The FBI Is Now Securing Networks Without Their Owners’ Permission

In January, we learned about a Chinese espionage campaign that exploited four zero-days in Microsoft Exchange. One of the characteristics of the campaign, in the later days when the Chinese probably realized that the vulnerabilities would soon be fixed, was to install a web shell in compromised networks that would give them subsequent remote access. Even if the vulnerabilities were patched, the shell would remain until the network operators removed it.

Now, months later, many of those shells are still in place. And they’re being used by criminal hackers as well.

On Tuesday, the FBI announced that it successfully received a court order to remove “hundreds” of these web shells from networks in the US.

This is nothing short of extraordinary, and I can think of no real-world parallel. It’s kind of like if a criminal organization infiltrated a door-lock company and surreptitiously added a master passkey feature, and then customers bought and installed those locks. And then if the FBI got a court order to fix all the locks to remove the master passkey capability. And it’s kind of not like that. In any case, it’s not what we normally think of when we think of a warrant. The links above have details, but I would like a legal scholar to weigh in on the implications of this.

Posted on April 14, 2021 at 9:56 AM • 69 Comments

Comments

benjamin shropshire April 14, 2021 10:37 AM

I’d actually be more okay with Joe Random “Vigilante” scanning for and crippling web shells than the FBI doing it. Which is not to say I’d be particularly okay with either.

That said, scan-and-notify? That I could get behind, but still; not the FBI’s job.

JonKnowsNothing April 14, 2021 10:48 AM

An MSM report indicated the FBI would remove the backdoor shell but NOT fix the vulnerability.

Removing one fox from the hen house, but leaving the doors open.

Bob Easton April 14, 2021 10:54 AM

It would be very interesting to know how they square these actions with the 4th Amendment?

Bryan April 14, 2021 11:00 AM

I’d actually much prefer if these vulnerable machines were just removed from the net (I’m assuming they were notified months ago). The organizations running them need to see the cost of no action.

Tom Davis April 14, 2021 11:28 AM

Because the shells are usable by anyone who knows about them, a better analogy might be an antagonist opened windows in a number of homes for the purpose of gaining entry later and the FBI received warrants allowing them to trespass in order to shut those windows.

Chelloveck April 14, 2021 11:36 AM

This seems like a bad idea. It sets the precedent that the FBI can act to secure private systems, and the precedent that it’s the FBI’s responsibility to do so. I can imagine the word “secure” being reinterpreted over time to mean pretty much whatever they want it to mean. Hopefully there’s language in here which limits the scope to this particular exceptional situation.

@Bruce, if you do find any discussion by a legal scholar please give us a link. I’d like to read it too.

I wonder if any security researchers have existing honeypots using this compromise, which the FBI will shut down. I also wonder if any researchers are going to quickly set up a honeypot system specifically to snare the FBI and find out exactly what they’re doing when they’re poking around “securing” it.

Humdee April 14, 2021 12:09 PM

@Tom

If they have a warrant then by definition law enforcement is not trespassing.

@Bruce

Here’s the best analogy I could come up with. Rancher Tom owns a big cattle ranch in Texas with lots of barns on it. Unknown to him, his best friend Bob is using those barns to store illicit drugs in transit from one state to another. A mutual friend of Bob and Tom learns of the scheme and tells Tom about it. Tom laughs and says Bob would never do a thing like that and never even goes to look in his barns. So the mutual friend turns informant to the FBI. The FBI gets a warrant, searches the barns, seizes the drugs, and then destroys them to help “fix the problem of illicit drug trafficking”.

Where exactly is the problem with what the FBI did? Is that problem the motive the FBI had for seizing the drugs which seems too generic? Is the problem that the FBI had a warrant for lots of locations at once so it looks like a general warrant? Is the problem that there was no way to seize the contraband without destroying it (in the case of the computer file)? If there is any one of these three that bothers me it’s the second but that is more of a technical problem than a policy problem. Otherwise the warrant seems right to me.

Vesselin Bontchev April 14, 2021 12:11 PM

I cannot comment on the legal side of this but let me weigh in on the technical side.

Essentially, the FBI had the following options:

  1. Do nothing. Given that these webshells were very widespread (like, on hundreds of thousands of computers), and that the owners of the affected computers did nothing to remediate the situation (either because they couldn’t or because they didn’t care), this would have been a sub-optimal decision. The webshells were initially meant for espionage but after the bug became public all sorts of cyber criminals started using them, from installing cryptominers to ransomwaring the companies affected.
  2. Fix the problem properly. In this case this means (a) removing the webshell, (b) closing the vulnerability, and (c) cleaning the machine from any other malware installed on it. Unfortunately, (b) means updating the Exchange server, which is far from a trivial thing to do even for an experienced local system administrator. The FBI messing with it remotely would have been guaranteed to cause damage to some systems. Similarly, (c) requires a full incident response engagement, which is again hard to do remotely and without the owner’s consent and cooperation. It’s not a matter of “remove this known malware” – it is a matter of “do a full investigation of the machine and the network it is connected to and try to figure out what the attackers might have done to it”. Clearly impractical and error-prone.
  3. Remove the easy access vector (the webshells) and try to notify the owner. This is a kind of a compromise and while certainly not the best and most rigorous solution, it strikes me as better than doing nothing and less likely to cause damage than if they did anything more.

So, from a technical point of view, I think that they did their best, given the circumstances.

xcv April 14, 2021 12:32 PM

@ O.P.

On Tuesday, the FBI announced that it successfully received a court order to remove “hundreds” of these web shells from networks in the US.

This is nothing short of extraordinary, and I can think of no real-world parallel.

It doesn’t make sense to me either. It’s Microsoft Corporation proprietary software, sold “as is”, off the shelf without any implied warranties of fitness for a particular purpose.

I don’t think anyone is successfully suing Microsoft for damages over it, and moreover the issuance of security patches and removal of web shells are all part of Microsoft’s normal business — which Microsoft or any major corporation would be doing anyways — and then there are D.O.J. employees showing up for work all of a sudden on a court-ordered basis at a private enterprise — outside their normal purview of crime and punishment — without any direction from supervisors or coordination from other employees who are already working on Microsoft software, and doing everything they can to fix the problems — which the government is only making worse by their meddling.

But every courthouse in the United States is running on Microsoft’s legal-industry-specific software products. Lexis-Nexis databases, title deed and recording software, court filing software, etc. So some guy is going to end up in the federal penitentiary, and all the court records will be deleted, altered, or hacked on Microsoft software, and after a few years, nobody can even look up any records as to why the guy’s in prison, but they’re never going to let him out, because he’s been classified as a violent felon in the federal prison population.

It makes me wonder what they classify as “violent crime” or not, because pulling the trigger of a handgun with your finger is no more violent than striking a key on a computer keyboard with the same finger — and consequences no longer matter in court — because modern courts no longer require the third of three elements necessary to convict a crime since the time of the ancient Romans, namely

#1. mens rea;
#2. actus reus; &
#3. noxa rea.

The ancient Romans insisted that if (#1) it wasn’t something you intended to do, or (#2) it wasn’t something you really did, or (#3) you did not really harm anyone — then you didn’t commit a crime, and therefore you could not be convicted of a crime.

Modern courts on the other hand have repealed the classical third necessary element of conviction for crime, and omitted due process by either imposing punishment for harmless or victimless acts, or by falsely imputing harm (noxa) where none exists.

Etienne April 14, 2021 1:03 PM

A better solution would be to classify Microsoft Exchange Server a weapon of mass destruction (WMD), and owners would have to register these assault weapons, or be fined and/or imprisoned for possessing contraband.

xcv April 14, 2021 1:12 PM

@ Etienne

A better solution would be to classify Microsoft Exchange Server a weapon of mass destruction (WMD), and owners would have to register these assault weapons, or be fined and/or imprisoned for possessing contraband.

And in fact that’s exactly the way “Microsoft Exchange Server” is sold.

You need a software license key or possibly even some physical token from Microsoft to use it, and if you don’t have the software license key or hardware dongle or whatever is required, or if you are found to have circumvented some DMCA provisions, then you will definitely be fined and/or imprisoned for possessing “counterfeit” software, or violating the copyright on Microsoft’s proprietary software code.

RML April 14, 2021 1:32 PM

“FBI personnel will access the web shells, enter passwords, make an evidentiary copy of the web shell, and then issue a command through each” of the web shells…

“the FBI is attempting to inform all owners of the impacted computers about the operation…”

“unsealing [the order] will further enable the government’s reasonable efforts to provide notice of the search to some victims…”

Hmmm, you have to wonder where they got the passwords. That may be a bigger concern.

Winter April 14, 2021 1:40 PM

I do not see the legal problem here. The FBI obtained a court order, so they are in the clear.

If anyone, only the owners of the computers affected have standing to object to that procedure. They can go to a higher court and claim this order was unlawful and broke their civil rights.

Somehow, I do not see that happening.

Clive Robinson April 14, 2021 1:48 PM

@ Bruce, ALL,

Looking not on the legal side but the practical side of a US Gov agency carrying out such an order and where it could lead.

In theory this time the “malware” was “safe to remove”…

But most of us know it would have been fairly easy for those putting this web shell onto machines to make it “embedded”[1]. That way removing such a web shell becomes not the moderate risk this one apparently is, but high risk.

The problem is that the FBI have now set “expectations” that they will not just find systems that have been attacked, but clean them up.

That is many would now argue that the FBI has taken on the job of “securing the premises” after a burglary. That is that the FBI techs fix any such attack in future.

Well this has a knock on effect of its own.

Some may remember FBI & DoJ v Apple, where Apple argued that they had no obligations under some ancient bit of law to be “impressed into servitude”. Whilst the case got dropped when the FBI & DoJ were fairly clearly going to lose, thus have precedent set against them, this could rise again.

Thus the FBI could compel US companies to “fix the problem” for them. Whilst some would argue this is a good thing I would not for a couple of reasons,

1, This attack supposedly used four zero days, this time all in a single supplier’s code. But next time if it’s four different companies’ code and one or more decide to argue in court etc?

2, Who carries the liability when things go wrong as they inevitably will do?

3, How long before the FBI & DoJ start to “broaden the scope” of compulsion to install back doors and the like as they originally tried to do with Apple?

Thus this action can be seen as part of a salami slicing style approach where the FBI & DoJ get nearer their goals a tiny step at a time thus drag the judiciary little by little in a direction they would never go down if it was a single large step.

[1] That is for the web shell on installation to have made a few shall we say “apparently random” changes to the system it was on. So that in effect there were say 2^8 different web shell removal procedures, get any one step wrong and the system either gets slagged or becomes toast. Thus making the web shell much more problematic to remove thus safer from removal from the attackers’ perspective.

Etienne April 14, 2021 1:49 PM

If the courts can allow the FBI to round up Japanese Americans and intern them, what’s to stop them from taking servers and interning them?

I don’t see a problem, and anyway the new immigrants who will develop the new America in a new mold, don’t even use email.

Fed.up April 14, 2021 3:32 PM

@ Bob Easton, ALL

This is entirely legal without subpoena. In the recent Defense Authorization Act the Cybersecurity Vulnerability and Notification Act was included. https://www.govtrack.us/congress/bills/116/s3045

Even though it says it didn’t pass. Read carefully that it was embedded in another passed bill.

This bill gives the government the ability to force telcos to ID who is vulnerable. The government can then fix that vulnerability without subpoena or notification to the vulnerable party. Includes both government agencies and the private sector.

If the FBI is reading this, please fix my devices. Tech support at one of Big Tech told me yesterday that I need to abandon and disassociate from anything associated with a Microsoft ID. They did not disagree when I asked if they were telling me to discard my devices too. When I hung up with them, they shut down my connection to their cloud and all of their services to my devices. I know that my personal devices are compromised due to my former employer. It is getting worse.

It’s awful for everyone to pretend that this is just impacting businesses, because if it propagated through Authenticator it’s hitting everyone that used it.

I wish I knew what PowerShell scripts to look for. Does anyone know of a PowerShell cheat sheet where I can look up by Event ID and see whether it’s ok?

Fed.up April 14, 2021 4:00 PM

But I also suspect that the FBI won’t be able to help those organizations relying on offshore MSPs, which is about 90% of the critical infrastructure, including government agencies. To protect them, they may need to cut off their MSP.

I think the most risk is coming from MSPs. No one even knew that SolarWinds was installed. Arm’s-length contracting is the norm.

Anon April 14, 2021 4:14 PM

Let’s just go over again what the Fourth Amendment says:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

So…..what did the FBI “seize”? What were they searching for?

So if I own a server, that in my account falls under “effects”…..

So why does the court consider this a “search and seizure” in the first place? Because the FBI told them, and they needed a warrant to “fix” my effect?

My effect in itself did not conduct a criminal act, and as the owner, I did not commit a criminal act either because an outside criminal element hacked my server.

The FBI is more than welcome to get off its rear and inform me that I might have been hacked by a criminal element, do the following steps to rectify the issue. They had no business going into a court of law to get a warrant to do any of this.

If you were a victim of this violation of the FBI going into your server to “help you”, get your legal team out to file a suit against the government for an unreasonable search and modification of your servers without your consent.

Because if you don’t, the FBI will continue this bad behavior and justify going into systems…..they are then no better than the hacker breaking in to your system in the first place.

So much for a legal scholar……a child could figure this out…..

xcv April 14, 2021 4:30 PM

@ Winter • April 14, 2021 1:40 PM

I do not see the legal problem here. The FBI obtained a court order, so they are in the clear.

If anyone, only the owners of the computers affected have standing to object to that procedure. They can go to a higher court and claim this order was unlawful and broke their civil rights.

Somehow, I do not see that happening.

No. You’re saying a street whore obtained a restraining order, and therefore the defendant has lost his gun rights and must register as a sex offender for the rest of his life.

That will never pass as due process, and that’s where the courts martial and international war crimes tribunals begin to take over the jurisdiction which has been ceded by the civil courts of the land.

There’s a Constitution, and an Oath to uphold the Constitution. That court is too far off in left field.

name.withheld.for.obvious.reasons April 14, 2021 4:40 PM

Once more into the breach my comrades, we have yet to correct the unrelenting violation of constitutional rights in current operational efforts of the ICs. What’s next, weaponizing private parties’ resources to attack another country? Quartering digital soldiers in citizens’ systems and networks? Mounting attacks that are essentially acts of war from citizens’ home networks?

If you think this is not possible, then read Presidential Policy Directive 20, that should inform and instruct your perceptions of what the U.S. government sees as “limits”.

xcv April 14, 2021 4:52 PM

@ name.withheld.for.obvious.reasons

Very legitimate questions to ask:

What’s next, weaponizing private parties’ resources to attack another country?

By far the vast majority of private parties would much live in peace in their own country with their own resources as long as their armories are not being illegally raided.

Quartering digital soldiers in citizens’ systems and networks?

And we’re all “drawn and quartered” already — issued a photo ID by the state with a picture or “drawing” of our face and the address of our residence or living “quarters” on it.

In the old days of course they compared it to being drawn apart four ways at once by horses. Now we have motorized vehicles instead of horse-drawn carriages, but we’re still “drawn and quartered” on the road just as we were in medieval times.

name.withheld.for.obvious.reasons April 14, 2021 4:53 PM

This slippery slope has been headed in all our directions for quite some time. It is almost amusing that anyone can be surprised by these developments. Where is the substantive push back against the direct assault on the civilian population, the “in-your-face” hubris that is slowly, but surely, eroding the United States into a full-blown fascist state.

In the past two years I’ve been frantically writing of the “greater-than-a-toe-hold” of our institutions and systems by the very actors for whom the political class provides great praise. Prior to that I have focused mainly on the operational and component level assaults we are all familiar with, thank you Edward Snowden for providing the concrete evidence (I retired my tinfoil hat in late 2012).

If you’re not primed by now, then I don’t see how this changes. The conclusion that is obvious is in front of all to see, yet somehow we cannot be bothered to resist.

name.withheld.for.obvious.reasons April 14, 2021 5:13 PM

@ xcv
I see the quartering of soldiers as parallel to what the 3rd Amendment to the Constitution under the Bill of Rights affirms.

Fed.up April 14, 2021 5:16 PM

The operation is complete.

The FBI didn’t notify owners because doing so could compromise the operation. I tend to agree with that given the comments about how wrong this was.

My sense is they got a warrant because there might be litigation as a result of this. Not directed against the FBI but possibly Regulators will want to know the identities of any public company or Federal Agency they remediated because the US regulates Cybersecurity. It is not optional. The FBI did take evidence during the operation.

https://www.bleepingcomputer.com/news/security/fbi-nuked-web-shells-from-hacked-exchange-servers-without-telling-owners/

SpaceLifeForm April 14, 2021 8:43 PM

@ Fed.up

The operation is complete.

In one way, yes. But, I think it just got rolling.

When all of this started, there were many threat actors planting webshells.

Some of the exchange servers would have multiple webshells.

But, in this instant case, it looks like FBI went after one specific threat actor.

They had the password to the webshell, and directed the webshell to remove itself.

But, the server is still vulnerable.

So, what can happen? Well, the threat actor may discover that they lost access.

But, because the server is still vulnerable, the threat actor may re-implant the webshell.

Now, imagine that this operation was coordinated with NSA, and NSA was directed to look for specific traffic over the internet. And capture the traffic when the threat actor re-implanted the webshell.

So, if this is the case, that would explain why there would be no notification immediately to the server owner. That was part of the warrant. Instead of immediate notification (which would probably leak), the notification was held back.

Why? To allow the threat actor to re-implant the webshell.

Now, that the news is out, that tells me that they have captured the traffic and now have much better intel regarding the threat actor.

John Madincea April 14, 2021 8:45 PM

I certainly understand the need to clean things up, but why not go through normal channels like Microsoft Malicious Software removal tool?

Also, what if someone set up a honeypot to “study” the traffic?

SpaceLifeForm April 14, 2021 9:38 PM

@ RML

The passwords are hard-coded in the webshell.

Find the webshell, and you can find the password.

Honeypot servers are perfect for that.
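SpaceLifeForm’s point (find the web shell first) and the scan-and-notify option raised earlier in the thread both come down to the same defender-side workflow, so here is an added example in Python that is not code from the post, from any commenter, or from the FBI operation. It walks a web root, flags script files where request input can reach an execution sink, preserves an evidentiary copy under its SHA-256 (the quoted order mentions an evidentiary copy being taken before anything else), and renders an owner notice that states plainly that the vulnerability itself remains. It deliberately removes nothing and executes nothing. The indicator patterns, the sample files, the file names and the host name are all constructed for the example, not taken from any real sample or signature set.

```python
"""Scan-and-notify for planted web shells (added example; all indicators,
sample files and names below are constructed, not real samples or IoCs)."""
import hashlib
import os
import re
import shutil
import tempfile
from dataclasses import dataclass, field

SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp"}

# Assumed, illustrative indicators: untrusted request input and an execution
# sink appearing in the same script file.  Not a vendor signature set.
INPUT_PATTERNS = [
    r"Request\s*\[", r"Request\.(Form|QueryString|Item|Params)",
    r"\$_(GET|POST|REQUEST)\b", r"getParameter\s*\(",
]
SINK_PATTERNS = [
    r"\beval\s*\(", r"\bExecute(Global)?\s*\(", r"Process\.Start\s*\(",
    r"Runtime\.getRuntime\(\)\.exec", r"\b(system|shell_exec|passthru|popen)\s*\(",
]
ONE_LINER_MAX_BYTES = 512  # dropped shells are typically tiny drop-in files


@dataclass
class Finding:
    path: str
    sha256: str
    size: int
    reasons: list = field(default_factory=list)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_file(path):
    """Return a Finding if the file matches the heuristics, else None."""
    with open(path, "r", errors="replace") as f:
        text = f.read()
    has_input = any(re.search(p, text) for p in INPUT_PATTERNS)
    has_sink = any(re.search(p, text) for p in SINK_PATTERNS)
    reasons = []
    if has_input and has_sink:
        reasons.append("request input reaches an execution sink")
    if has_sink and os.path.getsize(path) <= ONE_LINER_MAX_BYTES:
        reasons.append("execution sink in a tiny script file")
    if not reasons:
        return None
    return Finding(path, sha256_of(path), os.path.getsize(path), reasons)


def scan_webroot(root):
    """Walk the tree and collect findings for script files only."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                found = inspect_file(os.path.join(dirpath, name))
                if found:
                    findings.append(found)
    return sorted(findings, key=lambda f: f.path)


def preserve_evidence(finding, evidence_dir):
    """Copy the suspect file under its hash before anyone touches it."""
    os.makedirs(evidence_dir, exist_ok=True)
    dest = os.path.join(evidence_dir, finding.sha256 + os.path.splitext(finding.path)[1])
    shutil.copy2(finding.path, dest)
    assert sha256_of(dest) == finding.sha256  # copy verified intact
    return dest


def render_notice(findings, host="exchange01.example.invalid"):
    """Owner notification: what was found, and that removal is not a patch."""
    lines = [f"Web shell scan report for {host}: {len(findings)} suspicious file(s)"]
    for f in findings:
        lines.append(f"  {f.path}  sha256={f.sha256[:16]}...  size={f.size}B")
        lines.extend(f"    - {r}" for r in f.reasons)
    lines.append("Removing these files does not patch the server; apply vendor "
                 "updates and perform incident response on the host.")
    return "\n".join(lines)


def build_sample_webroot():
    """Constructed sample tree: one benign page, one planted one-liner."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "app", "auth"))
    with open(os.path.join(root, "Default.aspx"), "w") as f:  # benign: input, no sink
        f.write('<%@ Page Language="C#" %>\n<script runat="server">\n'
                'void Page_Load(object s, EventArgs e) { lbl.Text = Request["name"]; }\n'
                '</script>\n<asp:Label id="lbl" runat="server" />\n')
    with open(os.path.join(root, "app", "auth", "planted.aspx"), "w") as f:
        # constructed stand-in for a dropped shell: request input straight into a sink
        f.write('<%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd", Request["c"]); %>')
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    found = scan_webroot(root)
    evidence = tempfile.mkdtemp(prefix="evidence-")
    for f in found:
        preserve_evidence(f, evidence)
    print(render_notice(found))
```

Run as a script it prints a one-finding report for the constructed tree; the benign page is not flagged because request input alone is normal for a web page, and the heuristic only fires when that input sits next to an execution sink. The ordering matters for the thread’s point about evidence: the copy and hash are taken before any cleanup decision, and the notice says in its last line what the thread keeps repeating, that deleting the shell leaves the server exactly as exploitable as before.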

SpaceLifeForm April 14, 2021 10:12 PM

@ John Madincea

I certainly understand the need to clean things up, but why not go through normal channels like Microsoft Malicious Software removal tool?

That will not help if the org has no full time admin. That is a manual step. There are many small orgs that do not have a full time admin, and no one technical enough to understand the process of patching. They hopefully have an on-call admin, but I’m sure they are pretty busy these days.

Also, what if someone set up a honeypot to “study” the traffic?

See above.

SpaceLifeForm April 14, 2021 11:37 PM

@ Fed.up, Clive

I think the packet capture was good.

Hunch: the SolarWinds Orion backdoor came about via the Microsoft Exchange vulnerabilities.

But, you never know for certain.

Watch for this in about 12 hours.

“likely sanctions for about dozen individuals and 20 entities. And will expel about 10 Russian officials and diplomats from U.S.”

SpaceLifeForm April 15, 2021 1:51 AM

@ Fed.up, Clive

LOL. I think it’s the other way around Dmitry. Nice spin.
You’re broke and you know it. No more money laundering.

hxtps://www.uawire.org/kremlin-russia-prepares-to-part-ways-with-visa-and-mastercard

Ross April 15, 2021 3:56 AM

Funny how most of the comments revolve around whether or not this is legal and not whether or not this needed to be done.

No one posting here in comments is likely to be a practicing federal criminal law attorney so practically no one is going to be qualified to issue an opinion on whether or not this is legal. Like Mr. Schneier said, this is a question of law for a lawyer, not the peanut gallery.

As for whether or not this is a good idea, let’s take another rational look.

Many people in the security industry have routinely noted that it’s not enough to issue patches for security vulnerabilities. Many times those patches are never installed due to either neglect, incompetence, or both, resulting in the security landscape we have in the US today. This is now a national security problem due to the extraordinary extent of the problem. Hundreds of thousands of devices remain vulnerable from either EOL’ed software or hardware, and even supported software isn’t getting patched in the US alone, all reachable via the public Internet. These are not only a danger to their neglectful owners, but to everyone using the Internet.
The US does NOT have a workable way of dealing with this threat. The NSA has tried over the years to help manage threats like this only to be locked into a cage because of political hysteria that has no technical nor social merit. The “market” will not deal with this threat because there’s no money in it. The company that can pay for proper security already is. That leaves these other companies creating the current cesspool for others to clean up. Consider this digital toxic waste and the FBI finally enforced a clean up order.
Until there is a federal framework – and yes it has to be federal because no state is going to be able to manage a comprehensive plan and the market won’t bother without coercion – then some agency needs to step up and handle at least the low hanging fruit. It might as well be the FBI, if not the NSA, as they happen to have the technical expertise to do things like this correctly. This isn’t as nefarious as people make this out to be. The reactions have been totally irrational. This problem requires a rational discussion and a comprehensive enforceable national policy much like industrial pollution and long term contamination did.
Performative screaming “but the FBI in my computerz!!!!!” is irrational and unhelpful.

xcv April 15, 2021 5:24 AM

The “market” will not deal with this threat because there’s no money in it.

Don’t be such an EFFin’ commie. There’s no money in porn.

The company that can pay for proper security already is.

And stop stealing our money to finance online extortion and protection rackets.

That leaves these other companies creating the current cesspool for others to clean up. Consider this digital toxic waste and the FBI finally enforced a clean up order.

Otherwise known as porn. A worthless, boring, non-issue not worth the time and money being spent on it on the federal employees payroll.

Winter April 15, 2021 6:14 AM

@xcv
“No. You’re saying a street whore obtained a restraining order, and therefore the defendant has lost his gun rights and must register as a sex offender for the rest of his life.”

What does the occupation of the person obtaining the restraining order have to do with the matter? Are sex workers not entitled to protection against aggression under the law?

I also do not see how sex-offender registration (which is an absurd concept in itself) and the right to bear fire arms (another absurd quagmire in the US) have anything to do with the FBI removing computer malware?

You have mentioned this before. Do you have a particularly obsessive hatred for sex workers and love of fire arms?

Is that not a very unhealthy combination of obsessions?

Chris Drake April 15, 2021 6:44 AM

I tried to get permission to do exactly this in Australia, from our ASD and Federal police – both refused.

I’d bought an old expired domain that I think was part of their C&C – every new infection pinged me and gave me a few minutes to log in with no passwords. I noticed this because … garbage traffic! It was almost a DDoS.

I had an “expect” script running to immediately change the passwords [telnet on them all worked] to lock the hackers out before they shipped firmware updates or whatever they do next, but had to take it down because the police were not amused.

Fed.up April 15, 2021 7:31 AM

@SpaceLifeForm

They did NOT bother with small business. That would have been an impossible scope. The law gives them the right to do this solely as it pertains to the critical infrastructure private sector and government agencies. The critical sector is pretty broad but given we’ve had CCP posting disinformation on this board which was removed I would like to stay mindful about NOT helping the perps.

But I thank them for their posts.

But that is a brilliant assessment SpaceLifeForm – thank you. I won’t say what else I think. I want this to succeed and I think it will. Fingers crossed it will identify all that is wrong with cyber today. The first step to solving anything is identifying the problem. The problem is not only external.

I know people here default to hating and faulting the US Gov. But in this instance, I hope they succeed and I hope it results in furthering investment and attention on Cyber. I’m grateful they did this.

And no, I don’t work for the Gov. never did. I’m just fed up with the state of cyber. But today I have hope.

Fed.up April 15, 2021 7:53 AM

@Ross

I agree with you 100%. Someone was in one of my devices last night and I hope it was them. I’d very much welcome if it were.

Yesterday I tried to connect to a Teams meeting on another machine and couldn’t make it work. After troubleshooting the usual suspects I noticed my firewall was altered and not only Teams was blocked. Someone whitelisted some very sketchy sites. Then later when I identified that it was the cause, after I cleaned it up the intruder then blocked my access to a Zoom meeting in real time yesterday too.

So an intruder sat in my computer all day long just to mess with my ability to attend interviews and meetings. I’m not a high value target. What other country has the resources to just mess with people who post on comments online?

I’m proud to be American and that we have the ability to communicate and speak our mind online.

When you spend all of your time focused on hating your adversary, it is a waste of time. You should be using that time to better yourself so that you don’t have adversaries. Success is how you win.

Teknowledgist April 15, 2021 8:45 AM

As I see it, the problem with all of the analogies around the government seizing/destroying things is that it’s not illegal to have those web shells. It is illegal for third-parties to use them, and having them is certainly stupid and likely to make the company liable for damages that occur when they are used illegally, but it is not illegal to have them.

For example, @HumDee’s analogy changes if instead of illegal drugs, Bob is storing large quantities of strike-anywhere matches on unstable shelving. Certainly stupid and likely to cause the barns to burn down, but not illegal. Even if other ranchers’ cows are housed in those barns and were at risk, would the FBI be allowed to just go in and seize/destroy the matches?

Clive Robinson April 15, 2021 8:49 AM

@ Ross,

Many times those patches are never installed due to either neglect, incompetence, or both resulting in the security landscape we have in the US today.

Err no that is the tail end of the process, and fixing it is a significant waste of resources all around.

You should go back a step or two and ask “Why is development so bad, monthly if not weekly patches are required?”

One of the reasons IT companies are so wealthy is that they have rigged the market.

If you purchased or leased a car that was having to go to the shop for repairs almost weekly you would be screaming for,

1, Your money back.
2, Prosecutors to remove such dangerous products from the market place.
3, Legislators to pass further consumer protection laws.

And probably quite a bit more.

So the problem is not the lack of patching but crap products that need so much of it.

In effect “patching” is what Victorian artisans did, something broke they riveted or bolted a plate over the crack. Then not exactly unexpectedly the weight of the plate caused other issues thus more plates to get bolted/riveted on. Each in turn not just making the engine more likely to fail but less efficient and actually more likely to cause harm.

The artisanal nonsense only stopped when people started getting not just hurt but maimed and killed. The outcry was such that Parliament was forced to bring in legislation.

Then, surprisingly to many, the impossible-to-fix problems rather rapidly disappeared in the face not just of being put out of business but put to hard labour or even the rope in prison.

There is more than enough consumer protection legislation in place to fix the ICT market, but a complete lack of political will to start applying it.

How long do you think it would take for the big ICT Corps to put their houses in order if they had good reason to believe that their business would be legally shut down and the directors and senior managers put away for 20-Life?

Before arguing otherwise remember that avoidable software malfeasance has already cost lives.

At the end of the day, “patching” is “putting a dirty plaster on where the bone has come through the flesh”. The correct solution for the victim is to set the bone correctly and give proper sterile care to the wound. The solution for everyone else is to stop the process that causes the bones to be broken in the first place.

Having the grubby hands of the FBI and DoJ running around doing a very much less than half-assed job is not really solving anything, because whilst the script might be uninstalled the original vulnerabilities still remain for others to exploit, and they almost certainly will do, and the chances are with a better script that cannot be removed by the FBI.

Winter April 15, 2021 10:11 AM

@Clive
“So the problem is not the lack of patching but crap products that need so much of it.”

Can you point to an error/bug free non-trivial computer program? I have never seen one, nor heard about its existence.

In other words, how can we produce programs that do not need patching?

Greg Norcie April 15, 2021 10:50 AM

I am confused – how is this not a violation of the computer fraud and abuse act? I would like to better understand why the FBI can do this, but not a private citizen. Thanks for the help!

anon April 15, 2021 11:22 AM

I think someone (or ones) at the FBI should be fired and prosecuted for violating the CFAA, and the group at Microsoft should be co-defendants along with the judge that signed the order.

I think they should have simply notified the companies and had them contact Microsoft support for assistance.

If there ever was a slippery slope, this was it.

lurker April 15, 2021 1:13 PM

@Fed.up

When you spend all of your time focused on hating your adversary, it is a waste of time. You should be using that time to better yourself so that you don’t have adversaries. Success is how you win.

+1
Just how Sun Tzu might have said it.

Ahmed April 15, 2021 1:34 PM

I think a good analogy is detecting a “spy” radar or other HW installed on corporations’ roofs, one they cannot remove themselves, and getting authorization to remove it (but not authorization to fix the physical security holes that lead to the criminals installing the devices).

The FBI is assuming the patches will be automatically applied. Otherwise these efforts are meaningless – everybody gets reinfected again, same day.

Clive Robinson April 15, 2021 1:54 PM

@ Ahmed,

The FBI is assuming the patches will be automatically applied.

No I think you will find that the FBI are hoping very much that,

1, Patches do not get applied.
2, The sites will be reinfected.

That way they can follow their usual agenda of demanding from the elected representatives that they give the FBI more unconstitutional powers.

Clive Robinson April 15, 2021 2:47 PM

@ Winter,

Can you point to an error/bug free non-trivial computer program? I have never seen one, nor heard about its existence.

Well whilst you might not have seen one, I’m surprised you claim never to have heard of one.

Most ESA, NASA, and other flight systems are as bug free as their specifications[1]. Likewise much in the way of industrial control systems are rigorously tested to specification, after all you do not want to be responsible for another Piper Alpha or similar.

I guess it also depends on what you mean by “non-trivial”. Back in the 80’s and early 90’s “embedded engineers” were producing software that was as bug free as their specifications. But back then the specifications were not just marketing wish lists, expanded out a little by others who do not know how to specify things correctly to remove any ambiguity[2].

However the development cycle of writing and testing assembler code to high reliability by hardware engineering standards was seriously long to the bug ridden slapped together code that was poorly specified at best for consumer PC software. Often the development time was around five times longer.

I’ve written many pieces of software that have been as bug free as their specifications and I’ve got code out there in embedded products that is still running and has been nonstop for over a quarter of a century. Whilst others have stopped, not due to software error but hardware failure, or because an entire oil platform has been decommissioned.

The solution to software bugs is to untangle the complexity and have actual meaningful specifications that do not allow for ambiguity. That then shifts the potential for vulnerabilities up to the protocol level, and sometimes you cannot make those error free due to the laws of physics and probability.

But in code especially consumer code for PC’s there is a very real set of problems.

Firstly ignoring anything that travels right to left (errors, exceptions etc).

Secondly moving “input error checking” left and “business logic” right.

Thirdly not designing systems so that on error or exception input can be returned to the left such that it can be multiplexed to another process so the input is not lost.

Fourthly, when is a blue screen of death acceptable in real life? When you run a company you do not want the accounts department to stop dead just because of an error, likewise the shop floor. So why is software allowed to commit suicide every day or so by design?

[1] You need to consider vulnerabilities in two ways, those that are a mistake in coding, and those that are due to mistakes in the specification. A classic example of the latter is how the network stack treats multiple TCP packets. The specification calls for what are considered duplicate packets to be dropped. This mistake in the specification gave rise to the trick where a state level attacker can see you request data from a server, and by routing the server’s responses a longer way can get their packet in first… The fact the software does what the specification says is not a fault of the software or the people that coded it.

[2] When I was a lead engineer, I used to infuriate management by picking specifications apart and sending back vast reams of questions to nail the darn things down. However they grudgingly admitted that my projects not only came in on time, unlike others, importantly they rarely ever threw anything up in test or got maintenance requests. Thus expensive “mask programming” did not have to be redone during the project life time. Other engineers that picked up my source were horrified at just how heavily commented it was, with on occasions apparently a whole paragraph per line in some sections. However they never had problems using it.

softweird April 15, 2021 3:43 PM

@winter, Clive Robinson

Most ESA, NASA, and other flight systems are as bug free as their specifications.

Or as good as the engineer interpreting them. I wrote the real-time manager for probably the first autonomous vehicle in the US, DARPA’s ALV. The requirements were ambiguous, vague, and sparse because autonomous vehicles were new. My code ran for the entire run of the project and was actually rather spartan.

In my experience, many software projects fail because developers want to create “cool” stuff, instead of building what the customer wanted.

And as any good software test manager knows, proper testing can mitigate problems. At one company, we used third-party users who were similar to our prospective users to test our product before it shipped. However, management almost never agrees to such a thing, because their pulled-out-of-their-rear schedule does not allow for it.

when is a blue screen of death acceptable in real life?

Given the comments of Bill Gates in recent years, on many subjects, it’s not surprising that Windows is quality-challenged.

Other engineers that picked up my source were horified at just how heavily commented it was

I worked at a company that had a culture of comment-free code. Their justification was that comments became stale because developers often did not maintain them. My comments were removed by the software manager after I checked-in my code (eventually I stopped adding comments). Not surprisingly, the system had strange bugs.

JonKnowsNothing April 15, 2021 4:10 PM

@Clive @All

re: Bug Free Software

As already mentioned, quality specs are the prime driver of solid programming. Wand-waving DWIM specs (1) result in programs that neither meet expectations nor solve the initial reason for the request.

The other factor is the gutting of testing time and the correct application of tests. Currently, everything runs on scripts. Automated regression tests, to avoid re-introduced errors, are only as good as the maintenance-upkeep on the scripts. Any re-alignment of product code often results in orphaned scripts needed to track error conditions that never get updated-rewritten.

For critical systems Long Term Stability was mandatory. 20+100+250 days or more with zero errors were required.

An allocation of time problem continues to plague software development: the 90-90 rule.

The first 90 percent of the code accounts for the first 90 percent of the development time. The remaining 10 percent of the code accounts for the other 90 percent of the development time.
— Tom Cargill, Bell Labs

There is a corollary to this which might be called the 100-10 Rule

For any given project duration, Hardware and Software development will consume 100% of allocated PLUS 90% of all additional Allocated Time.

Testing will be required to do 100% of all tests within the remaining 10% of the Time, unless that 10% is also claimed for Hardware and Software Development.

If 200% of Allocated Time is taken by Hardware and Software, any testing done will be of Scant Use and a Miracle if it actually determines that the project is WAI and WAE and WAD. (2)

/Moi

1, DWIM Do What I Mean
2, WAI – Work as Intended / WAE – Work as Expected / WAD – Work as Defined

ht tps://en.wikipedia.org/wiki/Ninety-ninety_rule
(url fractured to prevent autorun)

vas pup April 15, 2021 5:19 PM

Tag – FBI
‘Skilled predator’ FBI boss harassed 8 women, watchdog finds

https://news.yahoo.com/skilled-predator-fbi-boss-harassed-164318917.html

“NEW YORK (AP) — One woman carried a ruler at FBI headquarters so she could smack James Hendricks’ hands when he reached for her legs and breasts. Another went home shaken after he tugged on her ear and kissed her cheek during a closed-door meeting.

And when Hendricks went on to lead the FBI’s field office in Albany, New York, in 2018, colleagues described him as a “skilled predator” who leered at women in the workplace, touched them inappropriately and asked one to have sex in a conference room, according to a newly released federal report obtained by The Associated Press.

==>Co-workers told investigators he surrounded himself with a “harem” of attractive women, was fixated on high heels and breasts, and was known for gawking at female agents as they walked down the hallway.

[Do they have for God’s sake a Dress Code in the FBI, i.e. no cleavage exposure, no tight pants/skirts, no high heels, length of the dress just one inch above knees? – VP]

The details of Hendricks’ sexual harassment — outlined in a 52-page report obtained under the Freedom of Information Act — have not previously been reported. The OIG blacked out Hendricks’ name in the report, but he was identified by law enforcement officials familiar with his case.

Drawing on interviews with more than a dozen FBI officials, the report traces Hendricks’ harassment to his time at FBI headquarters, where he served as a section chief in the Weapons of Mass Destruction Directorate. He was tapped in 2018 to lead ===>the Albany field office, where he supervised more than 200 agents and other FBI employees.

!!! FBI policy permits supervisors to pursue sexual relationships with subordinates [wow – vp] but requires them be disclosed so management “may determine whether remedial action, such as reassignment, is necessary to prevent interference with the FBI’s mission.”

The Office of Inspector General, however, said “the imbalance of power between superiors and subordinates could call into question the consensual nature of romantic or intimate relationships.”

My nickel: proper dress code for female office employees/agents (see my comment above in brackets) would eliminate most of such advances. Basic instinct could not be totally eliminated, (as you see nobody is immune) – just handled properly.

SpaceLifeForm April 15, 2021 6:09 PM

@ softweird, Clive, Winter, JonKnowsNothing

Spoken (or is it speaking?) of specs …

Two points. Ok, 3.

During a spec review meeting I had to endure a non-programmer say that the software should do X.

It took me some time to explain that was not going to happen, because the switch does not support that.

Your specs are incorrect. Stop with your magical thinking. Fix the specs. Don’t try to trap me in a losing position bitch.

And, she was truly a stupid bitch. Would leave 30 minute voice mail for me, DELETE. You can’t email me or just walk over?

I’m not wasting 30 minutes of my time when I am trying to fix bugs/problems in a multi-million LOCs application.

So, as I work my way thru the code, I encounter (in the basically un-commented C code), this comment:

“There is no code here because there was nothing in the spec” (inside a dangling else)

Waterfall and ISO 9001 are a complete joke.

SpaceLifeForm April 16, 2021 12:51 AM

@ Winter, Clive

Trivial, bug-free?

I guarantee that if you compile the program below the resulting binary has bugs.

#include <stdlib.h>   /* exit() is a library function; without this the call is an implicit declaration */

int main(void)
{
    exit(0);
}

Clive Robinson April 16, 2021 8:52 AM

@ Weather, SpaceLifeForm,

is that 0x00 or 0x3a?

Or any one of a number of strange 1-byte to 8-byte characters your editor thinks might be the equivalent of an ASCII number zero.

But… remember exit() is a library function, and not only does it come with a whole load of baggage, it also “hides” a whole load of ugliness that is OS or environment dependent.

As an embedded programmer one of the first things you learn is not to go with the standard library functions if you can avoid them… In part because you cannot see into them and in part because there is a whole truckload of assumed “needed” functionality in them you really, really do not need.

If you want to see a nightmare writ large, “printf() and friends” are really, really something you do not need.

Oh and remember the C-lib interface to POSIX or unix syscalls is not pretty either.

The first time you write the likes of a terminal or other full duplex program you find out just how ingrained “left to right” thinking is. For fun look up the select() and poll() family of lib functions. Heavy weight does not do justice to what effect they have on the kernel…

“Messy, messy, messy” is insufficient a comparison.

Weather April 16, 2021 2:36 PM

@clive slf
Int main();
Does it check for 0xf0000000?
Doesn’t the Os at the end of a program always calls exit() ?

Clive Robinson April 16, 2021 7:14 PM

@ Weather,

Doesn’t the Os at the end of a program always calls exit() ?

Long answer short “Environment and compiler dependent”.

Longer answer is “no, exit() is a library function” so if you do not load the library or it does not get linked in then no exit() does not get called (and breaks the stack). The bottom of main() just drops off to some address which is an object file that gets put in by the tool chain. What is in that file is upto you and it’s heavily environment dependent.

When I write embedded code I usually end the file with a “hard reset” because the program is not meant to terminate, except under major fault. Thus the system start-up leverloader and BIOS code that does the major fault finding and diagnostics gets run.

However in even low level environments, I put in “logging and cleanup code” before handing back to the environment (as most people writing under CP/M or later PC-DOS / MS-DOS in the 70’s and 80’s did).

As I stopped the bad practice of putting great chunks of assembler code into a C front end, the likes of atexit() became available along with “envp” in main(). In essence there are a couple of files the compiler chucks into your program that you don’t, as a high level environment user, ever really get to think about. These are responsible for setting up and tearing down / cleaning up the “process space”, by making an interface to both the environment and the OS/kernel for the C-lib wrappers to syscalls, the buffers for I/O streams (character), file systems (block) and the like. Then when you drop out of main() or exit(), closing down open I/O and cleaning up the process space and handing it all back to the OS prior to falling back into the initiating environment space.

So in some cases all exit() does is look for atexit() callbacks, runs those in the reverse order they were registered in, and drops out.

But… Unlike dropping off the bottom of main(), which would involve “goto”s or “far jumps” if used from within subroutines etc., exit() can be called from anywhere.

Oh and don’t forget abort(), but we will save that for another day along with the SIGABRT signal and the other signals 😉

As the “skinny lady says” “It’s all messy, messy! MESSY” and stamps her foot or worse taps her toe, which is better than enduring “The fat lady singing” the swan song in tortured scales of anguish that grate on the ears like fresh chalk on a black board…

SpaceLifeForm April 17, 2021 12:52 AM

@ Weather, Clive, Moderator

Let’s look at variant

int main() {
return 0;
}

Note the return 0; that is a zero. it could be a -1, or a plus 42. It is an integer value. Convention is that zero means success, and other values mean whatever the invoking process wants to interpret meaning to the value. Most of the time, the invoker only cares about zero (success) or non-zero (bad stuff happened).

Typically, the invoker is a shell (ex: bash).

Note here, the code does not call exit() at all !

If you compile, and run just like my above example, you will see the same results.
How can that be you may wonder. There is no call to exit() !

It’s all part of the magic of the C Library which is going to be linked into the resultant binary as Clive noted.

And that is where there be dragons. The bugs.

Now, in this simple example, it is almost certain the program will not encounter any bugs and will always run as expected. But, you never know. It could actually fail before it even really gets going in the main() code.

You see, the real entry point into the executable, is not really main() !

It is really called _start(), which calls main() !

So, a return from main() to _start() will still result in a call to exit()

_start is in the C library code. when main() does a return X, _start will end up calling exit(X)

Now, here is the typical hello world program.

#include <stdio.h>
int main() {
printf("Hello, World!");
return 0;
}

Note also, that in order to call printf(), I had to tell the compiler some stuff via the #include

Which means the resultant binary will have extra C library code linked in.

More dragons in the binary. Probably will not hit any bugs in this example.

The C library does all kinds of stuff to simplify the coding effort. But, in C, you still have to be careful obviously.

If you are ever are trying to build some code, and you get this error:

undefined reference to main

You know you are having some fun!

Hmmm. Another markdown markup issue. The stdio.h include with the angle brackets will not survive preview properly. The <stdio.h> will disappear even though it is inside the pre block. The pre is processed, as I can see the font changed and the indentation was maintained, but the html parser throws away the <stdio.h> because it sees it as invalid html even though it is inside of the pre block.

So, wherever you see the stdio.h with angle brackets I had to use the amper lt semi and amper gt semi to get the angle brackets to appear and for it not to just drop ‘<stdio.h>’.

Kinda bad as pre is for code snippets.
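
The exit-status and atexit() behaviour discussed in the last few comments, as an added example that is not code from the original thread (the fork/pipe plumbing, the function name child_exit_status and the handler names are my own construction): a child process registers two atexit() handlers and calls exit(code); the parent collects the order in which the handlers ran and the status that waitpid() reports, which is the same value a shell would put in $?.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Write end of a pipe, set in the child so the atexit() handlers can
 * report the order in which they ran (constructed for this example). */
static int g_report_fd = -1;

static void report(const char *tag)
{
    if (g_report_fd >= 0) {
        ssize_t r = write(g_report_fd, tag, strlen(tag));
        (void)r;
    }
}
static void handler_a(void) { report("A"); }
static void handler_b(void) { report("B"); }

/* Fork a child that registers handler_a then handler_b with atexit() and
 * then calls exit(code).  The parent collects the handlers' output into
 * `order` and returns the exit status it observes via waitpid(), i.e.
 * what a shell would see in $?.  Returns -1 on a pipe/fork/wait failure. */
int child_exit_status(int code, char *order, size_t order_len)
{
    int fds[2];
    if (order_len == 0 || pipe(fds) != 0)
        return -1;

    fflush(stdout);               /* don't let the child flush our buffered stdio a second time */
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {               /* child */
        close(fds[0]);
        g_report_fd = fds[1];
        atexit(handler_a);        /* registered first  -> runs last  */
        atexit(handler_b);        /* registered second -> runs first */
        exit(code);               /* runs handlers, flushes stdio, then _exit(code) */
    }

    /* parent: read until the child's write end closes at process exit */
    close(fds[1]);
    size_t got = 0;
    while (got < order_len - 1) {
        ssize_t n = read(fds[0], order + got, order_len - 1 - got);
        if (n <= 0)
            break;
        got += (size_t)n;
    }
    order[got] = '\0';
    close(fds[0]);

    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);   /* only the low 8 bits of `code` survive */
}

int main(void)
{
    const int codes[] = { 0, 42, -1, 256 };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        char order[8];
        int seen = child_exit_status(codes[i], order, sizeof order);
        printf("exit(%d): parent sees status %d, atexit order \"%s\"\n",
               codes[i], seen, order);
    }
    return 0;
}
```

Two things this shows that the prose only hints at: the handlers run in reverse registration order ("BA"), and the "integer" handed to exit() is truncated to eight bits by the kernel, so exit(-1) reads as 255 and exit(256) reads as 0, i.e. success. Any script that treats the status as a signed int, or checks for a specific value above 255, is checking something the child never actually communicated.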

Weather April 17, 2021 1:12 AM

@slf all
“#include
int main() {
printf(“Hello, World!”);
return 0;
}

There is a bug in that, the compiler would probably insert a ‘and eax 0x00’, which depending on the sign, will trip overflow flag and cflag. So back to 0xf0000000, like you said if the other program test for 0x00 using unsigned int it will fail.
And ebp+offset would be called for printf, which based on injected or not counted for input, can cause problems.

JonKnowsNothing April 17, 2021 1:48 AM

@SpaceLifeForm, Clive, Weather, All

re: Deep diving to the Bottom Turtle

One can use the example SpaceLifeForm demonstrated to dive deeper into the mysteries of what happens when you “Turn on the Power”.

A good deal of mysterious stuff happens, even for the simplest of cards, motherboards. You follow turtles all the way down, until you find the single “start point” when power is applied.

Stuff happens.
Stuff continues to happen all the way up to the Top Turtle.

Until you sort out exactly what stuff happens for the First Turtle, and why or why not, you miss a good deal of the what can be Inserted Here.

Compilers ride on top of a lot of A Lot of Stuff. Operating Systems ride on top of a lot of More Stuff. Cards, Motherboards, chips, all ride on top of Plenty of Stuff. By the time you follow the Turtles to the Internet a good deal of Turtle Stuff has happened.

Once you find the Singularity Turtle, you may find a Stampede of Turtles.

===

note: A good many posts in the archives here, deal with hardware and software Turtle Soup.

SpaceLifeForm Code Example:

ht tps://www.schneier.com/blog/archives/2021/04/the-fbi-is-now-securing-networks-without-their-owners-permission.html/#comment-372609

ht tps://en.wikipedia.org/wiki/Turtles_all_the_way_down

  • “Turtles all the way down” is an expression of the problem of infinite regress.

(url fractured to prevent autorun)

Clive Robinson April 17, 2021 6:26 AM

@ JonKnowsNothing, SpaceLifeForm, Weather, ALL,

One can use the example SpaceLifeForm demonstrated to dive deeper into the mysteries of what happens when you “Turn on the Power”.

In the days of the Apple ][ I could tell you almost byte for byte what every assembler instruction did and why from power up reset to command prompt. Likewise a little later CP/M for the 8080 / Z80, and a little later CP/M 86 and the early stuff for IBM BIOS and up (Debug was your friend). But that was three to four decades ago… But in that time I wrote my own C compiler based on Small C (which is still around) and my own loader (linking was done as part of making the .com executable file; no DLLs back then, and Intel and Co had not really got going on the .exe file format).

The .com file format was fairly simple you put your first assembler instruction at 0x0100 and got typing in debug. You had two choices talk to the hardware directly or talk to the BIOS which talked to the hardware for you. Talking to the hardware directly was even back then not a good idea but with an 8088 CPU that was externally 8bit running at just over 4MHz –yup 10^6 not 10^9– it was for instance the only way to get even a basic terminal program to talk above 300baud.

Whilst you can no longer run old DOS .com files under Microsoft OSs, Linux on the other hand has a couple of projects where you can write and run code the old way and have the fun you used to have before all that “tool chain” nonsense got in the way.

There is something strange but liberating in writing files to pull into Debug and have it create the .com image in memory where you could test it assembler instruction line by line, or just type directly into Debug. Having to hand calculate branch and jump points or put in a jump to 0x0000 or branch to the previous instruction address and go back and change it later, or note addresses and forward calculate as you went…

It was the way most code was written back then unless you were comparatively well heeled, as an IBM PC was about 8 months’ take home money even for junior engineers, and Debug came with DOS as later did MS Basic that was also an editor. Having already splashed out a few years before on an Apple ][, Apple Pascal (UCSD P-system) and Apple Fortran “to get ahead” and slightly later Apple’s Assembler, I had a big advantage (P-Code was portable) and set about writing an interpreter for the IBM PC (that sort of worked) and I would load it across the serial port. But I got addicted to writing 86ASM code using the Apple to create and store files for Debug. So I never finished turning my P-Code interpreter into a polished product (though I still have it somewhere).

Much though I enjoyed Pascal (hated Fortran), BCPL with its O-Code and Hungarian notation convention “came a knocking” due to doing stuff with academics, then C, not that I could afford to buy a C compiler, which were as much as the price of a PC (unless you used the BBC Model B, which is another story). Though many copies of “C” magically appeared, if you were going to sell code you had to get a legit compiler, so your options were “Pay a King’s Ransom” or “Cut your own”, then “The Small C Handbook” by James E. Hendrix got published…

I’m not aware of any PDF downloads, because it’s a book I’d recommend reading if you can (certainly before leaping sight unseen into ‘the dragon book’[1]).

Failing that Dr Dobbs has a Small C compiler bundle “on-CD” zipped ISO you can download,

https://www.drdobbs.com/developer-network-small-c-compiler-book/184415519?queryText=%2522small%2Bc%2522

But before you start thinking about writing your own compiler or other tool, get comfortable with writing in at least one assembly language[2].

[1] The so called ‘dragon book’ was and probably still is the book you get told to read on CS courses that include Compiler design, has a dragon and knight on the front cover. My slightly dog eared copy is from the corrected 1988 print,

“Compilers : Principles, Techniques, and Tools” by Alfred V. Aho et al, ISBN 0-201-10088-6

I know it has been updated. But if you do get a copy I would suggest you start not at the front but the back with the two chapters (11/12) on pragmatic aspects, then look at Appendix A. That way you will see what the earlier chapters are about and why they are presented in the order they are. Starting with the early chapters is a good way to lose interest before you get started[2].

[2] My advice, don’t write a compiler from scratch, it is a big project. Either modify a simple existing one with the aid of the dragon book, or start with a simple “Four Function Calculator” then turn it into a simple “interpreter”; you can go either towards Forth or towards BASIC, or if you have the early Java book go towards a byte-code interpreter. Whilst BASIC is “oh so simple” it’s actually a bit of a bad move if you want to write a compiler. Bite the bullet and go down the Forth route, as much that appears in compiler design appears in Forth natively. If you do go down the byte-code route, make it a “Table-Interpreter” because this will help you write an “architecturally neutral assembler” which is essential if you want your compiler to be used by other people. I did my first tool chain differently and that’s why I’m giving my “hindsight advice”: the little extra you put in at the front pays big dividends down the line. A table interpreter I wrote I’ve seen others change to a different CPU architecture and mnemonics in about a day. Oh, one last thing, use “a single type” of the largest integer, and use Hungarian naming of what types you want it to be (think of the principles explained behind C unions in the K&R C book). Such a type is what the CPU naturally works with, and it’s meat and veg to an assembler level programmer. If you feel you cannot write safe code with only one data storage type (unsigned int of max bit width) then you are not really ready to write an interpreter, assembler or compiler, or most other programs in the lower end of a tool chain.

name.withheld.for.obvious.reasons April 19, 2021 1:17 PM

For the most robust solution to a secure OS/application use the following MASM:

CALL ISSAFE

ISSAFE:
    NOP
    JMP ISSAFE      ; MASM has no GOTO; an unconditional jump spins here forever

SpaceLifeForm April 19, 2021 7:47 PM

@ name.withheld.for.obvious.reasons, Clive, Weather, JonKnowsNothing

LOL.

Reminds me of when I had to wrap all of the string functions in C via macros in C headers. In the “Olden Daze” of UNIX, a NULL ptr would point to a null string.

It would actually function. On a 3B2.

Porting the code to another arch, not so good.

So, for example, strcpy() would magically change into safe_strcpy(), where I would catch the use of NULL ptrs to string functions in, of course, the C Library.

I would log the use of NULL ptrs being passed to the string functions, and fix the problem on the fly.

The key point here is that this hack (truly a hack), allowed the program to continue.

To find higher level application bugs.

The log pointed to where the coding problem actually resided. Source file, line number.

Magic of the C preprocessor.
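
The macro-wrapping trick described in the comment above, as an added example that is not the commenter’s original code: the wrapper names (safe_strcpy, safe_strlen, or_empty), the event counter and the copy_label caller are my own construction, and the logging goes to stderr rather than whatever log the original used. The point is that redefining strcpy()/strlen() as macros after the real wrappers are compiled gives every existing call site a NULL check plus the __FILE__/__LINE__ of the actual caller, without touching the application source.

```c
#include <stdio.h>
#include <string.h>

/* Count of NULL string arguments caught at runtime (example bookkeeping). */
static int g_null_ptr_events = 0;

int null_ptr_events(void)
{
    return g_null_ptr_events;
}

/* Log a NULL string argument with the caller's location and hand back ""
 * so the program can keep running, the way the 3B2 quietly did. */
static const char *or_empty(const char *s, const char *what,
                            const char *file, int line)
{
    if (s != NULL)
        return s;
    g_null_ptr_events++;
    fprintf(stderr, "%s:%d: NULL passed as %s, substituting \"\"\n",
            file, line, what);
    return "";
}

/* The wrappers call the real library functions, so they must be compiled
 * before the macros below rename the originals. */
char *safe_strcpy(char *dst, const char *src, const char *file, int line)
{
    src = or_empty(src, "strcpy() source", file, line);
    if (dst == NULL) {                 /* no sane substitute for a NULL destination */
        g_null_ptr_events++;
        fprintf(stderr, "%s:%d: NULL passed as strcpy() destination, skipping copy\n",
                file, line);
        return NULL;
    }
    return strcpy(dst, src);
}

size_t safe_strlen(const char *s, const char *file, int line)
{
    return strlen(or_empty(s, "strlen() argument", file, line));
}

/* In the original this lived in a project-wide header: from here on every
 * strcpy()/strlen() in the translation unit goes through the wrappers and
 * carries the __FILE__/__LINE__ of the real call site. */
#undef strcpy
#undef strlen
#define strcpy(d, s) safe_strcpy((d), (s), __FILE__, __LINE__)
#define strlen(s)    safe_strlen((s), __FILE__, __LINE__)

/* Application code written as if a NULL label were harmless. */
size_t copy_label(char *out, const char *label)
{
    strcpy(out, label);                /* expands to safe_strcpy(out, label, __FILE__, __LINE__) */
    return strlen(out);
}

int main(void)
{
    char buf[32];
    size_t n1 = copy_label(buf, "exchange");
    size_t n2 = copy_label(buf, NULL);     /* logged to stderr, program continues */
    printf("copied %zu then %zu bytes; %d NULL pointer(s) caught\n",
           n1, n2, null_ptr_events());
    return 0;
}
```

The caveat a reviewer would raise: this only papers over NULL. The copy itself is still an unbounded strcpy(), so the same header is the natural place to route everything through a length-checked variant and log overlong sources too, which is what you would want before shipping rather than just while hunting the higher-level bugs.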

Clive Robinson April 19, 2021 11:44 PM

@ SpaceLifeForm,

It would actually function. On a 3B2.

Back around 93 when working in a Uni doing multi platform stuff, I kind of got fed up with the way the compilers were changing.

For instance Microsoft hid code in the run time such that a null pointer use caused the program to terminate with a short comment about trying to write to the null pointer use.

While Sun OS’s compiler did not and the MMU caused a seg-fault and core dump.

And other compilers did their own version of odd[1]…

I dropped a note about this lack of tool chain consistency on a newsgroup thread, and got a reply from the “language lawyers” about “not in the standard” which kind of missed the point…

As a rule of thumb you want the heavy lift distributed in the tool chain so that what comes out the end is “fast, light and right” but with importance increasing in descending order. It is after all why the recommendation is “-Wall ++ and code for the cone of silence” these days. But I’ll be honest, I preferred it when “lint first, then compile” and even “pretty print” post preprocessor was a diagnostic tool if you knew how to use it (don’t get me started on “dumb defs”[2] 😉

[1] With compilers for embedded systems you do not want gratuitous write via null pointer or similar to happen as that’s “welcome to the world of hard reset”, unless of course you do… Nor do you want god alone knows how much bloat in the code like Microsoft trying to hand hold developers who should know better and do their error and exception checks. So often they had compiler switches to turn the crap on and off depending on if hitting the fan was important or not (in development not, on a half billion dollar oil platform 100 miles off shore definitely).

[2] Dumb defs belong in “obfuscated code contests” not as some kind of “I’m Macho badge”, yes there are times when they can make source code easier to read, but they have hidden pitfalls. Speaking of hidden pitfalls combined C and C++ compilers and type rules… Shall I just pull my hair out now over unions and casting pointers or just scream into the void…

Weather April 20, 2021 12:21 AM

@clive
I remember basic and pascal before we moved onto C, one other student recommended directx for a game I was making. I’ve learnt a lot from that, some hard skills, some soft. I went to an interview one time and as I was walking out the door someone from phrocey network said that guy’s a cunt, looked them up recently they seem to be doing ok

Maxwell's Daemon April 21, 2021 10:21 PM

@ Winter,

“Can you point to an error/bug free non-trivial computer program? I have never seen one, nor heard about its existence.”

As with Clive Robinson, I have complex applications still in use for the last 34 years by the military that are completely bug and defect free. I’ve always used formal verification methods for the last 45 years, a combination of maths, logics, propositional calculus, to ensure that there was absolutely no possibility of a defect originating from my design. That isn’t to say that one couldn’t arise later, they often did due to hardware, operating system, and defects in tools such as the compiler. My code used various methods to detect and prevent such defects from existing undetected and when such conditions arose they were swiftly captured and reported. The strangest aspect was the code was often as fast or faster than other implementations. I was a frequent attendee at various industry conventions and would go around to the vendors and deliver extensive documentation of defects in the product.

There was a reason for this practice. Yes, a slap-dash implementation might have taken a bit less time, although not by much. What differed between my practice and that of the rest of the industry had to do with consequences. Wearing the uniform meant I was subject to military justice. Every one of these implementations was used in a safety-critical context. Should they go awry, lives or mission critical failures would result. I would be facing a Courts Martial with the worst consequence being the cost of my life. Lesser penalties would be years of incarceration being guarded by a bunch of pissed-off US Marines who don’t like sailors anyway.

That’s the difference between my (previous) world and the so-called real world. There are no consequences to anyone and, as per EULA, until amended by federal statute, no recourse for the purchasers. I still use these methods IRL even for my “personal use” simply as they’ve both become ingrained and faster translating requirements to code.

Weather April 21, 2021 11:14 PM

@maxwell
I wasn’t army but did study their field manual, to say honestly the character, not the experience, gives you the jobs.

Maxwell's Daemon April 23, 2021 12:30 PM

@Weather

Yes, character was involved, but what happened, as these jobs had nothing to do with my job as a field engineer, is I started with and continued to demonstrate a track record of delivering under budget and under time. I didn’t pad the jobs, indeed I cut times and budgets well below what outside contractors would take by several multiples, it’s just the way I rolled. Then again, I was taught by IBM engineers back in the 1970’s when they were the gold standard of doing it right. Their idea of doing it right was zero defect which is why I developed my processes to deliver that. Later, far later, I would find out that this was called formal verification.

Weather April 23, 2021 3:54 PM

121/256, there’s some missing byte, adjusted to an easier setting which should raise that value. Having trouble writing the parser, I can spot it in a second, but getting the code to.
256 range had a lot more even dispresition but still holds, 150 chars should at 99% prob get all the options, I might have to tweak the hash stage to get a clearer picture.

@maxwell
Not doubting your skills, just saying you’re a lucky donkey.

farm co worker April 27, 2021 6:44 PM

For the consumer there is less of it after interacting with it. For the prosumer there is more of it after interacting with it.

“if man made it man can break it.” WW Two Army bud.
