Archive for May 12th, 2008

The 25 Year Old BSD Bug

May 12, 2008

1983. The year of the IBM PC XT, the Apple Lisa, Pioneer 10 leaving the solar system, and Hooters opening up shop in Florida. It’s also the birthyear of a 25 year old BSD bug, squashed only a few days ago.

A few days ago, Marc Balmer, OpenBSD developer, received an email from an OpenBSD user. The email claimed that SAMBA would crash when serving files off an MS-DOS filesystem. Balmer got into contact with a few SAMBA developers who claimed that SAMBA uses a special workaround in order to function properly on BSD systems: the code for reading directories in all BSDs was flawed.

Understandably, Balmer’s first reaction was disbelief. “Of course my first reaction was to blame Samba,” he writes. Despite his initial reaction, he decided to dig deeper into this case, and he uncovered a bug that had been sitting in the code of all BSDs (including Mac OS X), including a lot of old releases. He confirmed the bug was already in 4.2BSD, released in August of 1983.

The bug itself? Well, I’m no programmer so the actual code is kind of gibberish to me, but I think I get the gist of the problem.

This code will not work as expected when seeking to the second entry of a block where the first has been deleted: seekdir() calls readdir() which happily skips the first entry (it has inode set to zero), and advances to the second entry. When the user now calls readdir() to read the directory entry to which he just seekdir()ed, he does not get the second entry but the third.

Marshall Kirk McKusick, the original developer of the *dir() library, commented on the issue in a personal conversation with Balmer:

As the original author of the *dir() library, you probably fixed one of my bugs :-) . Prior to the *dir() commands, programs just opened, read, and interpreted directories directly. I had to update a shocking 22 programs (a large percentage of the programs available on UNIX at the time) to replace their direct interpretation of directories with the *dir() library calls.

This little bug’s fix was actually fairly trivial (as is common with these sorts of long-standing bugs): “The fix is surprisingly simple, not to say trivial: _readdir_unlocked() must not skip directory entries with inode set to zero when it is called from __seekdir().”
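The off-by-one described above can be reproduced with a toy model. This is an added example, not code from OpenBSD's libc or from Balmer's post: the `toy_*` names, the array-of-slots directory block and the `skip_deleted` flag are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy directory block: inode 0 marks a deleted entry, as in the article. */
struct toy_dirent { unsigned ino; const char *name; };
struct toy_dir { struct toy_dirent *ents; size_t count; size_t loc; };

/* Return the next entry. With skip_deleted set, entries whose inode is
 * zero are passed over silently, which is what callers normally want. */
static const struct toy_dirent *toy_readdir(struct toy_dir *d, int skip_deleted)
{
    while (d->loc < d->count) {
        const struct toy_dirent *e = &d->ents[d->loc++];
        if (e->ino == 0 && skip_deleted)
            continue;
        return e;
    }
    return NULL;
}

/* Remember the position of the next entry to be read. */
static size_t toy_telldir(const struct toy_dir *d) { return d->loc; }

/* Rewind to the start of the block and step forward with readdir until
 * the saved position is reached. The buggy variant lets readdir skip
 * deleted entries while stepping, so one call can consume two slots and
 * overshoot the target. The fixed variant does not skip here. */
static void toy_seekdir(struct toy_dir *d, size_t target, int fixed)
{
    d->loc = 0;
    while (d->loc < target) {
        if (toy_readdir(d, fixed ? 0 : 1) == NULL)
            break;
    }
}

/* Name the caller sees from the first readdir() after seekdir(). */
static const char *name_after_seek(int fixed)
{
    /* Constructed sample data. */
    struct toy_dirent block[] = {
        { 10, "first" }, { 11, "second" }, { 12, "third" }
    };
    struct toy_dir d = { block, 3, 0 };

    toy_readdir(&d, 1);               /* caller consumes "first"          */
    size_t pos = toy_telldir(&d);     /* position of "second" is saved    */
    block[0].ino = 0;                 /* "first" is deleted: inode zeroed */
    toy_seekdir(&d, pos, fixed);      /* caller seeks back to "second"    */

    const struct toy_dirent *e = toy_readdir(&d, 1);
    return e ? e->name : "(end)";
}

int main(void)
{
    printf("buggy seekdir, next entry: %s\n", name_after_seek(0));
    printf("fixed seekdir, next entry: %s\n", name_after_seek(1));
    return 0;
}
```
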

“Sorry that it took us almost twenty-five years to fix it,” Balmer adds, jokingly.

VXers slap copyright notices on malware

May 12, 2008

Malware authors have lifted a page from the legit software industry’s rule book and are slapping copyright notices on their Trojans.

One Russian-based outfit has claimed violations of its “licensing agreement” by its underworld customers will result in samples of the knock-off code being sent to anti-virus firms.

The sanction was spotted in the help files of a malware package called Zeus, detected by security firm Symantec as “Infostealer Banker-C”. Zeus is offered for sale on the digital underground, and its creators want to protect their revenue stream by making the creation of knock-offs less lucrative.

The copyright notice, a reflection of a lack of trust between virus creators and their customers, is designed to prevent the malware from being freely distributed after its initial purchase. There’s no restriction on the number of machines miscreants might use the original malware to infect.

Virus writers are essentially relying on security firms to help them get around the problem that miscreants who buy their code to steal online banking credentials have few scruples about ripping it off and selling it on.

In a blog posting, Symantec security researchers have posted screen shots illustrating the “licensing agreement” for Infostealer Banker-C.

The terms of this licensing agreement demand that clients promise not to distribute the code to others, and pay a fee for any update to the product that doesn’t involve a bug fix. Reverse engineering of the malware code is also verboten.

“These are typical restrictions that could be applied to any software product, legitimate or not,” writes Symantec researcher Liam O’Murchu, adding that the most noteworthy section deals with sanctions for producing knock-off code (translation below).

In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies.

Despite the warning, copies of the malware were traded freely on the digital underground days after its release, Symantec reports. “It just goes to show you just can’t trust anyone in the underground these days,” O’Murchu notes.

After Long time !!!

May 12, 2008

Just thought of writing a BASIC program after almost 15 years !!!

AUTO

10 REM --- Hi BASIC ---
20 PRINT "HELLO WORLD! "
30 END

AUTO

10 REM --- I STILL REMEMBER YOU ---
20 PRINT "What is your name"
30 INPUT NAME$
40 PRINT "What is your age"
50 INPUT AGE
60 PRINT "What is date you born. Enter only the date"
70 INPUT DATE
80 PRINT "What is month you born. Enter only the month"
90 INPUT MONTH
100 DIFF = 2008 - AGE
110 NDIFF = DIFF
120 NUM = 1
130 IF MONTH 4 THEN GOTO 220 ELSE GOTO 270
220 FOR I = DIFF TO 2007 STEP 1
230 PRINT "Your "; NUM ; " birthday was on "; DATE ;"/"; MONTH ;"/"; NDIFF
240 NDIFF = NDIFF + 1
250 NUM = NUM + 1
260 NEXT I
270 PRINT "Goodbye BASIC. I will love you forever !!!"
280 REM --- End ---
290 STOP

May 1, 1964: First Basic Program Runs

May 12, 2008

1964: In the predawn hours of May Day, two professors at Dartmouth College run the first program in their new language, Basic.

Mathematicians John G. Kemeny and Thomas E. Kurtz had been trying to make computing more accessible to their undergraduate students. One problem was that available computing languages like Fortran and Algol were so complex that you really had to be a professional to use them.

So the two professors started writing easy-to-use programming languages in 1956. First came Dartmouth Simplified Code, or Darsimco. Next was the Dartmouth Oversimplified Programming Experiment, or Dope, which was too simple to be of much use. But Kemeny and Kurtz used what they learned to craft the Beginner’s All-Purpose Symbolic Instruction Code, or Basic, starting in 1963.

The college’s General Electric GE-225 mainframe started running a Basic compiler at 4 a.m. on May 1, 1964. The new language was simple enough to use, and powerful enough to make it desirable. Students weren’t the only ones who liked Basic, Kurtz wrote: “It turned out that easy-to-learn-and-use was also a good idea for faculty members, staff members and everyone else.”

And it’s not just for mainframes. Paul Allen and Bill Gates adapted it for personal computers in 1975, and it’s still widely used today to teach programming and as a, well, basic language. (Reacting to the proliferation of complex Basic variants, Kemeny and Kurtz formed a company in the 1980s to develop True BASIC, a lean version that meets ANSI and ISO standards.)

The other problem Kemeny and Kurtz attacked was batch-processing, which made for long waits between the successive runs of a debugging process. Building on work by Fernando Corbató, they completed the Dartmouth Time Sharing System, or DTSS, later in 1964. Like Basic, it revolutionized computing.

Ever the innovator, Kemeny served as president of Dartmouth, 1970-81, introducing coeducation to the school in 1972 after more than two centuries of all-male enrollment.

The Race to Zero

May 12, 2008

The Race to Zero contest is being held during Defcon 16 at the Riviera Hotel in Las Vegas, 8-10 August 2008.

The event involves contestants being given a sample set of viruses and malcode to modify and upload through the contest portal. The portal passes the modified samples through a number of antivirus engines and determines if the sample is a known threat. The first team or individual to pass their sample past all antivirus engines undetected wins that round. Each round increases in complexity as the contest progresses.

There are a number of key ideas we want to get across by running this event:

1. Reverse engineering and code analysis is fun.

2. Not all antivirus is equal, some products are far easier to circumvent than others. Poorly performing antivirus vendors should be called out.

3. The majority of the signature-based antivirus products can be easily circumvented with a minimal amount of effort.

4. The time taken to modify a piece of known malware to circumvent a good proportion of scanners is disproportionate to the costs of antivirus protection and the losses resulting from the trust placed in it.

5. Signature-based antivirus is dead, people need to look to heuristic, statistical and behaviour based techniques to identify emerging threats.

6. Antivirus is just part of the larger picture, you need to look at controlling your endpoint devices with patching, firewalling and sound security policies to remain virus free.

We are not creating new viruses and modified samples will not be released into the wild, contrary to the belief of some media organisations.

Above all we want the contestants to have fun!

Not so different

May 12, 2008

The following are programs written in Ada, C and Java that print to the screen the phrase “Hello World.”

ADA PROGRAMMING LANGUAGE

with Ada.Text_IO;
procedure Hello_World is
begin
   Ada.Text_IO.Put_Line ("Hello World from Ada");
end Hello_World;

C PROGRAMMING LANGUAGE

#include <stdio.h>

int main(void)
{
    printf("\nHello World\n");
    return 0;
}

JAVA PROGRAMMING LANGUAGE

class helloworldjavaprogram
{
    public static void main(String args[])
    {
        System.out.println("Hello World!");
    }
}

The return of ADA

May 12, 2008

Last fall, contractor Lockheed Martin delivered an update to the Federal Aviation Administration’s next-generation flight data air traffic control system — ahead of schedule and under budget, which is something you don’t often hear about in government circles.

The project, dubbed the En Route Automation Modernization System (ERAM), involved writing more than 1.2 million lines of code and had been labeled by the Government Accountability Office as a high-risk effort. GAO worried that many bugs in the program would appear, which would delay operations and drive up development costs.

Although the project’s success can be attributed to a lot of factors, Jeff O’Leary, an FAA software development and acquisition manager who oversaw ERAM, attributed at least part of it to the use of the Ada programming language.

About half the code in the system is Ada, O’Leary said, and it provided a controlled environment that allowed programmers to develop secure, solid code.

Today, when most people refer to Ada, it’s usually as a cautionary tale. The Defense Department commissioned the programming language in the late 1970s.

The idea was that mandating its use across all the services would stem the proliferation of many programming languages and even a greater number of dialects. Despite the mandate, few programmers used Ada, and the mandate was dropped in 1997. Developers and engineers claimed it was difficult to use.

Military developers stuck with the venerable C programming language they knew well, or they moved to the up-and-coming C++. A few years later, Java took hold, as did Web application languages such as JavaScript.

However, Ada never vanished completely. In fact, in certain communities, notably aviation software, it has remained the programming language of choice.

“It’s interesting that people think that Ada has gone away. In this industry, there is a technology du jour. And people assume things disappear. But especially in the Defense Department, nothing ever disappears,” said Robert Dewar, president of AdaCore and a professor emeritus of computer science at New York University.

Dewar has been working with Ada since 1980.

Last fall, the faithful gathered at the annual SIGAda 2007 conference in Fairfax, Va., where O’Leary and others spoke about Ada’s promise.

This decades-old language can solve a few of today’s most pressing problems — most notably security and reliability.

“We’re seeing a resurgence of interest,” Dewar said. “I think people are beginning to realize that C++ is not the world’s best choice for critical code.”

Tough requirements

ERAM is the latest component in a multi-decade plan to upgrade the country’s air traffic control system. Not surprisingly, the system had some pretty stringent development requirements, O’Leary said.

The system could never lose data. It had to be fault-tolerant. It had to be easily upgraded. It had to allow for continuous monitoring. Programs had to be able to recover from a crash. And the code that runs the system must “be provably and test-ably free” of errors, O’Leary said.

And such testing should reveal when errors occur and when the correct procedures fail to occur. “If I get packet 218, but not 217, it would request 217 again,” he said.

Ada can offer assistance to programmers with many of these tasks, even if it does require more work on the part of the programmer.

“The thing people have always said about Ada is that it is hard to get a program by the compiler, but once you did, it would always work,” Dewar said. “The compiler is checking a lot of stuff. Unlike a C program, where the C compiler will accept pretty much anything and then you have to fight off the bugs in the debugger, many of the problems in Ada are found by the compiler.”

That stringency causes more work for programmers, but it will also make the code more secure, Ada enthusiasts say.

When DOD commissioned the language in 1977 from the French Bull Co., it required that it have lots of checks to ensure the code did what the programmer intended, and nothing more or less.

For instance, unlike many modern languages and even traditional ones such as C and C++, Ada has a feature called strong typing. This means that for every variable a programmer declares, he or she must also specify a range of all possible inputs. If the range entered is 1-100, for instance, and the number 102 is entered, then the program won’t accept that data.

This ensures that a malicious hacker can’t enter a long string of characters as part of a buffer overflow attack or that a wrong value won’t later crash the program.

Ada allows developers to prove security properties about programs. For instance, a programmer might want to prove that a variable is not altered while it is being used through the program. Ada is also friendly to static analysis tools. Static analysis looks at the program flow to ensure odd things aren’t taking place — such as making sure the program always calls a certain function with the same number of arguments. “There is nothing in C that stops a program from doing that,” Dewar said. “In Ada, it is impossible.”

Ada was not perfect for the ERAM job, O’Leary said. There are more than a few things that are still needed. One is better analysis tools.

“We’re not exploiting the data” to the full extent that it could be used, he said. The component interfaces could be better. There should also be tools for automatic code generation and better cross-language support.

Nonetheless, many observers believe the basics of Ada are in place for wider use.

Use cases

Who uses Ada? Not surprisingly, DOD still uses the language, particularly for command and control systems, Dewar said. About half of AdaCore’s sales are to DOD. AdaCore offers an integrated developer environment called GnatPro, and an Ada compiler.

“There [are] tens of millions of lines of Ada in Defense programs,” Dewar said.

NASA and avionics hardware manufacturers are also heavy users of Ada, he said. Anything mission-critical would be suitable for Ada. For instance, embedded systems in the Boeing 777 and 787 run Ada code.

In all these cases, the component manufacturers are “interested in highly reliable mission-critical programs. And that is the niche that Ada has found its way into,” Dewar said.

In addition to AdaCore, IBM Rational and Green Hills Software offer Ada developer environments.

It also works well as a teaching language. The Air Force Academy found it to be a good language that inexperienced programmers could use to build robust programs. At the SigAda conference, instructor Leemon Baird III showed how a student used Ada to build an artificial-intelligence function for a computer to play a game called Connect4 against human opponents.

“A great part of his success was due to Ada’s features,” Baird said.

Although it was only 2,000 lines, the language allowed the student to write robust code.

“It had to be correct,” he said. The code flowed easily between Solaris and Windows, and could be run across different types of processors with minimal porting.

Programs written in an extension of Ada, called Spark, will be used to run the next generation U.K. ground station air traffic control system, called Interim Future Area Control Tools Support (IFacts).

Praxis, a U.K. systems engineering company, is providing the operating code for IFacts. In 2002, England’s busiest airport terminal, London Heathrow Airport, suffered a software-based breakdown of its airplane routing system.

Praxis is under a lot of pressure to ensure its code is free from defects.

Praxis also used Spark for a 2006 National Security Agency-funded project, called the Tokeneer ID Station, said Rod Chapman, an engineer at Praxis. The idea was to create software that would meet the Common Criteria requirements for Evaluation Assurance Level 5, a process long thought to be too challenging for commercial software.

To do this, the software code that was generated had to have a low number of errors. The program itself was access control software.

Someone wishing to gain entry to a secure facility and use a workstation would need the proper smart card and provide a fingerprint.

By using Spark, a static check was made of the software before it was run, to ensure all the possible conditions led to valid outcomes. In more than 9,939 lines of code, no defects were found after the testing and remediation process was completed.

Although the original language leaned heavily toward strong typing and provability, subsequent iterations have kept Ada modernized, Dewar said. Ada 95 added object-oriented programming capabilities, and Ada 2005 tamped down on security requirements even further. The language has also been ratified as a standard by the American National Standards Institute and by the International Organization of Standards (ISO/IEC 8652).

Ada was named for Augusta Ada King, Countess of Lovelace, daughter of Lord Byron.

In the early 19th century, she published what is considered by most to be the world’s first computer program, to be run on a prototype of a computer designed by Charles Babbage, called the Analytical Engine. But don’t let the language’s historical legacy fool you — it might be just the thing to answer tomorrow’s security and reliability challenges.

Tools to access Linux Partitions from Windows

May 12, 2008

If you dual boot Windows and Linux and have data spread across partitions on both, you are likely to run into some issues.

Sometimes you need to access files on your Linux partitions from Windows, only to realize that it isn’t easy. With these tools in hand, though, it is very easy to access files on your Linux partitions from Windows.

Explore2fs

Explore2fs is a GUI explorer tool for accessing ext2 and ext3 filesystems. It runs under all versions of Windows and can read almost any ext2 and ext3 filesystem.

Project home page: http://www.chrysocome.net/explore2fs

C++ Historical Sources Archive

May 12, 2008

Abstract
This is a collection of design documents, source code, and other materials concerning the birth, development, standardization, and use of the C++ programming language.

1979 April
Work on C with Classes began
1979 October
First C with Classes (Cpre) running
1983 August
First C++ in use at Bell Labs
1984
C++ named
1985 February
Cfront Release E (first external C++ release)
1985 October
Cfront Release 1.0 (first commercial release); The C++ Programming Language
1986
First commercial Cfront PC port (Cfront 1.1, Glockenspiel)
1987 February
Cfront Release 1.2
1987 December
First GNU C++ release (1.13)
1988
First Oregon Software C++ release [announcement]; first Zortech C++ release
1989 June
Cfront Release 2.0
1989
The Annotated C++ Reference Manual; ANSI C++ committee (J16) founded (Washington, DC)
1990
First ANSI X3J16 technical meeting (Somerset, NJ) [see group photograph, courtesy of Andrew Koenig]; templates accepted (Seattle, WA); exceptions accepted (Palo Alto, CA); first Borland C++ release
1991
First ISO WG21 meeting (Lund, Sweden); Cfront Release 3.0 (including templates); The C++ Programming Language (2nd edition)
1992
First IBM, DEC, and Microsoft C++ releases
1993
Run-time type identification accepted (Portland, Oregon); namespaces and string (templatized by character type) accepted (Munich, Germany); A History of C++: 1979-1991 published at HOPL2
1994
string (templatized by character type) (San Diego, California); the STL accepted (San Diego, CA and Waterloo, Canada)
1996
export accepted (Stockholm, Sweden)
1997
Final committee vote on the complete standard (Morristown, New Jersey)
1998
ISO C++ standard ratified
2003
Technical Corrigendum; work on C++0x started
2004
Performance technical report; Library technical report (hash tables, regular expressions, smart pointers, etc.)
2005
First votes on features for C++0x (Lillehammer, Norway); auto, static_assert, and rvalue references accepted in principle
2006
First full committee (official) votes on features for C++0x (Berlin, Germany)

Programmers At Work, 22 Years Later

May 12, 2008

In 1986, the book Programmers at Work presented interviews with 19 programmers and software designers from the early days of personal computing including Charles Simonyi, Andy Hertzfeld, Ray Ozzie, Bill Gates, and Pac Man programmer Toru Iwatani. Leonard Richardson tracked down these pioneers and has compiled a nice summary of where they are now, 22 years later.

Where Are They Now?

Charles Simonyi. Then, Microsoft programmer. Now: super-rich guy, space tourist, endowing Oxford chairs and whatnot. Works at Intentional Software.

Butler Lampson. Then, PARC dude. Now: a Microsoft Fellow.

John Warnock. Then: co-founder of Adobe. Now: retired, serves on boards of directors, apparently runs a bed and breakfast.

Gary Kildall: Then: author of CP/M. Died in 1994. The project he was working on in Programmers at Work became the first encyclopedia distributed on CD-ROM. He also hosted Computer Chronicles for a while.

Bill Gates. Then: founder of Microsoft, popularizer of the word “super”. Now: richest guy in the world. After a stint in the 90s as pure evil, semi-retired to focus on philanthropic work.

John Page. Then: co-founder of the Software Publishing Company, makers of PFS:FILE, an early database program. Now: I’m not really sure. Here’s a video of him from 2006, so he’s probably still alive, but he’s not on the web. SPC was acquired in 1996. Through some odd corporate synergy the public face of the business now appears to be Harvard Graphics.

C. Wayne Ratliff. Then: author of dBase. Now: retired.

Dan Bricklin. Then: co-author of VisiCalc. Now: Has a weblog and lots of accessible historical information about his projects. Still runs Software Garden. Still looks almost exactly like his illustration in PaW, leading some to speculate on a “Spreadsheet of Dorian Gray” type effect. I secretly hope he will see this in referer logs and invite me to hang out with him.

Bob Frankston. Then: the other half of VisiCalc. Now: worked for Microsoft for a few years, now retired, has a weblog.

Jonathan Sachs. Then: co-author of Lotus 1-2-3. Now: semi-retired. Gives away Pocket PC software from his home page, and sells photography software as Digital Light & Color. More details in this 2004 oral history.

Ray Ozzie. Then: Lotus Symphony dude, left Lotus to write what would eventually be sold as Lotus Notes. Now: Chief Software Architect at Microsoft, after working for IBM and starting Groove Networks. Has a weblog, but hasn’t posted for about a year.

Peter Roizen. Then: author of T/Maker, a spreadsheet program. Now: programmer consultant. Inventor of a Scrabble variant that uses shell glob syntax.

Bob Carr. Then: PARC Alum, Chief Scientist at Ashton-Tate, author of Framework integrated suite. Now: founder of Keep and Share. In between: co-founded Go, worked for Autodesk. Doesn’t seem to have a web presence.

Jef Raskin. Then: Macintosh project creator, founder of Information Appliance. Died in 2005. His excellent web site is still up. Author of well-respected book The Humane Interface. The project he’s working on in PaW, the SwyftCard, was a minor success.

Andy Hertzfeld. Then: Macintosh OS developer. Now: works at the OSAF Google and hosts a bunch of websites, including folklore.org and Susan Kare’s site. (Incidentally, Susan Kare now works for Chumby.) In between: worked at General Magic and Eazel, which probably only people who read this weblog remember.
Most of the people profiled in PaW provide some sample of their programming or thought process. Hertzfeld has the best one: an assembler program that makes Susan Kare’s Macintosh icons bounce around a window.

Toru Iwatani. Then: designer of Pac-Man. Now: retired from Namco in 2007. Visiting professor at a Japanese university (the University of Arts in Osaka or Tokyo Polytechnic, depending on which source you believe). In PaW very proud of a game called Libble Rabble, which I’d never heard of. I believe PaW interview was for a while the only English-language information available about Iwatani.
Significantly, in a recent interview Iwatani refused to comment on Ms. Pac-Man’s relationship to Pac-Man. Possibly because Ms. Pac-Man is actually Pac-Man’s transgendered clone, and Namco doesn’t want word getting out.

Scott Kim. The only person mentioned in PaW I’ve met. Then: basically a puzzle designer. Now: still a puzzle designer. His website. Also has an interest in math education.

Jaron Lanier. Then: working on a visual programming/simulation language. Blows Susan Lammers’s mind with a description of virtual reality (see also “Virtual World” in Future Stuff). Now: scholar in residence at Berkeley, occasional columnist for Discover. Lots of stuff on his website. Here’s video of a game he wrote.