survivedurcode commented on New Windows driver signature bypass allows kernel rootkit installs   bleepingcomputer.com/news... · Posted by u/sandwichsphinx
ruthmarx · a year ago
> lol UAC is such a lazy shitshow of a security implementation…

It's by far the most secure and well thought out implementation of an elevation prompt across all operating systems.

A lot of thought went into designing the Secure Desktop [1] used by UAC, and really mac and linux not having something similar is an embarrassment.

[1] https://learn.microsoft.com/en-us/archive/blogs/uac/user-acc...

survivedurcode · a year ago
I stand corrected, it is not a lazy shitshow.

You’re right, fake sudo prompts are how people get exploited all day long. I’ve witnessed it on MacOS.

For UAC, the user still has to learn that the darkening on the screen and the prompt is “serious business.” I think that when a password is present and has been willfully supplied, prompting the user for the password guards against automatic/accidental acceptance (button-only user confirmation prompts). I understand that many users have a joke password that is not really any more secure than a click on a button.

I see that Sudo for Windows has been restricted to Desktop only. https://hudsonvalleyhost.com/blog/microsoft-officially-exclu...

From the design article you linked, I know it’s 2006 era:

> You hide the real mouse cursor and show a fake one some number of pixels offset to the real one

I think MacOS only in the recent years has “Full Desktop Control” as an accessibility-category permission (a confusing category to boot) it enforces on apps to prevent faking the cursor.

survivedurcode commented on The C23 edition of Modern C   gustedt.wordpress.com/202... · Posted by u/bwidlar
pornel · a year ago
Because memory vulnerabilities don't make programs immune to other dumb mistakes. You get these vulnerabilities on top of everything else that can go wrong in a program.

Manual checking of memory management correctness takes extra time and effort to review, debug, instrument, fuzz, etc., things that the compiler could be checking automatically and reliably. This misplaced effort wastes resources and takes focus away from dealing with all the other problems.

There's also a common line of thinking that because working in C is hard, C programmers must be smarter and more diligent, so they wouldn't make dumb mistakes like the easy-language programmers do. I don't like such an elitist view, but even if true, the better programmers can allocate their smarts to something more productive than expertise in programs corrupting themselves.

survivedurcode · a year ago
> programmers can allocate their smarts to something more productive than expertise in programs corrupting themselves

Amen. This is called progress.

survivedurcode commented on The C23 edition of Modern C   gustedt.wordpress.com/202... · Posted by u/bwidlar
dxuh · a year ago
You can't just put a language in the bin that has been used for 50 years and that a huge percentage of the present-day software infrastructure is built on.

I see comments like yours everywhere all the time and I seriously think you have a very unhealthy emotional relationship with this topic. You should not have that much hate in your heart for a programming language that has served us very well for many decades and still continues to do so. Even if C was literally all bad (which imho isn't even possible), you shouldn't be that angry at it.

survivedurcode · a year ago
When you write C++, you can allocate memory all day long and write ZERO delete statements. That is possible, I’ve been writing C++ like that since 1998 (Visual C++ 5.0 and lcc). Can you imagine allocating memory and never risk a premature or a forgotten delete? It is not possible in C. You can call it opinion, but I see fact. That makes C all that bad.

When I say put it in the bin, I don’t mean that good software hasn’t been written already with it, or can’t be written with it. But you should stop using it given the earliest opportunity. When given the ability to write object-oriented software, clever engineers with too much time add insane complexity justified by unproven hypotheticals. Believe me, I know very well why people shy away from C++ like a trauma response. Overly-engineered/overly-abstracted complexity, incomprehensible template syntax, inadequate standard library, indecipherable error messages, C++ has its warts. But it is possible to write memory-safe software in C++, and it is not in C (unless we are talking about little code toys!). My answer is that you don’t have to write complicated garbage in C++. Keep it simple like you are writing C. Add C++ features only to get safety. Add polymorphism only when it solves a problem. Never write an abstract class ahead of time. Never write a class ahead of time.

Downvote me all day long. Call me angry. When billions of dollars are lost because someone, in our modern age, decided to write new software in C, or continue to develop software in C instead of switching to a mixed C++/C codebase with an intent to phase out new development in C.

It’s hard not to get angry when modern software is written with avoidable CVEs in the 2020s. Use after free, buffer overflows, are you kidding me? These problems should have been relics in 2010+, but here we are.

survivedurcode commented on New Windows driver signature bypass allows kernel rootkit installs   bleepingcomputer.com/news... · Posted by u/sandwichsphinx
beeboobaa3 · a year ago
It allows its users to actually use their computer as a computer instead of a glorified phone.

MacOS nannies you left and right, preventing you from doing things you want to do because Apple says no.

Windows historically didn't have such restrictions because it's a desktop operating system and not a gimped phone. They're slowly being added, but it takes time to overhaul an entire architecture while maintaining backwards compatibility (which MacOS also doesn't care about at all).

Linux is of course far more "hackable" but there aren't as many computer illiterates using it.

survivedurcode · a year ago
LOL you should be upvoted as your comment perfectly captures the blind arrogance of the software industry.

When you call people computer illiterate, you are blind to the technocrat injustice imparted onto the general populace.

> “The obnoxious behavior and obscure interaction that software-based products exhibit is institutionalizing what I call "software apartheid":”

> ― Alan Cooper, The Inmates Are Running the Asylum: Why High Tech Products Drive Us Crazy and How to Restore the Sanity

> “When programmers speak of "computer literacy," they are drawing red lines around ethnic groups, too, yet few have pointed this out.”

> ― Alan Cooper, The Inmates Are Running the Asylum: Why High Tech Products Drive Us Crazy and How to Restore the Sanity

You too can see the light and rise above the elitism of computer literacy. You know, there are many smart people that are too prideful to put up with what computer people demand as computer literacy. They suffer in silence, you will not have their loyalty, and they will switch to competing software the moment they are able to.

survivedurcode commented on New Windows driver signature bypass allows kernel rootkit installs   bleepingcomputer.com/news... · Posted by u/sandwichsphinx
admax88qqq · a year ago
The main difference is that UAC is automatically triggered by the OS and takes over the whole display, making it harder to fake/intercept. It’s trivial to put a fake sudo in someone's PATH and steal their password.
survivedurcode · a year ago
lol UAC is such a lazy shitshow of a security implementation…

A) there is no interception to be had. It’s a fucking “Yes I am Admin” single click a child could do unsupervised.

B) It requires training for the user to know that this is a special UAC mode. That’s high-motivation, high-knowledge user training. Pilots train to recognize unusual signs. Your grandma does not train to recognize what UAC looks like, why it would come up and when. UAC is the biggest cop out of a security excuse and Windows should be ashamed.

survivedurcode commented on The C23 edition of Modern C   gustedt.wordpress.com/202... · Posted by u/bwidlar
survivedurcode · a year ago
Continuing to use a memory-unsafe language that has no recourse for safety and is full of footguns is frankly irresponsible for the software profession. God help us all.

By the way, the US government did the profession no favors by including C++ as a memory-unsafe language. It is possible to write memory-safe C++, C++ with safe array dereferencing. But it’s not obvious how to do it. Herb Sutter is working on it with CppFront. The point stands that C++ can be memory-safe code. If you make a mistake, you might write some unsafe code in C++. But you can fix that mistake and learn to avoid it.

When you write C, you are in the bad luck shitter. You have no choice. You will write memory-unsafe code and hope you don’t fuck it up. You will hope that a refactor of your code doesn’t fuck it up.

Ah, C, so simple! You, only you, are responsible for handling memory safely. Don’t fuck it up, cadet. (Don’t leave it all to computers like a C++ developer would.)

Put C in the bin, where it belongs.

survivedurcode commented on In SSRI withdrawal, brain zaps go from overlooked symptom to center stage (2023)   psychiatrist.com/news/bra... · Posted by u/RicoElectrico
mmsc · a year ago
>Physicians were initially unaware or dismissive of brain zaps due to limited information and a focus on downplaying the addictive nature of antidepressants.

I don't know why. It's a pretty well-known effect of fucking with your serotonin levels. Someone I know took about 4g of MDMA over a 4-day period and what followed was about 2 weeks of these "brain zaps", sleep paralysis with demons in the room (feeling like you are lying in bed with a demon coming towards you but you physically cannot move). This stuff has been known about for decades but unable to be researched due to the US' drug laws. Those brain zaps are apparently like just doing whatever you're doing, when BAM, it feels like an electric shock has gone through your head into the back of your eyes.

survivedurcode · a year ago
I think there’s more to it than just messing with serotonin.

There’s something about Sertraline (Zoloft) that seems to make it quite reliable at causing brain zaps. 3 people I’ve known who stopped Sertraline all experienced brain zaps. 1 of those people also talked about stopping Prozac (cold turkey) and Lexapro (4wk taper) and did not have the zaps, but a 4-month taper of Sertraline was not enough to avoid them.

In fact in the article they recommend switching to Prozac and then tapering that, as a way to avoid the zaps.

survivedurcode commented on JVM statistics cause garbage collection pauses (2015)   evanjones.ca/jvm-mmap-pau... · Posted by u/tosh
lbalazscs · a year ago
In 2015 there was no ZGC. Today ZGC (an optional garbage collector optimized for latency) guarantees that there will be no GC pauses longer than a millisecond.
survivedurcode · a year ago
I would check your answer. These are pauses due to time spent writing to diagnostic outputs. These are not traditional collection pauses. This affects both jstat as well as writes of GC logs. (I.e., GC log writes will block the app just the same way.)
survivedurcode commented on JVM statistics cause garbage collection pauses (2015)   evanjones.ca/jvm-mmap-pau... · Posted by u/tosh
sltkr · a year ago
> The pauses occur even [..] if you call mlock

I wonder how this is even possible. The only scenario I can think of involves a page fault on the page table itself (i.e., the page is locked into memory, but a page fault occurs during virtual-to-physical address translation). Does anyone know the real reason?

survivedurcode · a year ago
Probably because mapped pages, even if they are locked into memory, are not allowed to stay dirty forever. Does this help? https://stackoverflow.com/a/11024388 (In contrast, if you mlocked but never wrote to the pages, you probably would not encounter read pauses.)
survivedurcode commented on Interning in Go   medium.com/google-cloud/i... · Posted by u/todsacerdoti
survivedurcode · a year ago
Beware the trade-offs of interning affecting GC behavior. Now you can’t have a stack-allocation optimization, for example.

u/survivedurcode

Karma: 15 · Cake day: August 31, 2024