Channel 9 - Discussions by Bugslayer

Coffeehouse - Windows Media Photo to replace JPEG?

Bugslayer — Fri, 26 May 2006 19:58:06 GMT

W3bbo wrote:

Where does it say that?

From the spec...

· High performance, embedded system friendly compression

Small memory footprint

Simple, integer-only operations (no divides)

· Industry-leading compression quality

· Lossless or lossy compression using the same algorithm

· Support a very wide range of pixel formats:

Monochrome, RGB, CMYK or n-Channel image representation

8 or 16-bit unsigned integer

16 or 32-bit signed integer

16 or 32-bit floating point

Several packed bit formats

1bpc monochrome

5 or 10bpc RGB

RGBE Radiance

· Simple, extensible TIFF-like container structure

· Planar or interleaved alpha channel

· Embedded ICC Profile

· EXIF and XMP metadata

Coffeehouse - Windows Media Photo to replace JPEG?

Bugslayer — Fri, 26 May 2006 19:04:07 GMT

C'mon... Read the spec then speak.

The new format supports lossless images. (RAW support)
The new format supports multiple images per file (thumbnail embeded, multiple images+metadata opens up some new use cases).
The codec can process both lossless and compress images (saves space on your cellphone).
The format supports arbitrary and standardized metadata. (in XML, if I recall correctly).
Image encoding design to allow for inexpesive transcode to other format.

There are business reasons to introduce the new format.

Tech Off - Security concerns over popular forum management software / IE7 needs to step up

Bugslayer — Thu, 25 May 2006 19:33:37 GMT

SlackmasterK wrote:

You paid $495 for a T-shirt?

http://channel9.msdn.com/ShowPost.aspx?PostID=197242#197242

Tech Off - Security concerns over popular forum management software / IE7 needs to step up

Bugslayer — Thu, 25 May 2006 19:31:05 GMT

W3bbo wrote:

Uhm... you're scaremongering over a forum software that doesn't use HTTPS when collecting registrations or logging in?

The forums in question are support forums for a for-fee service. The risk of having an account compromised can result in charges being billed to my account.

W3bbo wrote:

The risk of packet intercepts is very remote and nothing to worry about.

Hmmm.... don't know quite what to say. Perhaps my vantage point has shown me that man-in-the-middle exploits occurs more frequently than you will accept. Promiscuous mode snooping (cable mode, rogue employee) is a primary threat to any clear-text data.

W3bbo wrote:

Uhm... are you sure you know how HTTP even works?

Yes.

Tech Off - Security concerns over popular forum management software / IE7 needs to step up

Bugslayer — Thu, 25 May 2006 18:23:43 GMT

I have noticed a number of installations of a particular forum management software product that does not secure the user registration or login.

User beware! NEVER, EVER, EVER reuse an important user name or password.

Discussion

Registration

This is the HTML of the registration page that submits the user credentials to the server.

Truncated for brevity

Login

On the front page of the forum there are two methods to log in.

The Welcome Guest banner
The Welcome back banner

#1 Clicking ‘Log In’ brings up an insecure form...

Truncated for brevity

#2 This is the HTML of the banner login (next to the ‘Go’ button):

form>

Security

Notice that in all three cases the action= of the form is to post to an http:// protocol URL. This causes the contents of the input controls to be sent as clear text across the web to the runehq.net server-side validation process.

This must be changed to prevent man-in-the-middle attacks, credential snooping, and runehq falling prey to an impersonation attack.

This software needs to post user credentials across an https:// protocol (so the data is contained in an SSL encrypted stream).

While it is possible to change the action= of the form to point to an https:// URL to secure the posting, there are security risks associated with including a secure form on an non-secured (http://) page.

To be completely secure, a login web page must be delivered to the browser over an https:// protocol.

Here’s why… A man-in-the-middle attack can inject code onto a web page that changes the page via a JavaScript injection. These attacks typically change the onsubmit= to point to a piece of JavaScript code that can post the credentials to a rogue site and then to the intended site. Delivering the page via SSL prevents this injection.

Because the SSL overhead is significant, login web pages should be as light-weight as possible (no sense encryption huge bitmaps, etc) to keep the performance impact to a minimum.

I don't want to rehash the argument, but I would give my $495 MS Tshirt if IE7 would provide visual cues when a form is secure/insecure (I propose a mod to the chrome or submit button). Yes, yes, it should be conservative and never have a false-positive (indicating a form is secure when it is not).

Tech Off - Vista Beta 2 with Virtual PC 2004SP1 -- Argh! -- can't install

Bugslayer — Wed, 24 May 2006 02:52:58 GMT

Nero ImageDrive solved the problem....

I will notify H&H (makers of VCD7)...

Tech Off - Vista Beta 2 with Virtual PC 2004SP1 -- Argh! -- can't install

Bugslayer — Wed, 24 May 2006 00:15:42 GMT

When installing B2 on my ThinkPad T42 using Virtual CD 7 to mount the ISO, following all known advice about 'diskpart'/create partition ... I get to click OK to my locale choices, then get to paste my beta product key in and ZONK! I get a dialog that is entitled 'Windows Setup' with a message stating:

"Setup failed to open the Windows image file."

looking into the logs in the Panther directory created by setup:

setup correctly locates the .WIM file on the mounted ISO image, but fails complaining that it is corrupt. GLE=0x570

"IBS SelectImages: Failed to retrieve the WIM file's XML info."

FYI: Virtual CD 7.1.0.2, and Virtual PC 2004 (5.3.582.27)...

This install.wim file is >3GB in size... I am going to purchase Nero ImageDrive to see if that can install B2 correctly. If so, looks like I have a bug in VCD 7.

Hope this helps anyone else having a similar problem.

What other ISO mounting tools are being used to mount the ISO image?

Tech Off - Memcpy: the fast way! Should be included in the Windows kernel

Bugslayer — Mon, 22 May 2006 16:14:23 GMT

Cairo wrote:

I friend of mine wrote... conditionally used MMX, SSE, or SSE2.

Best approach is be to have the run-time startup code determine the CPU capability and select the correct routine at startup (one time). Write the address to the preferred routine(s) (yes there are other routines benefiting from memory move/init optimizations).

Regarding MMX, SSE, SSE2... these would only be used if the CPU supported them. Also, the FPU can be used to move/init data faster as well.

Definitely should be in the managed runtimes (Jxxx, and .Net CLR/CLI)

During a research project i did on this topic, the judicious use of PREFETCH can accelerate the memory optimizations.

Coffeehouse - IE 7 runs on .Net?

Bugslayer — Mon, 22 May 2006 16:04:33 GMT

Manip wrote:

Uhh I thought IE 7 was unmanaged? Why is it loading the .Net framework each time?

Back to the question originally posted...

Did we figure out what is loading .Net Framework in IE7b2?

Is it an add-on?

Or is it perhaps a windows-hook?

Coffeehouse - Large, National, Well Known Bank Cannot Afford SSL Certificates?

Bugslayer — Wed, 10 May 2006 21:08:42 GMT

Since IE uses the protocol designation (https://) in the address line to drive the display of the lock symbol in the status bar, I have longed for IE 7 to display the status bar if the cursor is in a text box that will post securely. Furthermore, why not provide thestatus bar lock and a balloon on hovering over a form region (or the submit button for a form) that will post securely. Why not provide a visual overlay on submit buttons indicating security? The balloon could contain details from the cert used to secure the post. IE should provide a definitive indicator to the user for secure posts -- indicating the target domain for the post and the domain of the cert (in case they don't match)

end of brainstorm... please, just fix it for everyone!

Coffeehouse - Large, National, Well Known Bank Cannot Afford SSL Certificates?

Bugslayer — Wed, 10 May 2006 18:34:35 GMT

What, specifically, needs to be secured on this page that is not secured?

It is common practice to redirect an https:// request to http:// if the page does not contain sensitive data that is not secured by other means. (This saves encryption of the non-sensitive data and leaves the CPU for grander tasks.)

I will assume that you are referring to the UserID and password on this page. They are both secured with an explicit https:// URL in the action of the form, as in:

Tech Off - When will .Net Framework 1.1 and .Net Compact Framework 1.1 reach support end-of-life?`

Bugslayer — Thu, 15 Dec 2005 21:19:56 GMT

Customers asking to upgrade a product from 1.1 to 2.0 raise this question. I cannot find any dates on microsoft.com. Perhaps one of you chaps know.

Coffeehouse - Will "Client Protection" compete with McAfee and Symantec

Bugslayer — Fri, 07 Oct 2005 18:31:21 GMT

I think that you are right that it will represent competition.

Let's be clear... Microsoft is offering consumer and enterprise solutions.

The consumer product is OneCare.

The enterprise product includes workstation and server components.

The workstation component is called "Client Protection".

The feature sets are being incorrectly merged together. OneCare is the one-stop-shop (AV, malware, etc, tools, etc).

Client protection will compete with the managed AV solutions from the aforementioned companies (Symantec's NAV Corp, Network Associates' Mcafee enterprise)

To show how muddled things are at redmond, check out the URL for the enterprise webpages:

http://www.microsoft.com/athome/security/spyware/software/enterprise/default.mspx

Hmm... I'll bet this URL changes soon

Tech Off - If the 286 didn't have floating point capability...

Bugslayer — Thu, 06 Oct 2005 18:19:20 GMT

rhm wrote:

What happened is the C library included an "FPU emulator".

Actually, the compiler supported a command-line switch to either: generate calls a floating point implemenation of IEEE fp format or emit fp instructions in-line. When a fp instruction was executed on a system without a phyical FPU, the CPU would generate an invalid instruction exception that was caught by an OS FP emulator.

In this way, an application would run on all systems regardless of the presence of an x87 (or IDT or Weitek FPU). And if you added an x87 the acceleration was pretty good. (Not that x87 acceleration was great in those days.)

Tech Off - postioning a form relative to notifyicon

Bugslayer — Tue, 04 Oct 2005 16:00:19 GMT

this is very hard to do...

you have to capture your icon's position... that's a given.

you need to determine which edge of the screen the taskbar is docked to.

You need to handle the auto-hide case.

you need to handle the message broadcast by explorer.exe when it restarts (after a crash or explorer is term'ed and restarted.) because your icon will move.

You can see that many ISVs opt to just slide in the form from an edge (think FW notifications and AV products). If your tray icon is also on the form, the user gets the association.

[Note: I made an app that allowed you to drag and drop tray icons into subrtrays to eliminate clutter and annoying "hyperactive" icons (that blink incessantly). the subtrays would reveal themselves when you hovered over their "dot" on the taskbar.]

Coffeehouse - AMD Processors VS. Intel Processors

Bugslayer — Mon, 19 Sep 2005 18:22:28 GMT

Let's face it... the benchmark trend is changing...

Quoting FPS above 80 is meaningless. Why not spend the CPU resource making the game smoother, making the physics more realistic, making the audio spatial, make the game less effected by network lag, etc. Gauging a platform solely on it's ability to put bits on the display is short-sighted. (The general availability and affordability of dual-core and multi-core processors is here from both AMD and Intel (depending on your wallet... you may think "coming soon"). Software developers will design their systems to take advantage of multiple threads and compiler technology will make it simpler and less error prone.)

We need to think in terms of "What kind of experience does one platform provide versus another?" This the answer we want from benchmarks. We ain't there yet!

I suggest you think about what you are going to do with the system now and get a general idea of it's useful life. These will guide you to your choice. Decide what features/experience is important to you: want to play your games at 120+ FPS (40 of which you can't see), want 64 bit software support, want to have a system that schedules 4 threads simultaneously, etc.

Don't forget to think about the actual bus bandwidth as well. Having a gazillion MBs of data moving across a slower pipe can degrade the overall perf of your platform.

Don't forget your disk subsystem as well. RAID anyone...

What kind of customers will you be developing software for? The answer may persuade your decision as well.

Coffeehouse - Dvorak's "MS should confuse the market more" article

Bugslayer — Wed, 14 Sep 2005 18:18:29 GMT

1) Dvorak's article is the internet's version of dead air. In his first paragraph he rehashes old news and then procedes to banter on and on to amuse himself (when I write this sort of dribble, I have the sense to post it where it belongs... the recycle bin).

2) What will keep microsoft from allowing upgrades to the version that is initially purchased to the next tier? Nothing... Just visit the Digital Locker and buy an upgrade.

3) The proposal of having Microsoft offer an custom version of the OS... Makes my head explode! Come on... Windows is already hard enough to test my software on. Infinite permutations of this feature and that feature. Does my software work when X is installed? What about X and Z but not Y??? Having 7 tiers is expensive enough, but custom base versions would kill the platform. Can I assume that IE is on the machine or not? Did this user buy system restore or not? Microsoft would have to charge ISVs for redists?!? Or better yet, my installer can tell them that they have to $$$buy$$$ feature J, K and L before they install my product. I don't think this is a great user experience. [C]

Next, you will want me to have my customers recompile the kernel to get my software to run on their system. [6]

I would have to ship my software in a huge box just to print all of the caveats on it.

From a testing point of view: Tiers are good. Seven, I'll live with. Custom baselines are evil.

Coffeehouse - Is the MSDN Subscription website down?

Bugslayer — Tue, 13 Sep 2005 16:49:57 GMT

Same result for me (different Reference ID of course)

Tech Off - C++ *.dll survive post-crash?

Bugslayer — Fri, 09 Sep 2005 16:29:11 GMT

The .net mechanism is:

ThreadEventExceptionHandler

This event allows your Windows Forms application to handle otherwise unhandled exceptions. Attach your event handlers to the ThreadException event to deal with these exceptions, as these exceptions will leave your application in an unknown state. Where possible, exceptions should be handled by a structured exception handling block.

Although the docs states "Windows Forms applications", I am assuming that any .Net application will do as this is in the Application namespace.

Tech Off - C++ *.dll survive post-crash?

Bugslayer — Fri, 09 Sep 2005 16:22:33 GMT

Opps... sorry for SCREAMING.

Tech Off - C++ *.dll survive post-crash?

Bugslayer — Fri, 09 Sep 2005 16:22:00 GMT

Actually, in unmanaged cocde you can set an UnhandledExceptionFilter to catch all unhandled exceptions... This is the mechanisam that many applications use to capture the state of the process to a file (like Bugtoaster, Dr Watson, dwwin.exe, dw10.exe, dw15.exe, dw20.exe). The API to set the filter is called:

SetUnhandledExceptionFilter

The SetUnhandledExceptionFilter function enables an application to supersede the top-level exception handler of each thread and process.

I'll see if there is some mechanism in .Net....

Coffeehouse - Oooo sexy

Bugslayer — Wed, 07 Sep 2005 20:31:10 GMT

Now, if only, there was an SD slot in the top!

Coffeehouse - Do most compilers go directly to binary, or assembly?

Bugslayer — Wed, 07 Sep 2005 18:20:38 GMT

bitmask wrote:

I'd venture to say "most" compilers go directly to binary, although it really depends on the language and environment.

While translating source code to assembler source code is common in many texts, most modern compilers will translate into an intermediate form (object code) first and then submitting this to an optimizing compiler back-end. This allows for a back-end optimizer to be used to perform the final machine-executable code for many source languages. (Pascal, Basic, Fortran, etc). This also facilitates the reuse of the source code translator's object code to be used by multiple back-end code generators. (the same source code translator can be paired with an x86, 386, P4, optimizing or non-optimizing back-ends).

Tech Off - C++ *.dll survive post-crash?

Bugslayer — Mon, 08 Aug 2005 22:00:03 GMT

Not to nit-pick, but the prior post about the stack, etc all belonging to the same process...

The statement as it stands is indeed correct... threads have stacks that are owned by a process...

However, it is possible to have a thread terminate (along with the deallocation of its stack) and for the process to continue...

Tech Off - C++ *.dll survive post-crash?

Bugslayer — Mon, 08 Aug 2005 21:57:36 GMT

An exception occurs on a specific thread. If the thread itself does not handle the exception, it is propogated to the OS. If I understand the original post, you have a program (*.exe) that is loading extensions (*.dll). An exception occurs on one of the threads in the process. If that thread does not handle the exception, the default OS response will take place (crash report, Dr. Watson, etc) and the OS will terminate the process (ALL of its threads). You should catch the exception and record it in a meaningful way to correct this behaviour. You could also terminate that thread (assuming that the thread was created to support one extension) allowing the other extensions to continue (depending on the recovery of the exception of course).

Under the CLR (.net) you could have your extensions run in separate app domains... but I get the idea that this in not a .net application.