Recent Posts

8451
I'd agree.  Getting down from my high horse, I can see how someone who's doing it for fun might not even know about SQL injection, let alone how to avoid it, if they didn't just happen to be in the know because of a bad situation.  I do wonder why it isn't mentioned more.  I've been asked about it several times in interviews, but never have I actually read anything about it that I can remember.  Strange.

(And it is C#- and I fixed a bug in the code)
8452
Wow!  Thanks!  I was just asking to know... not expecting you to do anything about it, as the offer is generous enough as it is!  Thanks!
8453
Developer's Corner / Re: Coding Standards
« Last post by wraith808 on April 03, 2011, 09:11 AM »
i can't say i love the coding standard you have to use either -- too hard to distinguish.

i've always liked the idea of using lowercase for internal variables, mixed case for exposed stuff.

Even in that case, don't you have a hard time distinguishing?  And not using any caps in the internal stuff would *really* screw me up... I use CodeRush, and it allows you to navigate the camel caps- saves a lot of time!

And I like the (_) :P :) :)  a lot better than m_, etc at least...  ;D
8454
Congrats to all the winners!  (Especially Curt- I'll take that off your hands if you decide you don't want it  ;D)
8455
General Software Discussion / Re: What the hell is OpenCandy?
« Last post by wraith808 on April 03, 2011, 09:05 AM »
@wraith808 - just out of curiosity, are you personally considering using OC?

If you don't mind somebody who goes "back *that* far" asking? ;)



;)

I hadn't been.  I hadn't even considered it until I started following Renegade's experiment.  And even now, I doubt I will- I used to write installers for a living, so I try to stay as far away from that as possible, if you hadn't noticed from my software.  ;D  It's just unzip and run...

(And I don't remember my first mainframe... but I think you might have me beat by a few years.  Not many though! :)  Though fully qualifying it, I was pretty precocious when it came to computers, and my father being a professor helped to give me unusual access to hardware.)
8456
Developer's Corner / Coding Standards
« Last post by wraith808 on April 03, 2011, 08:59 AM »
So... we've been given new coding standards where I work.  I'm ok with that.  But one of the conventions is driving me CRAZY!

Normally, I'd write something like...

Code: C#
    // Backing field, marked by a leading underscore
    private string _propertyX = string.Empty;
    public string PropertyX
    {
      get { return this._propertyX; }
      set { this._propertyX = value; }
    }

(Yes, I know about auto-implemented properties; this is just an example. ;))

But under the new coding standards, it would look like this.
Code: C#
    // Backing field, differing from the property name only by case
    private string propertyX = string.Empty;
    public string PropertyX
    {
      get { return this.propertyX; }
      set { this.propertyX = value; }
    }

I have spent *so* much time debugging typing errors now... the _ clearly separated my property store from my property name.  But this... AIEEEEEE!

I just had to vent...  :-[
8457
There are abstraction layers that you can use to take care of things for you. There really is no excuse. Nobody should ever be writing SQL statements dynamically in a production system, and especially in a front-facing production system.

This.  That kind of stuff should make heads roll...  and there are ways to check for this that don't involve regular expressions nor abstraction layers, i.e.

Code: C#
    // Substrings that cause a request to be rejected when found in the query string.
    private static string[] SQLKeywords = new string[]
    {
        ";", "--", "EXECUTE ", "EXEC(", "SELECT ", "INSERT ", "UPDATE ", "DELETE ", "CREATE ",
        "TRUNCATE ", "DROP ", "ALTER TABLE ", "TABLE ", "DATABASE ", "WHERE ", "ORDER BY ", "GROUP BY ",
        "DECLARE ", "CAST(", "CONVERT(", "VARCHAR(", "NVARCHAR("
    };

    // ...

    protected void Application_BeginRequest(Object sender, EventArgs e)
    {
        // .... (elided in the original post; queryString and errorMessage come from here)

        // Decode, then upper-case with the invariant culture so the ordinal
        // comparison below does not depend on the server's locale.
        queryString = Server.UrlDecode(queryString).ToUpperInvariant();
        foreach (string keyword in SQLKeywords)
        {
            if (queryString.IndexOf(keyword, StringComparison.Ordinal) != (-1))
            {
                errorMessage = String.Format("Unexpected T-SQL keyword ('{0}') has been detected ({1})", keyword, queryString);
                throw new Exception(errorMessage);
            }
        }
    }

Putting that kind of code in the global.asax page would nip that in the bud.  And that's just a simplistic example off of the top of my head.
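
An added example, not part of the post above or of any project's code: the post's keyword check run over constructed query strings, next to a parameterized `SqlCommand` that carries the same values as data. The `articles` table, its columns, the `title` parameter and the sample requests are assumptions made for illustration; it assumes `System.Data.SqlClient` is available and never opens a connection.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net;

static class KeywordFilterVsParameters
{
    // Keyword list copied from the post above.
    static readonly string[] SqlKeywords =
    {
        ";", "--", "EXECUTE ", "EXEC(", "SELECT ", "INSERT ", "UPDATE ", "DELETE ", "CREATE ",
        "TRUNCATE ", "DROP ", "ALTER TABLE ", "TABLE ", "DATABASE ", "WHERE ", "ORDER BY ", "GROUP BY ",
        "DECLARE ", "CAST(", "CONVERT(", "VARCHAR(", "NVARCHAR("
    };

    // The post's check as a function: returns the first keyword found, or null.
    public static string FirstKeyword(string queryString)
    {
        string decoded = WebUtility.UrlDecode(queryString).ToUpperInvariant();
        foreach (string keyword in SqlKeywords)
        {
            if (decoded.IndexOf(keyword, StringComparison.Ordinal) != -1)
                return keyword;
        }
        return null;
    }

    // Parameterized lookup: the SQL text is a constant and the user's value
    // travels separately as a typed parameter, so quotes or keywords in it
    // are never parsed as SQL. Table and column names are hypothetical.
    public static SqlCommand BuildLookup(string title)
    {
        var cmd = new SqlCommand("SELECT id, title FROM articles WHERE title = @title");
        cmd.Parameters.Add("@title", SqlDbType.NVarChar, 200).Value = title;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample requests: every one is an ordinary search.
        string[] samples =
        {
            "title=Select+Committee+report",
            "title=Drop+shipping+guide",
            "title=Round+table+talks",
            "title=O%27Brien+interview"
        };

        foreach (string qs in samples)
        {
            string hit = FirstKeyword(qs);
            string title = WebUtility.UrlDecode(qs.Substring("title=".Length));
            SqlCommand cmd = BuildLookup(title);

            // The command text is identical for every input; only the
            // parameter value changes.
            Console.WriteLine("{0,-32} filter: {1,-22} parameter value: {2}",
                qs,
                hit == null ? "passes" : "blocked on '" + hit + "'",
                cmd.Parameters["@title"].Value);
        }
    }
}
```

The first three requests are rejected although they are harmless, while the fourth passes the filter even though its apostrophe is the character that breaks a statement built by string concatenation. With the parameter, all four values reach the database as plain data.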
8458
Thanks for your generosity!  One question- I'm in the midst of making a new computer and am going to be migrating my HDD contents to it; I take it that just because I registered doesn't mean that will work on that computer if I don't get it installed before the 24 hours?  Just making sure.

Thanks again!
8459
General Software Discussion / Re: What the hell is OpenCandy?
« Last post by wraith808 on April 03, 2011, 08:26 AM »
^ So... I take it adobe flash is spyware?  How about iTunes?  Or Java?  I could keep naming software- there's quite a few pieces of software that do the same in a benign way, then after the fact inform you that they did and would you like to install this update or that update.  Microsoft used to do it with Windows update.  Websites do it without ever telling you.

Bingo!
Not quite.  By agreeing to the installer, you're agreeing to the EULA.  So if you agree to the EULA, then you've already given your 'informed consent' whether you read the EULA or not.

So... I use other DLLs from third-parties in my software sometimes; does that mean that I need to inform you so that you can be made aware of exactly what software I'm using?  Where does it end?

Do those 3rd party DLLs collect user information and send it out to someone over the internet? If they do, then you should inform the user and get his permission before any information is collected.

So even if you agree to the EULA (read it or not) you *still* want another step of approval?  Sort of reminds me of the consumer advocates that say that the credit card agreements are too long because no one reads them, but if they are shortened, use the absence of text to attempt to say that the agreement is invalid.

It's no secret that I have financial problems, no secret that my family is less than a paycheck away from disaster. I am scrambling to make as much money any way I can. I have even thought about using OC...but every time I do, I get sick to my stomach, feeling like I would be a sell-out, selling my users to a bunch of slimeballs, for a few cents each. No matter how tempting it is and how bad I need the money, I just can't bring myself to do it.

The thing that bothers me is that the situation is nowhere near as black and white as you make it appear.  Your choice is your choice, and your interpretation is your interpretation.  But you seem IMO closed to anything that might speak against that narrow view, and use pejoratives where they don't belong (adware, spyware, slimeballs).  No one knows their motivations, for good or for bad.  Software does have defects, and sometimes people misjudge backlash against actions, and so end up spinning what happens.  And sometimes people deceive intentionally.  But unlike spyware and adware producers, who just attempt to find ways around any sort of exposure they get to dig deeper into the ground to get away from attention, OC does have an evangelist that does speak to these issues, and apparently gets things done.  Why not trust but verify, instead of putting them into the negative category because of possible growing pains?  And why, if that's a personal decision, attempt to inflict that on others even in the face of evidence?  Renegade put out a challenge above... but none of this really speaks to that challenge.  If there is such overwhelming evidence, why not prove it?  Especially if this is a black and white issue.
8460
General Software Discussion / Re: What the hell is OpenCandy?
« Last post by wraith808 on April 02, 2011, 11:28 PM »
^ So... I take it adobe flash is spyware?  How about iTunes?  Or Java?  I could keep naming software- there's quite a few pieces of software that do the same in a benign way, then after the fact inform you that they did and would you like to install this update or that update.  Microsoft used to do it with Windows update.  Websites do it without ever telling you.

Yes, but you're far from the only person using OpenCandy, and now that I know what it looks like I realize it's been used in lots of software I've installed recently. I would have liked to know so I could learn more and make a more informed decision. Lack of full disclosure by software authors is my remaining concern.

So... I use other DLLs from third-parties in my software sometimes; does that mean that I need to inform you so that you can be made aware of exactly what software I'm using?  Where does it end?
8461
General Software Discussion / Re: What the hell is OpenCandy?
« Last post by wraith808 on April 01, 2011, 10:20 PM »
I started referring to the act of loading an executable into working memory as an "install" after hearing Marvin Minsky refer to it that way during a lecture in 1977. Back then, we didn't differentiate between the act of "installing" in your sense (i.e. on a drive or other storage media) and loading it into RAM for execution. It was the act of loading and running that constituted the "install."
If we're going back *that* far, then at that point there wasn't really anything that even resembles installations of today, especially given the change in media and storage technology, so I think that given the change in the English language and technology, to carry over a term from that time to apply to the methodologies of today is a pretty big stretch...


And since we're trotting out our CVs, my view is from the perspective of someone who (like yourself) has programmed and installed software on various OSs for...well, let's just say a bit more than several years, starting with IBM's System/360 on mainframes, and Digital Research's CP/M on personal computers. :)

I'd guess a bit more than several years would depend on what the definition of several years is.  ;)

For one thing, installation by any practical definition implies that the software in question can be run again without any need for further installation (leaving out the situation of a software upgrade, since the act of upgrading is changing the delta of the installed software).

That's a new one for me. Bounced it off a couple of system admin cohorts of mine. Both felt your qualification that it "can be run again without any need for further installation" is not a valid criteria because they routinely install and run software utilities (not updates) that execute once and then remove themselves from the system. :tellme:

Personally, I wouldn't consider that an installation any more than I would consider copying a file to your computer or executing said file from a usb drive an installation.  /me shrugs 

But I think that with that out of the way, i.e. you've defined what you refer to as installation as anything that runs on your computer, then that seems to erode your position even more (see arguments by renegade and f0dder)  ;)


It seems like there is a lot of getting hung up on terminology here. Which is ironic because one of the most important points made here - by 40hz - is that the meaning of words *is* important and is being potentially subverted here by OC. On that point I have some concern myself. Nonetheless I think whether something is "installed" or not is ultimately tangential to what is at issue here and of actual concern. After all, I'm sure Wraith would not argue that a virus that simply loads itself into memory and formats your hard drive without ever "installing" anything is ok simply because it's not being "installed" (and neither would anyone else I'd wager :D). So using "installed" as a measure of trustworthiness, safety, or anything else that is really of concern here is not really useful.

First, installation was brought up by the naysayers, not me.  It was in their own words that the problem with OC was that it installed without their knowledge.

Second it is the words that are my entire point of this conversation.  OC is *not* adware, nor spyware, nor malware, but it is being categorized as such.  Currently adware, spyware, and malware are all negative terms, and the threat of such labels is enough to force action in one way or another.  But, if you dilute it using it in edge cases, or cases that have *nothing* to do with the terms in question, you begin to erode the power of the term (see rape, domestic abuse, and racism for examples of such).  And that would be a real shame to see happen.
8462
I guess we have to overcome those shortcomings that lotusrootstarch mentioned. Obviously people dislike DoCo ;-)

Good job, DoCo team!

As contentious as lotusrootstarch might be in arguing his points, I'd caution against making this a 'referendum' to continue with no changes; I do think that there is a need to continue to evolve.  I just don't believe in change for the sake of change, but change directed by mouser's idea for the site, and the members of the site.

... I hope that made sense.  :-[
8463
General Software Discussion / Re: What the hell is OpenCandy?
« Last post by wraith808 on April 01, 2011, 07:40 AM »
Yes, indeed it is a functional difference.  Several things run on your machine without being installed

Just a minor niggle... ;)

I think you might have missed what I was trying to say there.

Based on what I learned from my professors, the fact that a piece of code is capable of being run is proof positive an installation occurred. There is absolutely no "functional difference" between installing to RAM or HD, because in either case it accomplishes the exact same function - getting a piece of binary code into a place where it can be executed by the target system.

To paraphrase so there's no confusion: If it's runnable - it's been installed.


You have a very ... unorthodox view of being installed.  :huh:

The act of installation requires some very discrete actions that would seem to put lie to your explanation, and this is coming from someone who did installers for several years many moons ago on many varied OSes.  For one thing, installation by any practical definition implies that the software in question can be run again without any need for further installation (leaving out the situation of a software upgrade, since the act of upgrading is changing the delta of the installed software).
8464
General Software Discussion / Re: What the hell is OpenCandy?
« Last post by wraith808 on March 31, 2011, 10:59 PM »
But the dll isn't *left* on your machine.  It is to facilitate the installation.  That's the same as saying that NSIS is installed on your machine just because certain supporting dlls have to be extracted to be loaded into memory.  That is *not* installation.  It assists in installation of the requested software.

But NSIS is open source and you can obtain the code for it and whatever it needs to use to assist installing an application.

OpenCandy...no.

I have decided to contact the FSF to see what they have to say about the matter. I'll let you know when I receive a reply.

NSIS is... but what if someone decides to use InstallShield.  Do you have a problem with that also?  Or Wise.  Or any of the other non open source software options for installers?  Or if someone uses NSIS with a custom extension that isn't OSS?  You can write extensions, and they don't automatically become OSS...

That was my point about OC being held to a different standard; you can include all of the custom code you want to in an installer; you're already giving a certain amount of leeway to someone when you run an installer.  To single out this avenue, when you can do the exact same thing and there be no problems otherwise is the part that seems disingenuous.

It seems to me a good solution for authors releasing open source material is to always provide the option of a "portable" non-installer download.  Whether the installer is open source or not, just as a matter of convenience.

Sometimes that's not an option because of requirements of the application.  This is one of the (many) reasons that I never release anything open source, nor do I use OSS when developing- sometimes people get pedantic about the licensing, even if you're releasing the software for free...

And to get a bit pedantic about this myself (:)) NSIS is OSS.  The scripts that I create to use with NSIS are not.  I would think that plugins created are in the same way not bound by the license, especially as NSIS is licensed under the zlib/libpng license.
8465
General Software Discussion / Re: What the hell is OpenCandy?
« Last post by wraith808 on March 31, 2011, 10:17 PM »
But it doesn't *install* the dll.

What is the purpose of an installer? I thought the purpose was to install software. And software consists of many types of files, not just .exe executables.

If one of my applications comes with xml and wav files, I am not going to argue that they are not "installed" with my application...they are.

The big issue with the OC .dll being installed along with open source software is that it is compiled code in which the source is not available.

But the dll isn't *left* on your machine.  It is to facilitate the installation.  That's the same as saying that NSIS is installed on your machine just because certain supporting dlls have to be extracted to be loaded into memory.  That is *not* installation.  It assists in installation of the requested software.
8466
General Software Discussion / Re: What the hell is OpenCandy?
« Last post by wraith808 on March 31, 2011, 08:55 PM »
Up until now, there has been pretty much universal agreement that anything which gets installed on your PC without giving notice and asking your permission is unacceptable.

...

And I think the reason for that is very simple: most people wouldn't install OC if they knew about it.

But that's the thing -- It doesn't get installed! It runs, but it isn't installed.


When most people go to install software, they aren't agreeing to a lot of things, but things are genuinely changed on their system that they have NOT asked for. This is the normal way of doing things and nobody would call it malicious. For example, an installer adds registry keys and puts a DLL in the system32 folder, creates a ProgramData entry, another local/roaming directory structure, checks if certain other software is installed, if not installs it or upgrades it, etc. etc. That's normal. But OpenCandy isn't doing all that stuff. It runs then it's done.


This! If it were installing anything, I'd totally agree.  But it's not!

They are also peddling their stuff to open source developers, to include a closed source .dll on machines that install the open source software. When I install open source software, I expect to be able to have access to the source, all of it, for everything it installs on my machine. If the source for the OC dll is not included, it has no business being put on my machine during the install of a piece of open source software.

But it doesn't *install* the dll... when you get an installer for OSS software, is it required to give you the source to the installer?  I don't think so, though I could be wrong?  And if it's not, there's no reason to have to give the source to the OC dll.
But that's the thing -- It doesn't get installed! It runs, but it isn't installed.

Sorry. I'm a bit color blind in that end of the spectrum.  :)

Regardless of whether it copies itself onto the hard drive, or loads itself into RAM before it runs, it's still installed on your system. The mechanism employed for the IPL* (initial program load) is a technical detail, not a functional difference.

Yes, indeed it is a functional difference.  Several things run on your machine without being installed - classic asp and javascript are two good examples- they run on the client in the browser.  Does that mean that every bit of JS or VBscript has to be vetted?
8467
Living Room / Re: A Parrot Riding a Car's Windshield Wipers
« Last post by wraith808 on March 31, 2011, 08:48 PM »
^ This!  WIN!
8468
Living Room / Re: A Parrot Riding a Car's Windshield Wipers
« Last post by wraith808 on March 31, 2011, 06:30 PM »
i can't disagree with anything nudone says -- which is why i started off my comment saying that i really don't know if the parrot was scared.  hey he's a bird it's possible he loved it.  but it's hard to know.

my comment was focused on the fact that the owner doesn't seem particularly interested in whether the bird is terrified or not, which is the red flag for me.

if he was sitting there saying: "i love my bird and i'm convinced he loves the ride" -- i wouldn't have a complaint.

He does say that since the bird's wings have been clipped and won't be able to feel the wind like it should if it was able to fly.  He also mentions the parrot's happiness a few times... so I think he does sort of address it...
8469
@ $14,111 now,
I was thinking a good number to finish up on - but forgot it's got another 6 hours or so to go 'over there' before the day is done :)

I still haven't donated yet... waiting 'til the end like I always do on fundraisers :)

(In at 11:22PM local time... and we're now well over 14k!)
8470
General Software Discussion / Re: What the hell is OpenCandy?
« Last post by wraith808 on March 31, 2011, 03:53 PM »
So, the torch- and pitchfork-wielding villagers are incensed by the Franken-monster's insistence on playing possum?
;D  That's one way to put it...

Just a note- I really despise adware, spyware, and those that distribute it.  But like a lot of other pejoratives, I think it's very likely that the effectiveness of labeling something as malware will be diluted if it's applied indiscriminately.
8471
General Software Discussion / Re: What the hell is OpenCandy?
« Last post by wraith808 on March 31, 2011, 03:29 PM »
I've even seen during the worst of their growing pains that severe detractors have said that the level of knowledge of what you've done seems to be absent.

You completely lost me on that one. :huh: Could you maybe rephrase it?  :)



If it was tracking your actions, then subsequent actions would be based on that information.  But several detractors have admitted that it doesn't seem to utilize or even *have* that knowledge, just based on observation.  They might actually have it and not be using it- but that wouldn't seem to make sense either.
8472
General Software Discussion / Re: What the hell is OpenCandy?
« Last post by wraith808 on March 31, 2011, 01:54 PM »
So opt out of *what* is my question that still remains unanswered?

3rd party tracking.

*You* aren't being tracked though.  From what I've seen (and what Renegade has shown from his experiences) it's no more intrusive than a counter on a page.  I've even seen during the worst of their growing pains that severe detractors have said that the level of knowledge of what you've done seems to be absent.
8473
General Software Discussion / Re: What the hell is OpenCandy?
« Last post by wraith808 on March 31, 2011, 12:21 PM »
I said more than I planned to in that post...so maybe I didn't communicate well.

Opt out of *what*?

Exactly, you can't, OC is included.

But what do you mean?  Opt out of using the installer extensions?  So perhaps you opt out of using Installshield because you don't like them.  Or wise.  Or INNO or NSIS?  It's an extension that's not installed on your machine.  You can code your own extension that sends the *exact* same information.

So opt out of *what* is my question that still remains unanswered?
8474
General Software Discussion / Re: What the hell is OpenCandy?
« Last post by wraith808 on March 31, 2011, 11:39 AM »
The difference is that there is no opt out of OC when installing.

Opt out of *what*?  OpenCandy is more akin to a service than an application.  It doesn't install anything that's not required to have a clean uninstall, nor does it do anything other than during installation if you don't opt-in.  If you go to a site on the internet and it displays a page before you can access the site that has an ad that you choose not to install and even choose not to allow to show by the use of adblockers, it can *still* get information akin to the stated OC information, i.e. that you came to the page, whether you click through to an ad, and whether you click through to the main site.  Is anyone asking pages that do this to disclose that they're keeping track of who lands on the page?  And this is not a hypothetical situation; I know of a few popular sites that I visit that do this exact same thing.
8475
Living Room / Re: The "Cloud" Goes Up in Smoke
« Last post by wraith808 on March 31, 2011, 11:32 AM »
This story will become increasingly familiar as the new internet boomlets burst. First and last, it's about making money, not about providing service. The quaint idea of working capital is never given a thought.

And this is why I can't embrace storage in the cloud. It's not reliable.

It's just like everything else though in regards to reliability; you get what you pay for.  I have storage in the cloud on Amazon's servers and my own, and I pay for the storage, so I demand a higher level of service and reliability, and I get it.  What I'm more wary of is quote-unquote free services.