Correct link
on May 16th, 2007
For those coming from the news site -> the correct link is http://www.viraptor.info/dm.php5 - not the main site :)
Jeroen Frijters recently discovered a bug in .NET 2.0 on Windows platforms that allows executing any code from a “verifiable and partially trusted C# application”. That really sucks. Now any .NET code running from the browser can also exploit the system. Ok - security problem - that happens to everybody and we should’ve already learnt to forgive that.
Not this time. The bug was already known, as it was “reported by someone else in August” and the “bug was subsequently fixed in September”. Patches only made it to Vista, and the rest will get patches through Windows Update “sometime in the next few months”. The only thing you can really say is WTF? Two guys independently reported this bug already.
Who knows how many people know about it but didn’t report it, and how many ran into it and know they can crash the system with it but can’t make a real exploit? Once again I think a POC should be released now. Seriously - one month was enough to patch it in Vista and 4 months weren’t enough for XP? MS - you don’t release patches when you like it - you release them when they’re needed. What can change this policy? Someone owning an MS developer’s machine with this bug and stealing Vista code? Owning Ballmer’s desktop with a 0-day and publishing his private mail?
It’s a pity that this exploit would be too valuable in the real world to waste on “it’s a bad patching cycle” propaganda. Maybe one day…
I was just looking for stuff about Singularity when I learned some new information:
That’s all for strange links from today.
PS. CommunityServer doesn’t support trackbacks… that’s all for community…
This dev-log is brought to you by the letters ‘W’ and ‘P’… as in WordPress, accidentally.
It should have been written in CakePHP as first planned, but I didn’t have enough motivation to finish embedding FCKeditor / whatever properly, or to add all those shiny features that are already present here. Maybe another time… Nevertheless, Cake is a great MVC PHP framework and I really recommend it.
There should be a nice dev-article for a start, but I’ve found some old sendmail logs (Sep-05..now) in /tmp (broken log-rotate script) and decided to have some fun with them (mainly stats on spam rejected by RBLs). Results to be seen soon.