Lazy Developers

So in an effort to get more squash partners, I took my wife yesterday to play squash. She loves the game! BONUS! Of course, just like we all were, the first few times coordination is an issue :) She'll get better. I have been TRYING to get a regular game going with Wim, but we seem to always miss each other. When we do get to play though, its quite fun. Atleast right now... cuz I am winning ;-) If anyone else would like to play squash in Chilliwack during the lunch hour, please let me know.

Work has been interesting. Been having to update the website and have thus been in the bowels of Photoshop for some time. Hopefully this thing will go live in a week or so to help aid in the sales effort. Its funny to hear such praise from previous customers who are now coming to NetMaster to upgrade. I just love it. We make kewl stuff. Just wish more people knew about it. :(

Today with any luck I will be able to get some more reading done. I am about half way done Writing Secure Code and hope to be done next week some time if I get a chance to get into the book more this weekend. As I said before it is a well written book. As I get into it I find its more and more "Windows-centric", but that has to be accepted as its a Microsoft Press book. Overall, the concepts are great. Always nice to get a refresher in an entertaining way. Learning about some of the serious security flubs at Microsoft really helps to re-emphasize a point on how easy it is to break good security development techniques. Although, I gotta admit I hope they fired one employee for this one:

Every developer in a particular project were told they MUST NOT provide NULL DACL in their work. Everything required a valid ACL associated to it. The release manager wrote a perl script to run through the tree every night and make sure the field would not be NULL. If it was, a bug was reported. So this would NOT be allowed:


SetSecurityDescriptorDacl( &sd, TRUE, NULL, FALSE );


So one developer, (lets call him Mr. Lazy) decided to get around this by doing:


SetSecurityDescriptorDacl( &sd, TRUE, ::malloc( 0xFFFFFFFF ), FALSE );


So, this silly, but clever stunt would try to allocate 4,294,967,295 bytes of memory. None of us have that sort of memory available, and malloc fails.... with a NULL.

It is these kinds of stories that I find entertaining, but show how HUMAN we all are. If you think that type of story is MS specific you are wrong. In the last 5 years I have seen simlar things in code I have worked with. When you KNOW something is wrong, and you even go so far as to COMMENT the fact, you should just go fix the damn thing. Yet we all do it. Human nature I guess. Wim would probably say thats what refactoring is for. *slap* But hey, as a society of developers we ARE getting better. Lets hope so. Would suck to have our anit-matter cars blow up cuz someone tried to malloc 10 gigs of mem to set a null only to find that last upgrade now has 11 gigs available, and we thus flood the memory banks, and crash into Utopia prime. That reminds me... a new Star Trek movie should be out soon. Can't wait.

On that note, I should finish up here so I can go get absorbed in my book. Its quiet here for a few hours yet, so I should really take advantage of that. I think I will put some Botti on the stereo, brew some nice Earl Gray tea and read a book by the fire. Sounds really good. I'm outta here.