Harmful Stuff

webshit weekly (2016/12/08)

An annotated digest of the top “Hacker” “News” posts: ngate.com

8cc.vin: Pure Vim script C Compiler (2016/10/20)

This is a Vim script port of 8cc built on ELVM. In other words, this is a complete C compiler written in Vim script.

8cc is a nicely-written small C compiler for x86_64 Linux. It’s C11-aware and self-hosted. ELVM is a Eso Lang Virtual Machine. ELVM customizes 8cc to emit its own intermediate representation, EIR as frontend. ELVM compiles C code into EIR via the frontend. And then translates EIR into various targets (Python, Ruby, C, BrainFxxk, Piet, Befunge, Emacs Lisp, …) in backend. The architecture resembles LLVM. This presentation is a good stuff to know ELVM architecture further (though in Japanese).

ELVM can compile itself into various targets. So I added a new ‘Vim script’ backend and use it to translate C code of 8cc into Vim script.

Now 8cc.vim is written in pure Vim script. 8cc.vim consists of frontend (customized 8cc) and backend (ELC). It can compile C code into Vim script. And of course Vim can evaluate the generated Vim script code.

Note that this is a toy project. 8cc.vim is much much slower. It takes 824 (frontend: 430 + backend: 396) seconds to compile the simplest putchar() program on MacBook Pro Early 2015 (2.7 GHz Intel Core i5). But actually it works!

As VM runs on Vim script, 8cc.vim works on Linux, OS X and (hopefully) Windows.

Read more here.

Related (2016/10/18)

JavaScript 2016

How it feels to learn JavaScript in 2016 (2016/10/18)

JavaScript

You know what. I think we are done here. Actually, I think I’m done. I’m done with the web, I’m done with JavaScript altogether.

Read the full article here.

hello, world (2016/09/12)

if you are confident not hackers are within 100 feet (2016/07/02)

Douglas Crockford (2016/06/25)

Five states of software development (2016/06/22)

emailreg.com (2015/10/29)

OpenBSD (2015/10/20)

CVSROOT:    /cvs
Module name:    src
Changes by: deraadt@cvs.openbsd.org 2015/10/17 18:04:43

Modified files:
    sys/kern       : syscalls.master kern_pledge.c uipc_syscalls.c 
    sys/sys        : pledge.h proc.h socketvar.h 
    sys/netinet    : in_pcb.c 
    sys/netinet6   : in6_pcb.c 

Log message:
Add two new system calls: fbsocket() and fbconnect().  This creates a
SS_FACEBOOK tagged socket which has limited functionality (for example,
you cannot accept on them...)  The libc farmville will switch to using
these, therefore pledge can identify a facebook transaction better.
ok tedu guenther kettenis beck and others

Google (2015/10/19)

What’s harmful about Google?

Anonymous 10/19/15 (Mon) 18:01:02 No. 416982

416422

liking any corporation ever

thinking a structure where key people are constantly replaced and everyone has to fake doing good work to not get fired / replaced has any stable identity

but other than that Google has been pretty reliable and fair to their users.

okay, now fuck off.

Google is just another corporation. The problem is lots of le geeks fap about Google because it’s Super Innovative etc. The only useful thing Google ever did was make a search engine that wasn’t buggy and filled with annoying ads as the other ones. That was the in the early 2000s.

But now all the search engines are pretty much the same. Also Bing* actually has a feature to turn off safe search. Google slowly fazed out that option and replaced it with some bullshit that turns off safe search for your search if you add"porn" or some trigger word to your search. Also Google used to like actually show pages that contain the words you search. Now it just"knows what you mean" and pulls up some completely irrelevant garbage almost every fucking time.

Another innovation brought to you by Google is the prevelance of this Recaptcha trash on every fucking page of the internet. Pretty much half the time the captcha will be 3 numbers. The rest of the time it’s either one of:

o Picture captcha - select all 4 of the images with street signs, but there are only actually 3 images with street signs here. Please repeat the same scenario 3-15 more times so we can see that you aren’t a robot. Similar scenarios with burgers and ice cream. Also note that this captcha only appears when the I’m not a robot button failed (I’ve never seen it not fail… even without tor and on Windows). The"I’m not a robot" button is essentially DRM. You must have a conforming browser so they can see that the series of input/output events looks statistically like a human. The problem here is conforming browser simply means Firefox, Chrome, or IE or one of the other big ones. You cannot possibly make a browser from scratch and have it pass this button test. If you can, it means the button test is trivial to defeat. But I assume that’s not the case, and it relies on the behavior of millions of lines of code in Firefox/Chrome/etc.

o Nazi word captcha - Usually full of rnmrnrnmrnmrnmrnmr uvuvuvuvuvuwuwvuwwvu etc. They succeed 99% of the time at building a completely ambiguous string which your answer depends on which order you read the characters in, whether you look ahead, the amount of time you spend re-reading the captcha, the mood you’re in, etc. You are almost guaranteed to fail this captcha unless you retry it like 15 times or it’s on fuzzy mode and it just accepts a string that’s similar to the captcha shown (for example ul.to is on fuzzy mode for some reason, I have no idea how this is activated or if google just decides ul.to will have this mode activated for some reason).

o They just block you depending on which tor exit node you use. There’s nothing more ironic than blocking people from using your captcha.

Worse yet, Google seems to be the ones who started the fad of requiring a cell phone to sign up to a fucking website. And they brought that cancer to youtube. Fuck that shit right off. I still have a gmail account I registered before they switched to requiring cell phone to sign up. It’s still annoying as fuck to use because they are constantly threatening that they’re going to give someone my account because they added secret question/cellphone/etc backdoor #35782357823 to my account or the XSS of the day (yes, Google routinely has XSS vulns too, even trivial ones, despite that they are super leet haxors. WTF do you expect? It’s a corporation and software companies are not responsible for security errors - they can just appeal to"Security is Hard" every time).

416570

The open source community is utter shit regardless.

Read more in the mostly lame 8ch thread.

instagram (2015/07/21)

Crashing iPad App Grounds Dozens of American Airline Flights (2015/05/01)

Insanely great:

American Airlines was forced to delay multiple flights on Tuesday night after the iPad app used by pilots crashed. Introduced in 2013, the cockpit iPads are used as an “electronic flight bag,” replacing 16kg (35lb) of paper manuals which pilots are typically required to carry on flights. In some cases, the flights had to return to the gate to access Wi-Fi to fix the issue.

Read more here.

Boeing advises periodically rebooting 787 (2015/05/01)

The US Federal Aviation Administration (FAA) has issued a new airworthiness directive PDF for Boeing’s 787 because a software bug shuts down the plane’s electricity generators every 248 days.

“We have been advised by Boeing of an issue identified during laboratory testing,” the directive says. That issue sees “The software counter internal to the generator control units (GCUs) will overflow after 248 days of continuous power, causing that GCU to go into failsafe mode.”

Read more here.

Everyone has JavaScript, right? (2015/04/24)

From kryogenix.org:

Your user requests your web app
Has the page loaded yet?
“All your users are non-JS while they're downloading your JS” — Jake Archibald
Did the HTTP request for the JavaScript succeed?
If they're on a train and their net connection goes away before your JavaScript loads, then there's no JavaScript.
Did the HTTP request for the JavaScript complete?
How many times have you had a mobile browser hang forever loading a page and then load it instantly when you refresh?
Does the corporate firewall block JavaScript?
Because loads of them still do.
Does their ISP or mobile operator interfere with downloaded JavaScript?
Sky accidentally block jQuery, Comcast insert ads into your script, and if you've never experienced this before, drive to an airport and use their wifi.
Have they switched off JavaScript?
People still do.
Do they have addons or plugins installed which inject script or alter the DOM in ways you didn't anticipate?
There are thousands of browser extensions. Are you sure none interfere with your JS?
Is the CDN up?
CDNs are good at staying up (that’s what being a CDN is) but a minute downtime a month will still hit users who browse in that minute.
Does their browser support the JavaScript you’ve written?
Check Can I Use for browser usage figures.

Is all the above true?

Then yes, your JavaScript works.

Probably.

Progressive enhancement. Because sometimes your JavaScript just won’t work.

Be prepared.

fizzbuzz (2015/04/09)

Old, but it’s still what it is.

Google won’t allow the co-inventor of Unix and the C language to check-in code, because he won’t take the mandatory language test.

Read more here.

Barely Metal (2015/03/31)

Running on bare metal is being made possible in large part by virtualisation technologies such as Xen which provide standard virtual networking and file system interfaces. These virtualised interfaces mean that bare metal solutions don’t need hardware device driver support, making the core concept much easier to implement.

Read more at Not Constructive blog.

Google Summer of Code 2015 (2015/03/02)

content, pt. 3 (2015/02/24)

; hget http://www.xojane.com/ | htmlfmt
; hget http://www.xojane.com/ | wc
    170     470    6699
;

HTTP/2.0 — The IETF is Phoning It In (2015/01/07)

Some will expect a major update to the world’s most popular protocol to be a technical masterpiece and textbook example for future students of protocol design. Some will expect that a protocol designed during the Snowden revelations will improve their privacy. Others will more cynically suspect the opposite. There may be a general assumption of “faster.” Many will probably also assume it is “greener.” And some of us are jaded enough to see the “2.0” and mutter “Uh-oh, Second Systems Syndrome.”

The cheat sheet answers are: no, no, probably not, maybe, no and yes.

If that sounds underwhelming, it’s because it is.

Read more at acmqueue.

To Wash It All Away (2014/11/16)

James Mickens' classic rant (Usenix ;login, March 2014, p.2-8):

Describing why the Web is horrible is like describing why it’s horrible to drown in an ocean composed of pufferfish that are pregnant with Tiny Freddy Kruegers

Download the pdf

this is why software sucks (2014/07/23)

Ted Unangst’s thoughts on recent develepmonts in the LibreSSL world:

It’s been a week and change since the first LibreSSL portable release was announced to much sturm und drang. I’m not directly involved, but a few thoughts and reflections on the release and its reception. (Deliberately missing some links; do your own digging if you care.)

Most people seemed pretty happy with the release. That was good. There were a few portability wrinkles. They got fixed. That was good.

Then there were the LibreSSL is an unsafe catastrophe fun times. My earlier thoughts.

Now what was missing was any mention of prior art. Like CVE-2013-1900. Is PostgreSQL unsafe? Or CVE-2014-0017. Is stunnel unsafe? These are real programs, presumably trying to be secure, with real exploits. Not carefully crafted samples that aided in their own exploitation. Perhaps it’s OpenSSL that’s unsafe? It’s not like OpenSSL hasn’t had its own fixes for trouble with pid reuse.

I don’t have much involvement in portable, but I definitely had a hand in neutering the RAND and egd interfaces. Contrary to some commentary, we didn’t neuter these interfaces because we didn’t know what they were. We neutered them because we know precisely what they are. They’re fucking stupid.

The next turn of events was the notion that the getpid/atfork fixes were then rushed out the door. It’s sad when “Bug fixed in timely manner” is headline worthy news. It’s twisted when it’s spun as something bad. What else should one do after receiving a bug report via blog post via front page news? Sit on it? What purpose would that serve? Or, phrased differently, what narrative does a delayed fix facilitate?

Finally came the report that the atfork fix was all wrong, which was then edited to be rather less wrong. Hey, that’s ok, we all make mistakes. I’m more disappointed with the chorus of tweeters and sharers and likers who rushed to spread the bad news without apparently reading or understanding it, simply because it slotted nicely into the “wrong wrong wrong” story they had going.

Not to say all criticism is unwarranted or unwelcome. Indeed, with every release, Bob specifically asks for criticism, though I think he calls it feedback.

Whether for serious or for fun, phk and djb have each conjectured a massive all encompassing conspiracy dedicated to maintaining the status quo and preventing the development of secure software. I’m not sure I believe in such a conspiracy, but I am certain that should it exist, it could not possibly hope to be more disruptive. On the one hand we have people claiming the OpenSSL API is too broken to work with (they may have a point); on the other hand we have people demanding that we maintain every last misfeature piece of shit function in that API.

Do you want software to stop being shit? Then stop expecting… nay, stop demanding that software be shit.

Linux Future (circa 2012) (2014/07/18)

Back in 2012, pappp had some things to say about systemd’s role in Linux’s future:

Some time ago I came across yet another angry discussion about systemd, and have been reading and thinking a great deal about the design of Systemd, and what it says about Linux. I’ve come to realize that the strife in the Linux community is because an active and well-funded group of developers who have been driving the direction of various core components are not building UNIX. They are building some other philosophically divergent system on top of the Linux kernel, with roughly the same relationship to UNIX as Plan9. For convenience I’m going to call the non-UNIX environment they’re building FLOS for the remainder of this post (F since the FreeDesktop.org folks, and their backers in the Fedora project, are driving this, L for the Linux kernel, OS should be self-explanatory). I intend this term to be value-neutral.

Read more at pappp’s blog.

usps.gov (2014/04/22)

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, you@your.address and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

IBM_HTTP_Server at moversguide.usps.com Port 9443

Hacker News (2014/04/22)

pretty much what you’d expect

Tuggr on FOSDEM 2014 (2014/01/06)

Let’s take a look at my annotated copy of the FOSDEM 2014 main talk schedule, shall we?

http://tuggr.com/fosdem/fosdem2014

PHP hash function (2014/01/04)

from PHP Manual Masterpieces, via Rob Pike

NSA zines, circa 1974 (2014/01/03)

Content, pt. 2 (2013/12/27)

; hget http://hastebin.com/gigagovoje.coffee | htmlfmt
; hget http://hastebin.com/gigagovoje.coffee | wc
     79     215    2438
; 

Ted Nelson’s Eulogy for Douglas Engelbart (2013/12/26)

Ted Nelson’s eulogy for his friend Douglas Engelbart. Given at the Computer History Museum in Mountain View, CA, on December 9, 2013.

Ted has some complaints.

Rudeness (2013/12/23)

A recent thread on the 9fans mailing list explores the relationship between rudeness and software quality in open source projects:

From: sl@9fr...
Subject: Adding a new user on 9-Front
Date: Mon, 23 Dec 2013 18:47:35 -0500

>> What remains of Plan 9 might be a better example of failing to seek
>> out community in order to preserve the value, which is sometimes
>> not clearly perceived by the interested few who show up at the party.
>
> isn't this a false dichotomy?  rudeness doesn't preserve value.

The TUPE[0] -related material is a valuable reference point in this discussion
specifically because it's all thirty years old. This tension between technical
and social pressures is nothing new.

I'm not specifically advocating rudeness, but it's worth pointing out that
more than one book written by former Bell Labs staff specifically accuses
our 1127 heroes of indulging in precisely this sort of conceitedness (not
my word) and condescension towards outsiders. I bring this up only to
illustrate what people choose to focus upon, and what they choose to
ignore. The complaints are always the same, whether it is Rob Pike or
Theo de Raadt who has made someone cry. The objections, -- no,
demands -- are always the same sort of "I'm new new guy, treat my bad
ideas as if they were good ideas, or I'll tell everyone you're a jerk" attempts
at social extortion that are familiar to anyone who has ever worked on an
open source software project. Worse, now, as "community" has become the
central concern of many such projects. How many times have you seen
someone declare that they refuse to use OpenBSD simply because Theo
made some crazy remark? This is the level at which the discourse occurs.

Meanwhile, there is the code. Which operating system with lots of
developers and lots of users is not terrible? Do we posit some connection
between the social structure of operating system development (as we've
observed it) and the end result? What are the lessons learned?

Ken referred to open source as "open sewers." Theo runs his project with
an iron fist, and if you don't like it, you're free to spend your time somewhere
else. Neither of these attitudes are conducive to the type of inclusiveness
sought after by those who concern themselves primarily with community.
In the case of Bell Labs, their code was not even widely circulated to
the general public for much of the period in question. Thought exercise:
Try to recall how gladly fools were suffered in the early days of the 9fans
mailing list.

At some point, you have to stop entertaining the bad ideas and work on
the good ones, even if that makes some people unhappy. This is how we
got UNIX (and later, Plan 9) in the first place.

It is possible this perspective has been expressed more gracefully elsewhere.


>> What remains of UNIX is sometimes difficult to recognize.
>
> it's easy to point out past mistakes.  do you think these were obvious
> at the time they were made?

The class of mistakes we are dealing with today were not acknowedged in
1983 and are still not acknowledged today. The entire "software tools"
philosophy was rejected, long ago, and as Rob pointed out, perl delivered
the elegy. This is rendered obvious when a longtime UNIX user tries out
Plan 9 for the first time. Go on, I'm sure you can predict the first several
complaints that will be voiced.

Was this rejection intentional? Did they (the perpetrators) really disagree
with the perspective of the UNIX authors, or were they simply ignorant of
the arguments being presented? I certainly was, until the existence of the
documents I keep linking to was brought to my attention. In your
experience, how well does the average UNIX enthusiast understand
these ideas, and how are they received, when explained?

Well, there are hordes of these people at the gate, and they are insisting that
we honor their demands as a matter of course. All of their bad ideas MUST
go into the system. NOW. Or else you're a jerk. What? You think our ideas
need more time to develop? That's not a very nice thing to say. I demand that
you take us seriously, RIGHT NOW. Gee, you guys think you're so smart! Your
privilege is showing!

What if we open the gate, just a crack...

The whole question of rudeness is based upon the false premise that it makes
sense to treat each new airing of a bad idea as if it were the first expression
of a potential breakthrough. Limited resources are quickly consumed by public
relations. Projects that have produced material of value typically eschew these
exercises in favor of doing the real work.

sl

[0] The UNIX Programming Environment, by Brian W. Kernighan and Rob Pike

Full text of cat-v paper recovered (2013/12/23)

I’m pleased to report that the full text of the ‘Program Design in the UNIX Environment’ paper has been recovered:

http://harmful.cat-v.org/cat-v

Thanks are extended to pr, who located the postscript file on the old netlib site:

http://netlib.bell-labs.com/cm/cs/doc/

This saga began when I noticed that the version of the file long hosted at cat-v.org was missing some words – apparently the result of the italics macro being dropped when the file was translated from troff to postscript. I contacted Brian W. Kernighan and Rob Pike (the original authors of the paper), but neither of them had access to the original troff sources. I eventually located a print copy of AT&T BELL LABORATORIES TECHNIAL JOURNAL, October 1984, Vol. 63, No. 8, Part2, wherein the article had originally been published. Interestingly, this published version contained completely different translation errors; italics were intact, but all of the backquotes from the code examples had been dropped.

Needless to say, it’s a relief to have finally located a complete copy of the document.