I worked at Microsoft from 1996 to 2011. I was an SDE and lead on Windows Media and Media Foundation. This is a cute story, but I never heard of anything like this. There is no way my management would have approved any time off to write a book on a Microsoft product. Sabbatical is possible, but everyone I knew that qualified for a sabbatical was already filthy rich from early 90s stock options, and used that time to sail around the world or something like that.
I can't rule out that such a thing did happen at Microsoft in groups that I wasn't part of, but I would be stunned if it was more than a couple of people.
I'm probably being dumb here, but what do you mean by /lit/? I can't figure out how to turn that into an Internet thing (website? social? what is it!), and searching for /lit/ is predictably not helpful. Always looking for a good source of book discussions and recommendations!
I worked at Oracle from 1993-1996, porting the Oracle database to Netware.
> Novell wouldn’t, or couldn’t, make Netware use task preemption and memory protection.
I actually remember being shown a pre-release version that had memory protection, at least. I don't recall if pre-emptive multitasking was included. It was a bit hacky; I think there was a kernel but then most of the OS ran in one process anyways, so perhaps it was a partial step. I think the problem was trying to be backwards compatible while shifting to the new memory model. Their development team was probably pretty small compared to something like Windows NT, so they didn't have the luxury of re-writing everything.
Looking at Wikipedia it is unclear if this upgrade was part of Netware 5 (released in 1998). Your other comment suggests maybe they killed this functionality. I was working for Microsoft by this point anyways. :-)
> There were some third party server applications built for Netware, I think maybe CC:mail server and Lotus Notes, but the memory protection and cooperative multitasking meant they didn’t last long.
We did actually have quite a few customers for the Oracle database on Netware. Mostly companies that were already locked into Netware for other reasons. In retrospect it does seem like madness to run an RDBMS on a server with no pre-emption or memory protection. I think the performance was pretty good, though. :-)
> Also Microsoft was at the height of its powers as a competition killing machine and nothing that stood in its way survived. It really genuinely looked back then like Microsoft was going to wipe out everything and it would be a Microsoft only future. Novell was no exception along with Lotus and Borland and many others.
This 100%. It felt absolutely inevitable that Windows NT was going to completely dominate this space once Microsoft came out with a competitive offering. And we didn't really know that Windows NT was an honest-to-goodness real operating system, instead of something hacked together on top of Windows for Workgroups (and DOS by extension). Of course, no one saw Linux coming at this point.
I don't remember... but it's long enough ago that that doesn't mean anything. Virtually everyone I knew there left the company around 1996 as the raises weren't keeping up with the market. New hires were making more than everyone else.
I worked at Microsoft on the NetShow Encoder, later known as the Windows Media Encoder, in the Windows 95/Windows NT4 era. I remember carefully writing millisecond code that would deal with differences, instead of absolutes, so that we could run longer than 49 days. Honestly I don't recall whether the limitation was GetTickCount, the recording API, the file format, or all three.
In our debug build, I added a registry key that would start the concept of time at 49-ish days, so that we could test that everything was working without waiting 50 days. However, before we shipped, the intrepid test team did actually run the encoder for 50 days to prove that it worked. (On Windows NT, of course. Windows 95 with good hardware and drivers was perhaps more stable than its reputation, but still...) Though TBH we definitely wouldn't have delayed a release by 49 days if it had failed at the last minute.
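The "differences, instead of absolutes" approach and the debug start offset described in this comment, sketched as an added example (not code from the original post or from the encoder). The tick source, function names and sample values are hypothetical; `raw_ms` stands in for a GetTickCount-style 32-bit millisecond counter.

```c
#include <stdint.h>
#include <stdio.h>

/* A 32-bit millisecond counter wraps after 2^32 ms, about 49.7 days. */
#define MS_PER_DAY (24u * 60u * 60u * 1000u)

/* Hypothetical tick source: debug_offset_ms plays the role of the debug
   setting that starts the clock late so the wrap is reached quickly. */
static uint32_t ticks_now(uint32_t raw_ms, uint32_t debug_offset_ms)
{
    return raw_ms + debug_offset_ms;   /* unsigned add wraps modulo 2^32 */
}

/* Difference form: unsigned subtraction yields the true elapsed time
   as long as the two samples are less than 2^32 ms apart. */
static uint32_t elapsed_ms(uint32_t start, uint32_t now)
{
    return now - start;
}

static int expired_difference(uint32_t start, uint32_t timeout, uint32_t now)
{
    return elapsed_ms(start, now) >= timeout;
}

/* Absolute form: the deadline start + timeout can wrap past zero, after
   which every "now" before the wrap compares as already expired. */
static int expired_absolute(uint32_t start, uint32_t timeout, uint32_t now)
{
    return now >= start + timeout;
}

int main(void)
{
    uint32_t offset = 49u * MS_PER_DAY;             /* start at day 49 */
    uint32_t start  = ticks_now(61360000u, offset); /* 7296 ms before wrap */
    uint32_t now    = start + 1000u;                /* one second later */

    printf("absolute says expired:   %d\n", expired_absolute(start, 10000u, now));
    printf("difference says expired: %d\n", expired_difference(start, 10000u, now));
    return 0;
}
```
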
I love C, but it's pretty scary sometimes. 5 minutes ago, "I wonder if I can find a potential memory overwrite in 5 minutes?"
Sure enough, the function StrAppend potentially overflows a size_t size (without checking), and then writes into memory that could be past the end of the allocated buffer. Given 5 minutes, I didn't look thoroughly at whether this is actually exploitable, but it's definitely a red flag for the code. Be careful out there! Hopefully I am missing something, or this is just a simple oversight, but I would carefully audit this code before using it.
Yeah. The function in question is called in only one place. It would seem you’d need to send the web server more than a size_t of data for this to be an issue.
Yes, absolutely. If the webserver is compiled 32-bit, that is only 4GB of data, which might be feasible? I don't know enough to say. Assuming a hacker kindly won't overflow your buffer is never a good idea.
However, the presence of one piece of code that is not integer-overflow safe definitely makes me nervous. This is just the one I found in 5 minutes, what else is in there?
It's not an integer overflow that would be needed but an unsigned overflow. The way I see it, on 32 bits, that means that the size of the HTTP request would have to be bigger than what's available to both the user application and the OS together. In short, one just can't get the input request that big. Of course, if you manage that, you'll disprove this claim.
Exactly. In a single file C nobody can expect to get universal library functions that work in any possible imaginable context. The only relevant context is the code the function is in. And in that context, the function is doing enough.
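For reference alongside this thread, an added example (not the code under discussion, which is not shown on this page) of the size arithmetic being debated: an append whose length computation is checked against `SIZE_MAX` before allocating, next to the unchecked sum that wraps. `struct strbuf` and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string, not the structure used by the audited code. */
struct strbuf { char *data; size_t len; };

/* Unchecked: len + add + 1 silently wraps modulo SIZE_MAX + 1. */
static size_t total_unchecked(size_t len, size_t add)
{
    return len + add + 1;
}

/* Checked: stores the total and returns 0, or returns -1 if it would wrap. */
static int total_checked(size_t len, size_t add, size_t *out)
{
    if (len == SIZE_MAX || add > SIZE_MAX - len - 1)
        return -1;
    *out = len + add + 1;
    return 0;
}

/* Append add bytes of src; on any failure the buffer is left untouched. */
static int strbuf_append(struct strbuf *b, const char *src, size_t add)
{
    size_t total;
    char *p;

    if (total_checked(b->len, add, &total) != 0)
        return -1;                 /* refuse instead of under-allocating */
    p = realloc(b->data, total);
    if (p == NULL)
        return -1;                 /* old allocation is still valid */
    memcpy(p + b->len, src, add);
    b->len += add;
    p[b->len] = '\0';
    b->data = p;
    return 0;
}

int main(void)
{
    struct strbuf b = { NULL, 0 };

    strbuf_append(&b, "GET ", 4);
    strbuf_append(&b, "/index", 6);
    printf("%s (%zu bytes)\n", b.data, b.len);
    printf("unchecked total near SIZE_MAX: %zu\n",
           total_unchecked(SIZE_MAX - 2, 10));
    free(b.data);
    return 0;
}
```
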