41 comments

[ 0.17 ms ] story [ 86.6 ms ] thread
(comment deleted)
I am reminded of JWZ's "On Toolkits" (https://www.jwz.org/xscreensaver/toolkits.html):

"Let's suppose that down in the bowels of some particular version of some particular toolkit library, there lurks a bug. Let's suppose that the nature of this bug is something relatively obscure: say that it's something like, if you hold down 5 keys on the keyboard for 10 seconds then drag the middle mouse button, the text entry widget gets a SEGV. (In fact, I'm not making this up: I saw this very bug once, years ago.)

Now, that's the sort of bug that is not likely to be noticed or fixed, because it's the sort of thing that people "never" do. If that bug was reported against, say, a web browser, nobody would much care: User: "I can crash my web browser by doing this crazy thing!" Developer: "Uh, don't do that then." And that's not a totally unreasonable response.

However, in the context of security software, it matters, because then it's not merely a cute trick that crashes the program: now it's a backdoor password that unlocks the screen."

That link is redirecting to an unexpected image for me.

Edit: it works if I copy-paste the URL.

Is it some item of human genitalia? If so, you've triggered JWZ's anti-image-hotlinking system.

There must be something somewhat unusual about your browser or maybe something is mangling HTTP requests on their way to his server.

Yes, yes it is.

Does the link work as expected for you?

The strange thing is that it does work for me if I copy-paste the link (as opposed to ctrl-clicking it). There really shouldn't be much that's different between those two requests except for the referrer header.

It does work as expected for me, no matter how I visit the URL. (The first time I viewed the page, I ctrl-clicked the URL.)

> There really shouldn't be much that's different between those two requests except for the referrer header.

I don't know the details, but I gather that that's a big component of the anti-hotlinking system.

jwz just confirmed on Twitter that he blocks requests with HN in the referrer: https://twitter.com/jwz/status/665658171415859200
Odd. Clicking on the link in the HN conversation works just fine for me.

Wait. Does running Firefox in Incognito Mode not send along a referrer?

Huh. I guess we don't have time for jwz, either.
From a personal email, jwz said I could quote: "Every time [Hacker News drops by] someone launches a DDoS. This time it's a SYN flood. Pretty much like clockwork." This looks like a response to that.
Appears to be one of those bizarre people who gets offended when people link to them. They were more common back when bandwidth was as precious as diamonds, and I see this article dates from that era. On the modern Web, I've never been sure if they don't quite understand what the internet is for, or what.
You're going to accuse jwz of not understanding the internet? I'm going to assume you have no idea who jwz is.
Anyone who actually gets angry when they're linked to (that image seems calculated to offend, not merely deflect bandwidth usage) has some kind of fundamental disconnect with how the internet is used on a day-to-day basis. It may be a social/emotional disconnect rather than a technical one, but it's still a disconnect.

I suppose I should acknowledge the possibility that he's just kind of a dick and likes trolling people for lulz. That's not really better, though.

It's his server. He gets to decide how it responds when people send it requests. If there's a disconnect, I think it's the people telling jwz how he needs to configure his server.
> It's his server. He gets to decide how it responds when people send it requests.

I don't understand why you think this contradicts anything I said.

Sending drastically different content based on where your URL was clicked from, should indeed count as one definition of "not understanding how the hypertext web works." It's also something you're free to do, and the rest of the web is free to stop linking to you in response.
I suppose I should acknowledge the possibility that he's just kind of a dick and likes trolling people for lulz.

Or perhaps that he's just kind of a troll and likes dicking people.

This sounds like a job for Erlang, not JWZ staring at C code until he's convinced it won't segfault. A small monitor process could do something reasonable when the big GUI codebase fails, and then everyone wins.
The design of X screen lockers makes that kind of difficult. Exclusive keyboard control is exclusive, meaning the secure locking process and the pretty crashing process aren't going to share very well.
Also from that article is a good advice in general:

Bugs like that will exist in GUI libraries; it's inevitable. The libraries are big, and do many different things. So one way to protect against that problem is to keep the number of libraries used by the xscreensaver daemon to an absolute minimum.

If you want to make less buggy software, you should aim to reduce complexity as much as possible, and not just hide that complexity with a library. The coordination of multiple processes as exampled therein is a good demonstration of how splitting functionality into multiple pieces may mean adding complexity overall because of the need to coordinate how the pieces interact.

My cat got my gf locked out of Gmail for 15 minutes once, since it was sitting on the F5 (refresh) key while the Gmail tab was open. Turns out Gmail thought there was a suspicious activity on the account and she got locked out for up to 24 hours.

Possible solution: http://i.stack.imgur.com/i1A5X.jpg

Awesome. I find that simply lowering the screen when you get up works, except for when your cat is trying to express her affection to you or your screen while you're trying to get some work done.
(comment deleted)
This is incredible -- is 0.0.1 the latest or have there been upgrades?
Haha, i read the version as "woot".
Fun times... at one point I managed to render a computer unresponsive by dropping a notebook on the PrintScreen key. The key-repeat was pretty fast and so many gnome-screenshot windows popped up...
Related Linux kernel bug report: https://lkml.org/lkml/2011/11/3/110

However, that particular key combination ([Alt]+[SysRq]+[C]rash) works as designed. The old adage about security and physical access comes to mind.

We sometimes underestimate the important role of cats in fighting bugs.
I bet the cat didn't even RTFM first.
This reminds me of a bug I had to fix while working on the AIX version of a SCSI-failover driver (ATF) for Clariion disk arrays. It turned out that sometimes, telnet'ing in to a system with ATF active would hang the system. (FWIW, ssh would have had the same problem. That's just not what actually happened, and ssh on AIX wasn't much of a thing back in those days.) It turned out that the telnet daemon and an ATF daemon together were triggering a classic lock-inversion kind of deadlock in the AIX kernel's generic ioctl code. The details and the fix aren't all that relevant, but it was an important lesson in how these absolutely crazy-seeming kinds of interactions can and do occur in real systems. If your code even runs "alongside" some other code, they can interact in strange and unpleasant ways.
A long time ago back in the era of the Sega Genesis...

My siblings and I were playing Sonic 3D Blast. My brother was screwing around and put a blanket over his face and started to press totally random buttons on the Genesis controller saying "Tell me where to go! Tell me where to go!" and my sis and I were like "Stop screwing around."

All of the sudden the screen glitched out. The graphics were all screwed up, totally glitched out. We started exploring the level.

In this game you could go to either Tails or Knuckles to get to a bonus game. We were like "oh I wonder what the bonus would look like." We went to Knuckles and all of the sudden a level select screen came up.

Years and years later I looked it up on the web and apparently from what I remember the level select screen is some kind of error handler that gets triggered when the game is about to crash. People are on Youtube triggering it by tapping on the cartridge when the game is running.

I wonder if a buffer overflowed or something.

The Cutting Room Floor has screenshots of that level select screen https://tcrf.net/Sonic_3D_Blast_(Genesis)
That is a brilliant error handler.

Are there other games that crash with a congratulatory message and a level selector? It seems like such a beneficial way to handle unexpected situations that it should have been used more.

Extremely brilliant. Instead of getting upset the game crashed with too many button presses we felt like 1337 hackers unlocking secrets.

(Remember, we were kids)

So basically cats work as fuzzers if you can't be bothered to hook up afl.
In my experience, this sort of unusual bug is a symptom of underlying design problems, often caused by chronically convoluted and over-layered architecture - there's no real reason why input events at a high rate should cause behaviour different from a lower rate. If a system can't process events as quickly as they come, then some of them should just get ignored.

It'd be interesting to see the cause of this bug, but more importantly how they decide to fix it.

Please don't make assumptions. LightDM is overengineered but this bug could be caused by just about anything.
My cat found a similar bug in Windows NT 3.51 20 years ago.