Profile picture
, 7 tweets, 1 min read
My Authors
Read all threads
Whelp, this about wraps it up for memcpy_s(). It looks like we need to go back to the drawing board and find a new secure function to copy memory in C.
The C programming language that run almost all of the world's compute infrastructure has both the feature and the flaw that it doesn't double-check memory. Thus, bugs in one part of the code can overwrite memory used in other parts.
It's a necessary feature for some "systems" programming, but is also dangerous for other tasks. Language like Rust solve this by being inherently "safe" for most accesses, allowing "unsafe" access only when needed.
Microsoft has addressed this by replacing 'memcpy()' (memory copies) with a safer version 'memcpy_s()' that double-checks where memory is being copied into.
It does vastly improve safety, but at the same time, it only solve specific problems. Here, it was a stupid replacement that shouldn't have been done.
Normally, memcpy_s() guards against run over the end of the buffer. Here, the problem is figuring out where the buffer starts, the "offset" from the start of the buffer.
What you really want is a function that checks the starting offset hasn't gone past the end of the buffer as well, like:
memcpy_offset_s(buf, offset, max, src, length).
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Rob ☃️ Graham

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @ErrataRob see all

Profile picture
Rob ☃️ Graham
@ErrataRob
Yes, yes, but:
Infosec: "Nobody but us can understand our field, so listen to us explain it to you."
Lawyers: "Nobody but us can understand our field, but I'm not your lawyer and won't explain it to you."
It's like Aaron Swartz:
Infosec (quoting DoJ): "Aaron faced 200 years in prison".
Lawyers: "That's a fantasy, that's not what he really faced, read the sentencing guidelines".
Infosec: "So how many years did he face?"
Lawyers: <silence>
Lawyers: "pfft, this California law doesn't say what you think it does"
Infosec: "Okay, so explain to me what it does say"
Lawyers: "I'm not your lawyer"

Read 7 tweets
Profile picture
Rob ☃️ Graham
@ErrataRob
I don't believe this Reuters story that Apple dropped pans for encrypted backups because FBI. Encrypted backups are a useability nightmare that means customers would lose data.
reuters.com/article/us-app…
A "backup" is what you resort to after some catastrophic failure, such as losing your phone and forgetting your password. Without encryption, Apple can still recover your data. With encryption, it's no longer a backup, and your data is lost.
I don't know how to have an encrypted iCloud backup that is truly a backup in case of catastrophic failure. Maybe some cryptographer out there knows how to do this, if so, they can explain it to me and prove me wrong, and I'll gladly retweet them in this thread.
Read 7 tweets
Profile picture
Rob ☃️ Graham
@ErrataRob
There is a clear parallel here, @ggreenwald is being accused of roughly the same thing as Assange, that they "directly assisted, encouraged and guided" getting the leaks they published.
@ggreenwald When it's them, it's obvious that Brazil is a corrupt government prosecuting leaks showing their corruption.

When it's us, the situation is more nuanced and complex.
@ggreenwald I think there's objective evidence that it really is more nuanced. That Assange's prosecution happens under both Obama and Trump show that our prosecutors really are acting independently rather than pressured from the top.
Read 7 tweets

Related threads

Profile picture
Vivek Gadodia
@technovestor
Emotions, Feelings and Systems Trading

Many of us feel system trading is removing the emotions from Trading. Nothing could be further from the truth. A Robot may not have emotions. This again is debatable. How does system trading help, if at all, then, in trading?
Our emotions are layered, just like the various peels of an onion. Many are at the surface, and maybe visible to ourselves and to others. A deeper layer of emotions though, is invisible. It is layered so deep and entrenched so much within us, that it may not be accessible to
our conscious. When we create a rule-based mechanical trading strategy, what we are doing in a way is channelling all our emotions together into an algorithm or set of rules, which we feel is suitable to us and our temperament. How can then, a system which is good for me,
Read 19 tweets
Profile picture
Troll_Tradez
@SBMT17
People say, “but if I don’t go in with full size at first then I won’t have full profits only partial profits”
I then ask, “would you rather have partial profits over and over or a blown up account in just a few trades?”
I can not tell you how many times I enter a trade with only 30-40% size of what I actually wanted to enter with.
Why, oh why would someone do this.
Let’s say you spot a good trade but you know it might run against you but it also might not.
Let’s play this out...
First scenario:
You spot what you think is a good trade. You enter with full size. Let’s say 10 micro MNQ. you set your stop. You keep your set it and forget it attitude. It either works, or it doesn’t. Great. Now, just SECONDS later you say “shit, wish I would’ve waited”
Read 13 tweets
Profile picture
A4AOntario
@A4AOntario
Groups like Autism Speaks need to shut down and we need to go back to the drawing board to create new autism services and charities [thread] thehill.com/blogs/in-the-k…
One of Autism Speaks' earliest fundraising videos is essential viewing-it laid the groundwork for the dehumanizing view of us that still exists in autism fundraising today. And that's the thing, until the ND movement, the image of autism came from AS.
Before the ND movement, the public image of autism was a vacant child, less than human and a burden on society, with the message that we need to be "prevented." Fundraisers created that, a bogeyman that their "charities" claimed able to vanquish, if only you would donate...
Read 9 tweets
Profile picture
Toyin
@toyinldr
It’s exactly 6 years since I pivoted from a career in Law to a career in Tech
And you all know I’ll write an epistle about this 🤷‍♀️
Pivoting from Law to Tech was not a well thought out plan and sometimes, I look back and wonder how I got here
Read 57 tweets
Profile picture
FL Education Assn
@FloridaEA
#SB7030 is up for final passage in the House right now. You can watch here thefloridachannel.org

This will be the final stop before the bill reaches the governor's desk.

As with yesterday's #SB7070 this bill will have structured debate 15 min. per side.
First to debate is Rep. @CindyPoloFL103 who says she had a speech ready weeks ago but that last night's questioning and debate changed that speech. "I'm trying to find a balance btw being angry and keeping you accountable," she says.
Rep. @CindyPoloFL103 continues by saying "We have forgotten the impact that this new world has on our children...I don't believe that having more weapons in classrooms gets it right." Rep. Polo also apologizes for "losing focus" last night during questioning.
Read 66 tweets
Profile picture
Joe Fitz
@securelyfitz
Thread time! Why can't they just quickly patch #meltdown or #spectre and push out another cpu? Why could it possibly take years? Why don't they use AGILE or x/y/z? Lots of reasons:
(note: my goal is not to criticize chip manufacturers - it's to defend the constraints they have)
Let's start with a standard software product many are familiar with and work off that. First, every time you hit 'build' it's called a 'stepping', costs millions of dollars & takes several months. If you want a profitable product, you may only get 10 chances to press 'build'.
On top of that, half those 'builds' are not 'full layer steppings' meaning you can't change any logic gates, just how they're connected. Even with a full layer stepping you can't shuffle stuff around anywhere like you can with library files and whatnot.
Read 15 tweets

Trending hashtags

#ProudOfISRO #ForThePeople #mutualfunds #Nevada #unroll #spectre #SB7070 #RepowerIndiana #NoBan #MutualFundsSahiHai #ADOS #Blexit #thehunt #surprisemedicalbills #TodayInSenatePlenary #cybersecurity #Kamala2020 #FinancialFreedom #California #financialplanning #crypto #meltdown #ProudIndian #blockchain #SB7030
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!