Sunday, April 29, 2007

World Class Farce

I cannot believe what a complete and utter cock up the umpires and the ICC have made of the World Cup Cricket final between Australia and Sri Lanka.

During the Sri Lankan innings it started raining, this rain then got progressively heavier, yet the umpires didn't make a decision to leave as they could see a clearer patch of sky beyond the clouds. This was a sensible decision - Sri Lanka needed to keep playing to ensure they had a chance to win, had they gone off then, there would have been too many overs lost, along with any chance of Sri Lanka being able to win.

So, as the rain started to ease, the umpires decided to send the teams off the field. Why, I guess, no sane person will ever be able to understand. Aleem Dar and Steve Bucknor had just made the most stupid decision (probably) ever in cricketing history.

Then, when they decided to bring the teams back on, they failed to calculate the new target. Sure, they could work out that 2 overs were lost and correctly subtracted 2 from 38 to get 36, but they couldn't work out how to use the Duckworth Lewis system to calculate the new target and a few balls later, both teams stopped the match to enquire about the new target. Failing to have this corrected, the teams started playing again whilst waiting for the farce to end, which it eventually did.

Or so we thought.

Now, as the light was fading due to the ridiculous waste of time that the umpires caused by the stoppages, the umpires offered the light to the Sri Lankan batsmen on a number of occasions, which they finally took 3 overs before the end of the match. With absolutely no chance of Sri Lanka being able to win and with absolutely no chance of the light improving (as the WCC final ground dows not have lights), everyone had figured - the ground officials included - that Australia had just won the World Cup. Of course, Aleem Dar then chose to point out to Ricky Ponting that this was not the end of the match and that they would need to come back tomorrow to bowl the three remaining overs. The ground staff at this point had already congratulated Australia on the scoreboard and were preparing to set up for the presentations, yet the umpires shooed them off the field, explaining that the match wasn't over.

Mahela Jayawardene then came onto the ground and discussed the options with Ricky Ponting and, instead of making the most obvious decision there was - conceding defeat - he chose to send his batsmen back out to face the final three overs.

At this point, the commentators couldn't distinguish between players on the field. The batsmen had to face spin bowlers for safety - pace bowlers would have been deadly. The cameras couldn't easily focus on the players for the lack of light. Basically, the game should have been over when the players took the offer of bad light.

Despite the "look" on the broadcast, the light was appalling. The cameras and CCU operators were able to enhance the light way beyond was actually available. The true state of affairs, and the true view of what a farce the umpires made of this match, was seen when Stump Cam was shown - there's no way to artificially enhance the image from Stump Cam in the same way as the regular broadcast cameras. It was close to total darkness. Even the enhanced camera images were significantly grainy due to the enhancement artifacts. This was something that never should have been allowed to go on.

The umpires made appalling decisions. The ICC allowed them to do it. Jayawardene had a clear opportunity to stop the stupidity and chose not to do so. The whole thing showed the world how far away from being able to make Cricket a world game the governing body is. It is a shame, but hopefully the ICC will learn from this and take steps to ensure some form of sanity creeps into the rules and the interpretation of the rules.

Regards,

The Outspoken Wookie

Wednesday, April 11, 2007

Microsoft Patch Releases

Generally, an intelligent entity is able to learn from not only its own mistakes but also from those it sees others make. An entity that keeps repeating the same mistakes over and over is deemed to be moderately unintelligent.

Well in that case, Microsoft must be the dumbest company on the face of this planet (and probably quite a few others). Not only have they once again released a Service Pack for a Windows NT-based operating system that breaks networking on many machines (Windows Server 2003 SP2 this time, Windows NT 4 Service Pack 2 last time), but they have released a second patch for their Animated Cursor component in Windows (obviously, critical in any Server is an animated cursor) and this time they have followed in their long established path of releasing a broken patch that almost immediately needs a patch for the patch.

MS07-017 resulted in a great many machines worldwide failing to run properly and having error messages stating something similar to:

application_executable_name - Illegal System DLL Relocation
The system DLL user32.dll was relocated in memory. The application will not run properly. The relocation occurred because the DLL C:\Windows\System32\Hhctrl.ocx occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL.

This is because Microsoft broke their patch and then tried blaming Realtek for the issue. As proof that it was a Microsoft issue, more applications have the same issue with this new MS07-017 patch. As further proof of the origin of the issue, Microsoft have released a new Windows XP Update to address the issues they created by not testing MS07-017 properly before releasing it.

I have a few issues with this patch (in particular) and Microsoft patching practice in general.

1. Why does a Windows Server have an animated cursor component? Is this a critical OS component? No. Is this something that should ever, for any reason be installed on any server? No. Then why does Microsoft ship it as a part of their Windows Server family? Secure By Design - I think not!

2. If this were a highly critical patch (as it is) that was only recently discovered and reported to Microsoft and it was in a critical component of the OS (see my previous point), then one *may* be able to give a little leniency to Microsoft. In this case, that is not what happened. On 22 October 2004 (yes, that's 2.5 years ago) this vulnerability was reported to Microsoft. They willingly did nothing about it. That is called "responsible disclosure" on the part of Cesar Cerrudo, the person who found the vulnerability.

Then on 7 November 2006 - over 2 years after Cesar originally reported this vulnerability to Microsoft - Cesar got sick of waiting for Microsoft to perform their corporate responsibilities and made the details of the vulnerability public. That is STILL called "responsible disclosure" on the part of Cesar - over 2 years for Microsoft to address a highly critical vulnerability in a default Windows component is simply "corporate apathy".

So, what did Microsoft then do? If you guessed "they jumped into action" then you'd be sadly mistaken. If you guessed "they did their absolute best impersonation of a statue" then you win the prize. That's right - Microsoft continued to not make history and remain apathetic towards this vulnerability. That's security the Microsoft way.

On 29 January 2007 (that's 27 months - well over 2 years since the vulnerability was originally reported to Microsoft) an exploit for this vulnerability was released by Joel Eriksson. It then took Microsoft over 9 weeks to release the MS07-017 patch to this 2 and a half year old vulnerability.

Which part of "Secure by design, secure by default" does this lax behavior fit into? Does it even fit into "Secure by deployment"? No, there is no security consideration in any of this. Microsoft totally (again) dropped the ball.

3. When Microsoft belatedly released a patch for this vulnerability, they broke it and then blamed a number of 3rd parties for the issues they created. That's appalling. Again, the corporate apathy present in Microsoft - thanks to Steve Ballmer who is at its helm right now - is what's letting them down. They need to realize that security is important to us, even if it isn't really that important to them. And as we are their customers (they sure don't treat us like clients), then we DO matter to them, as without us, they have no income.


So, all up, I have to express my disgust, once again, in Microsoft's mishandling of another patch release. Don't get me started on Windows Server 2003 SP2...

Regards,

The Outspoken Wookie