[Update, several hours after posting this: after trying this out a few more times, the password Z/Y problem is NOT gone. It is still reproducible. But Vista still does not accept a DHCP offer from my router unless it wants to do something devious, as described below.]
The absolute weirdest thing happened yesterday… almost as weird as the time, back in 1994, when i fdisk’d and formatted a hard drive under OS/2 and, after rebooting, everything was still on the disk.
A few days ago i published a blog entry about how my copy of Windows Vista (or, put differently, my platform for running Starwars Battlefront) accepts incorrect passwords at its login screen. Now comes the weird bit…
In the 3 months i’ve had the machine, i have tried at least 20 times to get Vista to connect to my WLAN, and it always refused. That means my Vista has only once been online, when i tested with a LAN cable shortly after i bought the PC (our puppy ate the cable a few days later). I have a mobile phone, a Nintendo Wii, and a total of 5 PCs/laptops with 3 different OSes (*buntu Linux, OpenSolaris, and my work-provided laptop with WinXP), all of which connect without problems to the WLAN (including Kubuntu on the same machine as Vista), but Vista just refuses. Every time i start Vista (to play Battlefront, of course) it bugs me with “cannot connect to download updates” messages. It sees the network, but simply cannot get an address over DHCP… until yesterday.
WHILE i was playing Battlefront… WHILE i was playing… my game suddenly died, unceremoniously. (Did i mention that i was playing Battlefront, my all-time favourite video game, at the time?) “What the foo?!?” i shouted, as the game has never, in all of my time playing it, crashed on me. Then the answer came directly from Microsoft - i was presented with a Vista screen saying, “Installing updates 2 of 3…”. It frigging KILLED my game to run updates! The observant reader will ask, “but how on gaia did it get the updates if it cannot connect to the network?” Indeed, how? While i was playing, it “somehow” connected, downloaded 3 updates, and rebooted my machine (without asking, thank you very frigging much again you fu**ing fu**s from Microsoft). (In my philosophy, rebooting a machine is quite possibly the rudest thing you can do to it, and rebooting is not something i do unless necessary (e.g. to start Vista to play Battlefront ;).)
After the reboot, i had a strange gut feeling (a “disturbance in the Force”, if you will, probably brought on by too much Battlefront), and immediately tried out the Z/Y mismatch bug (the one i documented a few days ago). Vista no longer accepts it. That is, it now appears to not accept an incorrect password.
It’s as if… as if… someone from Microsoft read my post, hacked my Vista (but not over the net, since my Vista cannot connect to the network), and uploaded a patch to discount my report of a security hole. Of course, i don’t for a minute believe that that really happened. (Aside from being patently absurd, history has shown it to be impossible for MS to react to bugs so quickly.) But the timing is absolutely uncanny. I had even, earlier in the day, tested the bug again to try out a suggestion made by a blog reader, and i’m 100% certain that it worked (as in, my bug report was valid) before this black-ops update.
And will Vista now connect to my WLAN? I thought for a moment that the upside was that i could now get online and download the latest patches for Battlefront (yeah, i’m addicted to it - it’s just emotionally satisfying to play the part of a Starwars action figure and go blasting bad guys). Wrong… the connection was a one-time thing. It managed to connect one time, download updates, and then (as before) refuses to accept an address over DHCP from my router.
So let’s see what happens now. If history repeats itself, Vista might just somehow read my mind, or this blog post, magically download some update for my NIC, and start working with my WLAN. Now if it would only read my mind when i click a .exe and stop frigging asking me if i was the one who clicked it.
i never thought the day would come that i, one of the least security-conscious people in the world, would report a Windows security flaw. The fact is - Windows Vista appears to try multiple variants of a password if the first one doesn’t match, at least when it is configured to use multiple keyboard layouts.
Here are the facts:
i have, on a newly-bought PC, a copy of Vista. It doesn’t do much except run Starwars Battlefront (it refuses to connect to my wireless network, even though my mobile phone, my Wii, and 3 other computers will, which means it’s just a brick which happens to run Starwars Battlefront). My keyboard is set up to switch between German and English (it’s a German Vista, but i type using a U.S. keyboard layout).
My login password for Vista has a ‘y’ in it, and anyone who uses English and German keyboards knows that the ‘y’ and ‘z’ characters are switched on those two layouts. That is, on a German keyboard, the ‘z’ is where the ‘y’ is on an English keyboard, and vice versa. The Windows login screen allows you to change the keyboard, just for the case that your password contains characters not available under the current keyboard.
When i type in my password i always assume an English layout (a long-time habit), even though Windows defaults to a German layout (because it’s a German Windows). Vista accepts my password, typed in with an English layout, even though the password cannot match when a German layout is enabled (because the ‘y’ is no longer a ‘y’). In fact, it doesn’t matter whether or not i explicitly switch the layout to German or English - it accepts the password either way.
Here’s how to try it at home:
a) Set up your Windows to allow keyboard layout switching. For the example, German/English.
b) Change your password to something containing a ‘y’.
c) Go to the login screen and make sure the keyboard layout is set to German.
d) Now enter the password AS IF it was set to an English layout.
Windows will (at least on my system) accept it, even though the password is incorrect. i’ve verified this on my setup at least five times. This “feature” is probably “a convenience to the user”, but it seems odd that they would add such a convenience, and then continually bombard the user with inconvenient “are you sure YOU clicked that .exe file?” dialogs.
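The y/z swap from steps a) to d), modelled as an added example (not code from the original post, and not Windows' actual login logic). The sample password, the function names and the `verify_layout_tolerant` verifier are assumptions; the latter only models the post's guess that more than one variant is tried, next to a strict verifier that rejects the swapped string.

```python
import hashlib
import hmac
import os

# Same physical keys, different characters: only the y/z pair from the post
# is modelled here; the real US and German layouts differ on many more keys.
SWAP_YZ = str.maketrans("yzYZ", "zyZY")
ITERATIONS = 100_000  # assumed PBKDF2 work factor for the demo


def typed_under_german(intended_us):
    """String that arrives when keys are pressed as if the layout were US
    while the German layout is the active one."""
    return intended_us.translate(SWAP_YZ)


def make_record(password):
    """Store a salted PBKDF2 hash instead of the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_strict(record, attempt):
    """Accept only the exact character sequence that was enrolled."""
    salt, stored = record
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, stored)


def verify_layout_tolerant(record, attempt):
    """Hypothetical verifier: also tries the attempt re-mapped through the
    other layout, so two different strings unlock the same account."""
    return verify_strict(record, attempt) or verify_strict(
        record, attempt.translate(SWAP_YZ))


def demo():
    record = make_record("mykey-2007")          # constructed sample password
    attempt = typed_under_german("mykey-2007")  # what the login box receives
    return attempt, verify_strict(record, attempt), verify_layout_tolerant(record, attempt)


if __name__ == "__main__":
    print(demo())
```
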
Yet one more reason why Vista makes me feel dirty all over.
PS: Your mouse has moved. You must restart Windows for the changes to take effect.
Seven days ago i started working on a new Qt4 application called QBoard (http://wanderinghorse.net/gaming/QBoard), which is basically a little brother to a much older, long-defunct project of mine called QUB. QBoard is a boardgaming application and, as such, it needs to save/load a diverse set of data types (game boards, pieces, entire games, widgets of various types…). And, of course, we use libs11n for that.
As it turns out, adding s11n support in conjunction with Qt has been less effort than i expected. It’ll save QString unicode strings, for example, something i expected would be very problematic. (S11n internally only uses std::string, which is ASCII.) It also supports 15 different QVariant types (another case i thought would be terribly problematic) and demonstrates how to serialize QGraphicsItems objects (amongst others).
For anyone wanting to work with Qt and s11n together, the code might be informative or useful as a starting point. It’s all available in the QBoard source repository: http://wanderinghorse.net/cgi-bin/QBoard.cgi
On a historical note: libs11n was originally conceived while working on QUB (mentioned above), where a co-developer wrote a vaguely similar serialization library based on Qt3. I wanted those features in other applications, but wasn’t satisfied with having to adopt the GPL (or tight Qt integration) for all of my projects. So a replacement became inevitable, and work began on libs11n with the express long-term intention of re-implementing QUB from the ground up. Now here we are, almost exactly 5 years later, and that’s finally happening. This time, however, thanks to advances in both Qt and serialization technologies, in one week i’ve been able to code nearly as many features as QUB got in its first year or two of existence.