maskenfreiheit
Dec 30, 2004
.

maskenfreiheit fucked around with this message at 21:29 on Apr 28, 2019


Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe

Scaevolus posted:

Don't use strncmp to verify the signature. :v:

If you follow this advice, you're better than Nintendo.

shrughes
Oct 11, 2008

(call/cc call/cc)

peepsalot posted:

Got a crypto question.

ShoulderDaemon was right when he said you are not capable of this. Listen to him and use an existing library.

peepsalot posted:

I know that typically a signature is done by making a hash of the message and then signing that hash, but for my case I would much rather sign the entire message if at all possible.

What you want is a security hole. (It depends on the precise implementation, but for many reasonable-looking ways of implementing this, it is a security hole.)

If you were told why, you'd feel more confident about rolling your own crypto, so let's not go there.

Also, don't listen to what Scaevolus says. He does not yet have the fear of God in him. (Really his post is just adorable. He told you to "use AES".)

shrughes fucked around with this message at 08:24 on Apr 20, 2012

Carthag Tuek
Oct 15, 2005

Tider skal komme,
tider skal henrulle,
slægt skal følge slægters gang



GregNorc posted:

1 problem: I am on OSX. No rename tool, hence trying to write my own.

Edit: Checked macports too, no luck.

I know you found the solution, but rename is a perl script, so for future reference you can get it on CPAN:

http://search.cpan.org/~rmbarker/File-Rename-0.06/rename.PL

Install with perl -MCPAN -e 'install File::Rename' (might need sudo depending on your setup).

tef
May 30, 2004

-> some l-system crap ->

shrughes posted:

ShoulderDaemon was right when he said you are not capable of this. Listen to him and use an existing library.

I'd be tempted to recommend djb's nacl http://rdist.root.org/2009/07/14/nacl-djbs-new-crypto-library/ but i've had no first hand experience with it

Vaginal Engineer
Jan 23, 2007

shrughes posted:

ShoulderDaemon was right when he said you are not capable of this. Listen to him and use an existing library.

To add to this, there's no reason to use public key crypto here, since peepsalot seems fairly confident that the key won't be able to be extracted from the device. In that case they should use a standard implementation of an authenticated encryption protocol. In the library tef posted this is referred to as "secret-key authenticated encryption".

Johnny Cache Hit
Oct 17, 2011
Hi all - I've got a project I've been kicking around for a while & need some advice.

I have a tool developed to scrape loosely structured public record websites & poke the information I get into a defined structure. This process works well, but a lot of the sites aren't careful about ensuring the records are complete & well-formed.

So I'm working on a tool to analyze the data I'm pulling out. I've made the first part, which is basically a scoring component that says "this many points for having an address, this many points for having an identifier defined, etc."

What I want to do now, though, is to introduce a process that does something meaningful with those scores over time. I've observed that some of the sites I scrape are consistently really good at putting in data, and some others are consistently really bad. My first thought was applying some sort of Bayesian inference to let me know that getting a score of 0.5 from site A is no problem because their data is poo poo, but getting a score of 0.8 from site B is really weird because they're consistently awesome.

Is that a decent approach? Does anyone have suggestions/thoughts for a general approach other than that?

No Safe Word
Feb 26, 2005

GregNorc posted:

Thanks, that is fine... I can list the directories on one hand, just lots of files in them, easy enough to cd a few times and run it.

You could use find instead, as it recurses subdirectories.

Untested, but something like this should work
code:
find . -type f -print0 | xargs -0 -I file mv "$file" "test_$file"

ToxicFrog
Apr 26, 2008


No Safe Word posted:

You could use find instead, as it recurses subdirectories.

Untested, but something like this should work
code:
find . -type f -print0 | xargs -0 -I file mv "$file" "test_$file"

Apart from the obvious error there, it still runs into problems because -print0 emits the entire pathname (including a leading ./ if the file is in pwd).

So this happens:
code:
ben@thoth ~/bin $ find . -type f -print0 | xargs -I:: -0 echo mv :: test_::
mv ./git-find-large test_./git-find-large
mv ./mua test_./mua
mv ./st test_./st
mv ./backup test_./backup
Which is not at all what you wanted.

There may be a better way to do this, but at this point I generally do something like this:

code:
# IFS= and -r keep leading/trailing whitespace and backslashes in file names intact
find . -type f | while IFS= read -r file; do
  mv -- "$file" "$(dirname "$file")/prefix_$(basename "$file")"
done

Munkeymon
Aug 14, 2003

Motherfucker's got an
armor-piercing crowbar! Rigoddamndicu𝜆ous.



GregNorc posted:

1 problem: I am on OSX. No rename tool, hence trying to write my own.

Edit: Checked macports too, no luck.

This is the script I use on my Solaris system: http://dl.dropbox.com/u/1468816/mv.pl

I didn't write it (I'd have used Python) and I don't remember where I found it, but it works pretty well.

peepsalot
Apr 24, 2007

        PEEP THIS...
           BITCH!

Vaginal Engineer posted:

To add to this, there's no reason to use public key crypto here, since peepsalot seems fairly confident that the key won't be able to be extracted from the device.
You misunderstand me.
The purpose of this effort would be:
1. If some hacker wants to read/disassemble my firmware, they're gonna have to crack open the device and get through the potting without damaging the circuit and probe some pins. I have no doubt a talented person could do such a thing, but I'm not going to just hand them firmware updates in plaintext.
2. Assuming they do get the plaintext firmware/key directly off the chip, they should still not be capable of creating any hacked version of the firmware that a default firmware would accept as an update (it needs to be signed). With symmetric keys, it would be trivial to make hacked firmwares once they have the key and just share them over the internet for other users to install with a completely non-physically-invasive method.

By the way this is a one-way communication. The embedded device is not communicating directly with any server to do any kind of handshaking. They have to download the firmware update file via PC, then load that onto the device via USB.

Scaevolus
Apr 16, 2007

shrughes posted:

Also, don't listen to what Scaevolus says. He does not yet have the fear of God in him. (Really his post is just adorable. He told you to "use AES".)

Yeah I should have edited it and just quoted ShoulderDaemon.

rolleyes
Nov 16, 2006

Sometimes you have to roll the hard... two?

peepsalot posted:

:words:

Encrypt firmware using symmetric encryption and then use asymmetric encryption to sign the encrypted firmware. That way if someone does gain physical access to your chip then yes they can decrypt the firmware but they still can't create their own, because they won't have your private key and therefore can't produce a valid signature.

And yeah, nth-ing everyone who has said don't roll your own. Find existing implementations of standard algorithms which will work on your platform and use those. Even if you try to implement, say, RSA yourself chances are there will be vulnerabilities you haven't thought of. Rolling your own custom algorithm from scratch wouldn't be a good idea, and anyone determined enough to break into your chip in the manner you've suggested would probably be able to break it or know someone who could.

ShoulderDaemon
Oct 9, 2003
support goon fund
Taco Defender

rolleyes posted:

Encrypt firmware using symmetric encryption and then use asymmetric encryption to sign the encrypted firmware. That way if someone does gain physical access to your chip then yes they can decrypt the firmware but they still can't create their own, because they won't have your private key and therefore can't produce a valid signature.

And yeah, nth-ing everyone who has said don't roll your own. Find existing implementations of standard algorithms which will work on your platform and use those. Even if you try to implement, say, RSA yourself chances are there will be vulnerabilities you haven't thought of. Rolling your own custom algorithm from scratch wouldn't be a good idea, and anyone determined enough to break into your chip in the manner you've suggested would probably be able to break it or know someone who could.

I am seriously crying over here, so I'm going to go on a little rant.

You shouldn't "encrypt firmware using symmetric encryption and then use asymmetric encryption to sign the encrypted firmware." That is, as it happens, underspecified and almost certainly insecure. At the very least, you need to worry about proper IV management, appropriate padding (both generating it and checking it), and for this case you probably have the encryption and signing steps backwards. And while it's admirable to want to learn about cryptography, I'm going to quote shrughes, "If you were told why, you'd feel more confident about rolling your own crypto, so let's not go there." The appropriate place to learn the details of why your protocol doesn't work is a university class or a directed discussion with a group of professional cryptographers.

Even then, whatever protocol you settle on is likely to be insecure. I've done this sort of protocol design a lot, and I wouldn't trust anything I wrote until I'd thought about it for a month and had at least 3 or 4 other professional cryptographers I trust do the same. Not a single cryptographer I know would claim to be able to make a secure sign-and-encrypt protocol on their own, without cribbing from some existing protocol like CMS.

Designing secure cryptographic protocols is really incredibly hard, and it's extremely easy to make very subtle mistakes. DON'T DESIGN YOUR OWN CRYPTOGRAPHIC PROTOCOLS! If you want to share public keys, use X.509. If you want to share encrypted or signed messages, use CMS or PKCS#7 or S/MIME. If you want to have a live conversation, use TLS or SSL. If you want to have distributed trust, use OpenPGP. All of these protocols are well-studied, have free open-source implementations, and cover a huge space of usecases. In the incredibly unlikely event that none of them do what you want, you are probably best off actually hiring a cryptographer to professionally design a protocol for you and arrange for it to be audited by reliable members of the community.

And honestly, even if you "don't care" if your application is "really secure", it's still easier to just say "oh, this encrypted data is PKCS#7, see the RFC and use OpenSSL" instead of having to muck about with the details. Anyone who has to interoperate with your code will thank you. Anyone who uses your code and cares about security will thank you. Anyone who has to use your code years after you've abandoned it and wants to upgrade it to a modern cipher suite will thank you. Just use the standard protocols, it's easier for everyone involved.

"Don't roll your own" is about protocols far more than it is about cipher algorithms. With the algorithms, if you write your own you can at least check your results against well-known implementations very easily and, barring timing attacks and other side channels, be reasonably confident that you've done a good job. With protocols, there's literally no way that an amateur can look at their own work and determine if they've done a good job. Incredibly crappy protocols look identical to secure protocols in the eyes of an amateur. In many cases, amateurs will think a weak protocol is "more elegant" or "simpler" than a secure protocol and have no idea that the secure protocol was built that way for a very good reason. Seriously, people, don't do your own crypto. Please.

gwar3k1
Jan 10, 2005

Someday soon

Hammerite posted:

I am not sure you understand how setting timeouts works. If you want to set something up to happen in 5 seconds, say, then you create a timeout using setTimeout (specifying a time of 5000 milliseconds) and then you allow your function (the function in which you used setTimeout) to run to completion. When the timeout has run its course, your function will get called, spontaneously, by the JavaScript engine.

If you want a nice-looking, smooth animation on the other hand, I think it's easiest to use what jQuery offers you.

I made this thing last year for an event I was involved in, it is more complex than is needed for an example but you might find it interesting to look at.

Thanks! So are you effectively queuing up animation functions with doTimeout and incrementing animationStep? The timeoutHandler executes the necessary code after each timeout delay, but the original code from the button press has already completed.

Hammerite
Mar 9, 2007

And you don't remember what I said here, either, but it was pompous and stupid.
Jade Ear Joe

gwar3k1 posted:

Thanks! So are you effectively queuing up animation functions with doTimeout and incrementing animationStep? The timeoutHandler executes the necessary code after each timeout delay, but the original code from the button press has already completed.

Yes. Depending on what stage in the animation the document is in. It's a while since I wrote it, but basically timeoutHandler() is the function that controls the state of the document and makes sure that things happen "in the right order".

I just realised (and I don't know why I didn't realise it before, I'm honestly not trying to show off) that I actually have a much simpler example of the use of timeouts, that would have been much more appropriate to link you to: (albeit "intervals" rather than "timeouts")

http://orderofthehammer.com/redirect.js

This allows the creation of a page that redirects the user after a countdown. Every second the counter in the page body text and the counter in the page title are decremented, and when they reach zero a thing happens. redirect_begin() is supposed to be called once the page loads. See how the last thing that happens is that it calls setInterval(), and then it gives up control to the JavaScript engine. The JavaScript engine does its job and calls redirect_countdown() every second afterwards, until it is told to stop by code in the conditional block within redirect_countdown().

tef
May 30, 2004

-> some l-system crap ->

ShoulderDaemon posted:

I am seriously crying over here, so I'm going to go on a little rant.

It's ok, :glomp:, we've all been there.


quote:

Seriously, people, don't do your own crypto. Please.

I've had 'GPG for data at rest. TLS for data in motion' drilled into my head for a while.

ShoulderDaemon
Oct 9, 2003
support goon fund
Taco Defender

tef posted:

It's ok, :glomp:, we've all been there.

Thanks. It's just sort of infuriating to see people say "don't do your own crypto" and then immediately proceed to do their own crypto.

tef posted:

I've had 'GPG for data at rest. TLS for data in motion' drilled into my head for a while.

That's an excellent rule for common use. The only real complaint I have with OpenPGP is that the common implementation of it (GPG) doesn't exist on a lot of constrained or embedded platforms, and is harder to interoperate with than it really should be. CMS and PKCS#7 are equally good for "data at rest" if you don't need the distributed trust web that OpenPGP provides, and have high-quality implementations in OpenSSL and from many other vendors like Microsoft and Oracle, which makes them much simpler to use for many users.

Hammerite
Mar 9, 2007

And you don't remember what I said here, either, but it was pompous and stupid.
Jade Ear Joe
What is a good strategy for creating tests for pieces of software that you have written? I created a script to test out the functionality of a small piece of software I wrote for my own use. In the process of writing and running the tests I actually found and fixed a few bugs that I did not know were in the code, as well as making one or two tweaks to functionality. This of course is quite gratifying, because it means that the code is closer to being free of bugs and that the time spent doing the testing has paid off, but the tests (now all passing) are just what I thought up, just a few experiments that seek to test that various possible eventualities are handled correctly. What if there are still loads of bugs I didn't think of?

pokeyman
Nov 26, 2006

That elephant ate my entire platoon.
Take off your dev hat and start trying to break your own code. Do stupid poo poo. Stuff that makes no sense. When you manage to do something you shouldn't be able to do, there's your next test to write.

There will be loads of bugs you didn't think of. That's what other people are for. And other people can include you one year later.

I don't know if this is a good strategy but it's what's worked best for me so far. It's hard because I know how the code's supposed to be used. Purposely abusing it can be difficult.

Opinion Haver
Apr 9, 2007

If you just want to test a single function, fuzz testing can be good. Like, if you want to test a sort() function, generate random lists, run them through sort(), and verify that they're sorted.

tef
May 30, 2004

-> some l-system crap ->

Hammerite posted:

What if there are still loads of bugs I didn't think of?

There are normally loads of bugs you didn't think of. Testing cannot prove the absence of bugs, only their existence.

Fuzzing is a good approach, and depending on your language, you may be able to use a QuickCheck like approach - http://en.wikipedia.org/wiki/QuickCheck - in which you specify the properties, and it generates a whole slew of test cases automatically.
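The random-input testing suggested in the two posts above, as an added example (not code from any poster): a small QuickCheck-style checker that generates random lists, tests a property of the sort's output, and shrinks a failing input to a minimal one. The deliberately broken `buggy_sort`, the property functions and the shrinking step are constructed for illustration; the point it shows is that checking only "is the output sorted" misses a sort that silently drops duplicates.

```python
import random
from collections import Counter


def is_ordered(xs):
    """True when every element is <= its successor."""
    return all(a <= b for a, b in zip(xs, xs[1:]))


def prop_sorted_only(inp, out):
    """Weak property: the output is in order (says nothing about its contents)."""
    return is_ordered(out)


def prop_sorted_permutation(inp, out):
    """Strong property: in order AND exactly the same elements as the input."""
    return is_ordered(out) and Counter(inp) == Counter(out)


def buggy_sort(xs):
    """Deliberately wrong sort, constructed for this example: loses duplicates."""
    return sorted(set(xs))


def shrink(sort_fn, prop, failing):
    """Greedily drop one element at a time while the property still fails."""
    current = list(failing)
    progress = True
    while progress:
        progress = False
        for i in range(len(current)):
            candidate = current[:i] + current[i + 1:]
            if not prop(candidate, sort_fn(list(candidate))):
                current = candidate
                progress = True
                break
    return current


def fuzz(sort_fn, prop, trials=200, seed=1234):
    """Return a minimal counterexample list, or None if every trial passed."""
    rng = random.Random(seed)  # fixed seed so a failure can be reproduced
    for t in range(trials):
        # Lengths cycle 0..15 over only 9 distinct values, so empty lists,
        # single elements and lists with repeated values are all exercised.
        data = [rng.randint(-4, 4) for _ in range(t % 16)]
        if not prop(data, sort_fn(list(data))):
            return shrink(sort_fn, prop, data)
    return None


if __name__ == "__main__":
    print("sorted / strong property:", fuzz(sorted, prop_sorted_permutation))
    print("buggy  / weak property:  ", fuzz(buggy_sort, prop_sorted_only))
    print("buggy  / strong property:", fuzz(buggy_sort, prop_sorted_permutation))
```

Every failing input found this way is a candidate for a permanent regression test.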

Hammerite
Mar 9, 2007

And you don't remember what I said here, either, but it was pompous and stupid.
Jade Ear Joe

yaoi prophet posted:

If you just want to test a single function, fuzz testing can be good. Like, if you want to test a sort() function, generate random lists, run them through sort(), and verify that they're sorted.

It's a class. Although I made it for my own use, I uploaded it here.

qntm
Jun 17, 2009

Hammerite posted:

What is a good strategy for creating tests for pieces of software that you have written?

Huge books have been written about sound testing, but the basic approach is to start thinking like an extreme pessimist and/or mathematician. Assume that every user of your code knows every line and exactly how to break it and is deliberately trying to break it. Get into the mindset that if a function or script doesn't return the correct result (or fail with the correct error) for every possible combination of inputs, it doesn't work. Then start thinking about edge cases. "What if the program I'm trying to run is literally called %PATH%.exe?"

After a while you will start to see aspects of parts of your program which make it easier or harder to test confidently. At that point, you can start writing future programs to be testable, making all of the above easier.

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe
Regression tests are another good test category: every time you find a bug, you write a test to make sure that the bug doesn't come back when you make a fix. This is a natural way to grow tests over time, and be surer about the correctness of your code.

If your code isn't testable (not all code is), maybe you should refactor it a bit before attempting to test it. If you have a lot of responsibilities in one method or class (a view that might do some validation on an incoming form, create a model, send out an email and render a template), consider breaking each responsibility into its own method so that each part can be tested correctly when given appropriate input. You might split off the email-generating code, it gets passed the created model and the current user's email address, and the test would be to make sure that the correct email is generated.

mahill
Dec 29, 2006
Stupid CUDA question here...

If you buy a video card that advertises [x] CUDA processors, do you have all of those processors available to you, or do you have fewer when it is trying to display video as well? My instinct says the latter, but I'm completely new to it. Thanks.

Jewel
May 2, 2009

Say I wanted to look at specific incoming packets, and use them in a program, how would I go about catching the packets and figuring out what's what?

For example, say I wanted to make a program that could intercept the packet on Steam that tells when someone is typing to you, and display a notification to me. Is this possible? I'm clouded almost completely in regards to packets and networking, so I want to know about stuff like this, because I find it intriguing!

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe

Jewel posted:

Say I wanted to look at specific incoming packets, and use them in a program, how would I go about catching the packets and figuring out what's what?

The standard packet capturing library is called pcap. pcap has been ported to the Windows socket APIs, and it's appropriately named WinPcap. All it does is capture the raw bytes sent by your Ethernet card, and give you an API to grab them.

Programs like Wireshark can take these packets, dump them to files, or interpret them in certain ways (it can recognize an HTTP header and mark something as an "HTTP packet").

Jewel posted:

For example, say I wanted to make a program that could intercept the packet on Steam that tells when someone is typing to you, and display a notification to me. Is this possible? I'm clouded almost completely in regards to packets and networking, so I want to know about stuff like this, because I find it intriguing!

Any packet intercepting program would have to run as an administrator, because of the securities that Windows (and other operating systems) have in place.

Note that a lot of the Steam APIs have already been reverse engineered. Open Steamworks was clean-room reverse engineered, and gives you access to the "Steamworks API" without buying it from Valve. It might be easier to use the Steam Friends API in OpenSteamworks rather than using a packet scraper.

tef
May 30, 2004

-> some l-system crap ->

Jewel posted:

Say I wanted to look at specific incoming packets, and use them in a program, how would I go about catching the packets and figuring out what's what?

For example, say I wanted to make a program that could intercept the packet on Steam that tells when someone is typing to you, and display a notification to me. Is this possible? I'm clouded almost completely in regards to packets and networking, so I want to know about stuff like this, because I find it intriguing!

I'm unsure if this was your intention, but this is the best example of the x-y problem i've seen in a while.

Jewel
May 2, 2009

tef posted:

I'm unsure if this was your intention, but this is the best example of the x-y problem i've seen in a while.

Well yeah, I guess~ I just don't know exactly the terminology nor what I was supposed to be looking for, so I asked in a vague way! Also it wasn't just for steam, I wanted to know if there was an easy way to intercept packets in general for lotsa stuff, steam was just the current example!

tef
May 30, 2004

-> some l-system crap ->
It's ok, I just like the idea of trying to interface with steam by packet sniffing :3:

Henry Black
Jun 27, 2004

If she's not making this face, you're not doing it right.
Fun Shoe
I'm probably being retarded, but how can I rename a set of files, keeping just the first three characters and deleting everything else?

My attempts using cut and sed and regex all result in failure :downs:

ShoulderDaemon
Oct 9, 2003
support goon fund
Taco Defender

LittleBob posted:

I'm probably being retarded, but how can I rename a set of files, keeping just the first three characters and deleting everything else?

My attempts using cut and sed and regex all result in failure :downs:

rename '$_ = substr $_, 0, 3' *

You should probably run it with -n first before you run it for real. Depending on your system, the rename command might be called prename.

Hammerite
Mar 9, 2007

And you don't remember what I said here, either, but it was pompous and stupid.
Jade Ear Joe

LittleBob posted:

I'm probably being retarded, but how can I rename a set of files, keeping just the first three characters and deleting everything else?

My attempts using cut and sed and regex all result in failure :downs:

I don't know how to answer your question. But you have considered the possibility that the truncated names will include duplicates, right? For example two files might be named readme.txt and really-big-wieners.jpg. You might need to be more clear what you want to happen if a duplicate filename arises (do you want to destructively overwrite the old file, or...?)

Rocko Bonaparte
Mar 12, 2002

Every day is Friday!

Hammerite posted:

What is a good strategy for creating tests for pieces of software that you have written? I created a script to test out the functionality of a small piece of software I wrote for my own use. In the process of writing and running the tests I actually found and fixed a few bugs that I did not know were in the code, as well as making one or two tweaks to functionality. This of course is quite gratifying, because it means that the code is closer to being free of bugs and that the time spent doing the testing has paid off, but the tests (now all passing) are just what I thought up, just a few experiments that seek to test that various possible eventualities are handled correctly. What if there are still loads of bugs I didn't think of?
I am intending to do a little talk at work about this soon so I've been thinking about this. There are a few things to do easily as an individual:

1. Write enough tests to try to touch as many code paths as possible. So think of your program and all the if's and else's and whatnot, and try to hit them all across different tests.
2. Document your functions and classes--or whatever is in your language. Sometimes you find out while documenting that what you're trying to say it does doesn't jibe up with how you recall you wrote it.
3. Use mock helpers to further explore the code and generate dummy sequences so you can test interaction.
4. Have the mock helpers deliberately and tactfully fall on their asses to test error recovery.
5. Resource management: Verify setup and especially cleanup. Files should be closed and memory should be freed. It is not enough that the main outcome was completed. You should not have secondary artifacts. Think of it as "if I stopped using this resource then I should prove I really did stop using it."
6. Load testing. If it can do it once, and it can do it twice, try a thousand times. Try it with slightly different sets.
7. Input. Verify internal state matches input files.
8. Evil testing. As mentioned later. IMO after doing the rest you start to fill your mind with an increasing, vicious despair and can start putting your code on its rear end with only a little effort. It's hard to think that way at first but after you've been there and done that with the rest it'll be a casual experience.

ZanderZ
Apr 7, 2011

by T. Mascis
I'm writing my first registration page/database in HTML, PHP and SQL, using phpMyAdmin as a database interface.

I'm looking for a resource I can use to check the database to make sure the user's username and email address are authentic, so the user can't create an account with a username/email address that already exists inside the database.

I don't even know where to start. I'm assuming I have to write an SQL query to do this? I'm trying to stay away from tutorials on how to create a user account system, because I'd rather grunt it out the hard way and have the information actually stick.

spiritual bypass
Feb 19, 2008

Grimey Drawer
Yes, you'll want to SELECT a row from where you keep your users and see if there's any with that email and password. If there's no rows, you're in good shape to make a new user. If there's one row, they're already registered. If there's more than one, you've got problems!

Janitor Prime
Jan 22, 2004

PC LOAD LETTER

What da fuck does that mean

Fun Shoe

rt4 posted:

If there's more than one, you've got problems!

:bang:
There should never be more than 1 unique entry in your table if that's the intended logic. Two users can submit the form at the same time with the same username, and the select query will return that there are no users with that username to both of them, then proceed to insert them.

Validations are good but it's not enough as you are open to race conditions like the one I just pointed out. You still need to enforce that the database only inserts unique entries by setting a Unique constraint on the columns.
code:
ALTER TABLE users ADD CONSTRAINT unique_username UNIQUE (username);
ALTER TABLE users ADD CONSTRAINT unique_email UNIQUE (email);

Hammerite
Mar 9, 2007

And you don't remember what I said here, either, but it was pompous and stupid.
Jade Ear Joe

MEAT TREAT posted:

:bang:
There should never be more than 1 unique entry in your table if that's the intended logic. Two users can submit the form at the same time with the same username, and the select query will return that there are no users with that username to both of them, then proceed to insert them.

Validations are good but it's not enough as you are open to race conditions like the one I just pointed out. You still need to enforce that the database only inserts unique entries by setting a Unique constraint on the columns.
code:
ALTER TABLE users ADD CONSTRAINT unique_username UNIQUE (username);
ALTER TABLE users ADD CONSTRAINT unique_email UNIQUE (email);

Yes, get the database to help you where it can. Use uniqueness constraints. Use foreign keys. Use transactions. If you are using MySQL, put it in traditional mode.
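The race described in the posts above, as an added example that is not part of the original thread: a deterministic replay of two registration requests that both run the SELECT check before either one inserts, first without and then with uniqueness enforced by the database. It assumes Python's sqlite3 in place of the thread's MySQL (unique indexes stand in for the ALTER TABLE constraints); the table layout, function names and sample users are constructed for the demonstration.

```python
import sqlite3


def make_db(with_unique_constraint):
    """In-memory users table (schema constructed for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    if with_unique_constraint:
        # SQLite has no ALTER TABLE ... ADD CONSTRAINT; a unique index
        # enforces the same rule as the constraints quoted in the thread.
        db.execute("CREATE UNIQUE INDEX unique_username ON users (username)")
        db.execute("CREATE UNIQUE INDEX unique_email ON users (email)")
    return db


def name_is_free(db, username, email):
    """Application-level validation: the check-before-insert SELECT."""
    row = db.execute(
        "SELECT 1 FROM users WHERE username = ? OR email = ?",
        (username, email),
    ).fetchone()
    return row is None


def insert_user(db, username, email):
    """Return True if the row was stored, False if the database refused it."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                "INSERT INTO users (username, email) VALUES (?, ?)",
                (username, email),
            )
        return True
    except sqlite3.IntegrityError:
        # The constraint is the only place the duplicate is reliably caught.
        return False


def simulate_race(with_unique_constraint):
    """Replay the bad interleaving: both requests check, then both insert."""
    db = make_db(with_unique_constraint)
    request_a = ("alice", "alice@example.test")  # constructed sample data
    request_b = ("alice", "other@example.test")  # same username, same moment
    # Step 1: both requests validate before either has written anything.
    checks = [name_is_free(db, *request_a), name_is_free(db, *request_b)]
    # Step 2: each request that passed validation goes on to insert.
    inserted = [
        insert_user(db, *req)
        for req, passed in zip((request_a, request_b), checks)
        if passed
    ]
    rows = db.execute(
        "SELECT COUNT(*) FROM users WHERE username = 'alice'"
    ).fetchone()[0]
    return checks, inserted, rows


if __name__ == "__main__":
    print("validation only:      ", simulate_race(False))
    print("validation + UNIQUE:  ", simulate_race(True))
```

In the second run the losing request gets an integrity error from the database, which the application should report as "name already taken" rather than as a server fault.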


The Gripper
Sep 14, 2004
i am winner

Jewel posted:

Well yeah, I guess~ I just don't know exactly the terminology nor what I was supposed to be looking for, so I asked in a vague way! Also it wasn't just for steam, I wanted to know if there was an easy way to intercept packets in general for lotsa stuff, steam was just the current example!
If you actually just want to play around with packets, then what Suspicious Dish said is pretty much the norm (wpcap etc.). If you're using .NET then SharpPcap can pretty much do what you need almost out-of-the-box, by just making changes to the example code like this example. You'd need to set a proper filter to not see all traffic, the test filter I used (from the Steam "required ports" document) was:
code:
device.Filter = "udp portrange 27000-27015 or udp portrange 27015-27030 or tcp portrange 27014-27050 or udp port 4380";
I couldn't tell you if Steam's server->client traffic is encoded/encrypted (for Chat, anyway) so even with the packets captured you might need to do some extra work to figure out if the packet is a message, and what the message is. Also the filter above is incomplete and should probably only look for incoming data from a Steam IP.

And as a note, this example is purely read-only, you won't be able to craft your own data to send messages or anything like that (and you're probably better off using the Steamworks API if that is necessary, as someone above mentioned).

Edit; writing this made me realise intellisense is broken in my vs11 install, and that I am literally unable to do the simplest things without it.

The Gripper fucked around with this message at 22:40 on Apr 23, 2012
