|
canis minor posted:http://help.adobe.com/en_US/livecycle/11.0/DesignerScriptingRef/search.html?gsa=1&q=app Horror number two: redirecting to a different country's site when referrer is set. I followed a link, dammit, I want to go to the linked page!
|
# ? Aug 19, 2016 14:31 |
|
|
canis minor posted:http://help.adobe.com/en_US/livecycle/11.0/DesignerScriptingRef/search.html?gsa=1&q=app am I supposed to be seeing it writing "LifeCycle" over and over again e: it stopped after about 100 LifeCycles
|
# ? Aug 19, 2016 14:39 |
My favorite part is the GET to googleapis every time a LifeCycle is added
|
|
# ? Aug 19, 2016 17:09 |
|
Absurd Alhazred posted:I'm not getting into specifics, but any time I try to do something new using the Windows API, I feel like it's been written by a hardware vendor. This is such a weird thing to say. First of all, the OS wasn't written in 2016. That should be a big clue for you. Second, if you're using C#, you can write a huge number of apps without directly calling any Windows APIs at all. And if you were wanting to use the NEW new APIs, you can consume them in C# directly. So promoting C# for apps and also having OS APIs isn't a conflict.
|
# ? Aug 21, 2016 01:25 |
|
Yeah duh. It was written in 2014, get with the program
|
# ? Aug 23, 2016 15:21 |
|
Absurd Alhazred posted:It's 2016, you're the ones promoting C++ at the least, or C#/managed code more often than not; why the hell does your API read and write through pointers, giving me obtuse handles connecting to system objects I then have to keep around as parameters for future system calls? Windows, as a rule, doesn't provide utility libraries - there are utility libraries all over the place, but they're for Microsoft's private use, this way they can keep the public API minimalistic and stable while having a lot of freedom internally. There are very few exceptions to this, like the GDI+ C++ wrappers (which are in fact the official API, although GDI+ is a C API on the DLL boundary) and that general crypto library they added in Windows Vista
|
# ? Aug 23, 2016 15:52 |
|
"We should implement our own elliptical curve crypto and design our own hardware accelerator for it." What could go wrong?
|
# ? Aug 23, 2016 16:19 |
I think that even just discussing rolling your own crypto is a coding horror
|
|
# ? Aug 23, 2016 16:26 |
|
That's developer 101 poo poo right there, never ever roll your own crypto. Anyone that brings it up should be terminated on the spot. You can't even google the topic without getting a dozen links warning you not to try.
|
# ? Aug 23, 2016 16:45 |
|
But it will be more secure. You see, other crypto systems are known and open source, ours will be secret!
|
# ? Aug 23, 2016 17:08 |
|
ChickenWing posted:I think that even just discussing rolling your own crypto is a coding horror Yeah, when we did it for a class in university, the prof was really clear: "This assignment has you implement a cryptosystem as an exercise to make sure you understand the basics of how modern cryptosystems work; under no circumstances does this mean that you should ever code your own implementation of a cryptosystem for any real-world application."
|
# ? Aug 23, 2016 17:13 |
|
It will probably get assigned to me. I'm pretty drat good so don't fret. But really, yeah, bad idea. I talked to my manager and said all the usual problems, that I'm not qualified, and half-joked he was asking me to hang myself with an elliptical noose. "Who is? Ha ha! Don't worry kiddo!"
|
# ? Aug 23, 2016 17:20 |
|
xzzy posted:That's developer 101 poo poo right there, never ever roll your own crypto. Anyone that brings it up should be terminated on the spot. http://classicprogrammerpaintings.com/post/148027314949/we-rolled-our-own-crypto-pieter-bruegel-the
|
# ? Aug 23, 2016 17:24 |
|
https://bugs.chromium.org/p/chromium/issues/detail?id=393463 probably qualifies for this thread. Just send full Qt programs over the internet how can that be a bad idea?! Millions of Qt devs are clamoring for it!
|
# ? Aug 23, 2016 17:43 |
|
lol @ QML. Yes, just run thousands of JS expressions at 60FPS, and rendering and layout are blocked on them. Also, JS engines are totally optimized around starting it up from C++ and running one expression and then exiting really, really fast, right?
|
# ? Aug 23, 2016 18:34 |
|
never not homerolled crypto #yolo
|
# ? Aug 23, 2016 18:36 |
|
also lmao @ thinking crypto abstinence is effective. we should be teaching people how to think about cryptosystems robustly. there are a lot of people designing their own cryptosystem -- every single time you introduce GPG signing or even SHA256 hashing for integrity you're designing a cryptosystem -- you can totally use these things wrong, thinking they have magical properties, and i've seen it a lot.
|
# ? Aug 23, 2016 18:45 |
|
Enigma was good enough for hitler, it's good enough for your ad cookies
|
# ? Aug 23, 2016 18:49 |
|
Soricidus posted:Enigma was good enough for hitler, it's good enough for your ad cookies Enigma was good but in the end it couldn't Turing-compete.
|
# ? Aug 23, 2016 19:05 |
|
Suspicious Dish posted:also lmao @ thinking crypto abstinence is effective. The discussion is about writing your own crypto algorithms, for actual use. No one is advocating for ignorance about cryptography. Of course people need to learn how to develop systems that use crypto algorithms; to learn how they work, and what their limitations are. Of course that might include implementing their own algorithms as a learning exercise.
|
# ? Aug 23, 2016 19:50 |
Testing horror (TestNG+Mockito):
Run all tests in the project: one suite fails both tests.
Run that suite: both tests pass.
Run each test individually: first test passes, second test fails.
The best part was I was able to immediately guess which project team had made it
|
|
# ? Aug 23, 2016 21:10 |
|
I found that desire or willingness to implement crypto (to be actually used) is inversely proportional to crypto expertise.
|
# ? Aug 24, 2016 13:24 |
|
Beef posted:I found that desire or willingness to implement crypto (to be actually used) is inversely proportional to crypto expertise. i thank the blessed baby jesus every day that we have an entire dev team whose title is literally "security" and they spend all their time going to conferences, steeping themselves in research, pentesting their own poo poo, and reviewing everyone else's code.
|
# ? Aug 24, 2016 16:07 |
|
LeftistMuslimObama posted:i thank the blessed baby jesus every day that we have an entire dev team whose title is literally "security" and they spend all their time going to conferences, steeping themselves in research, pentesting their own poo poo, and reviewing everyone else's code. Heck of a lot better than our security team, who meet once a week and bicker about phrasing in policy documents. They're like congress but less effective.
|
# ? Aug 24, 2016 16:09 |
|
I just had a phone screen and when I got asked how much I knew about crypto, I said literally the only thing I knew about it was to not do it myself. The guy laughed and said "good answer" and we moved on and now I have a real interview so I guess he was satisfied?
|
# ? Aug 24, 2016 18:26 |
|
raminasi posted:I just had a phone screen and when I got asked how much I knew about crypto, I said literally the only thing I knew about it was to not do it myself. The guy laughed and said "good answer" and we moved on and now I have a real interview so I guess he was satisfied? That's a good phone screen question. If they say anything other than "not doing it" you end it.
|
# ? Aug 24, 2016 20:43 |
|
necrotic posted:That's a good phone screen question. If they say anything other than "not doing it" you end it. Is your goal to ensure that you only hire fresh grads? There's a hell of a difference between "don't roll your own crypto" and "it's impossible to know anything at all about crypto".
|
# ? Aug 24, 2016 22:56 |
|
You shouldn't roll your own crypto.
|
# ? Aug 24, 2016 23:21 |
|
Plorkyeran posted:Is your goal to ensure that you only hire fresh grads? There's a hell of a difference between "don't roll your own crypto" and "it's impossible to know anything at all about crypto". Good point... I've been targeting senior so I'm in that mindset. And we do not do crypto. To be fair it's not an immediate no but a good indicator for most folks.
|
# ? Aug 25, 2016 01:25 |
|
necrotic posted:Good point... I've been targeting senior so I'm in that mindset. And we do not do crypto. To be fair it's not an immediate no but a good indicator for most folks. Unless your entire job is writing a crypto library/toolset. And the position you're hiring for is a crypto expert that can help you get "to the next level" (whatever that may be). In that case, "don't roll your own" is obviously the wrong answer.
|
# ? Aug 25, 2016 03:42 |
|
Volguus posted:Unless your entire job is writing a crypto library/toolset. And the position you're hiring for is a crypto expert that can help you get "to the next level" (whatever that may be). In that case, "don't roll your own" is obviously the wrong answer. At that point the interview should be querying you on skills at deflecting questions from NSA spooks and perhaps your willingness to intentionally introduce vulnerabilities.
|
# ? Aug 25, 2016 03:50 |
|
Volguus posted:Unless your entire job is writing a crypto library/toolset. And the position you're hiring for is a crypto expert that can help you get "to the next level" (whatever that may be). In that case, "don't roll your own" is obviously the wrong answer. Pretty much my point, but I try to stay away from "never".
|
# ? Aug 25, 2016 03:56 |
|
xzzy posted:At that point the interview should be querying you on skills at deflecting questions from NSA spooks and perhaps your willingness to intentionally introduce vulnerabilities. One of the places I interviewed at recently spent a significant portion of their time querying how I would handle bullshit demands from the scientists they work with (e.g. "I demand you use this tool, because everyone we work with is using it" even if the tool is completely orthogonal to the work we do).
|
# ? Aug 25, 2016 04:20 |
|
A friend of mine in security says any machine that's had anything installed with CPAN should be considered compromised, the attacker just has to GPG sign their malware package with a throwaway key they put on the keyservers, a lot of package managers have the same issue and pip was only somewhat fixed relatively recently. CPAN used to also allow you to define your own digest algorithm in a package, which is then used to verify the checksum you gave it, staggering. This is a direct result of roll-your-own security instead of just using RPM.
|
# ? Aug 25, 2016 04:21 |
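The checksum problem described in the post above, together with the earlier point in the thread about SHA256 integrity checks being used wrongly, as an added example (not code from the thread or from CPAN; the package format, names and sample bytes are constructed for illustration). The weak verifier trusts metadata shipped with the archive; the hardened one takes the expected digest from an index it already trusts.

```python
import hashlib
import hmac

# Constructed sample archives (not real packages).
GOOD = b"print('hello from example-pkg')\n"
TAMPERED = b"print('replaced contents')\n"

# Hardened side: digest pinned in an index the installer already trusts
# (assumption: it was fetched over an authenticated channel).
TRUSTED_INDEX = {"example-pkg-1.0": ("sha256", hashlib.sha256(GOOD).hexdigest())}
ALLOWED_ALGOS = {"sha256", "sha512"}

# Weak side: metadata travelling with the archive.
# Case 1: the package names its own "digest", which ignores the input.
META_CUSTOM = {"digest_fn": lambda data: "00" * 32, "checksum": "00" * 32}
# Case 2: real SHA-256, but the checksum is computed by whoever built the archive.
META_SELF_SHA = {
    "digest_fn": lambda data: hashlib.sha256(data).hexdigest(),
    "checksum": hashlib.sha256(TAMPERED).hexdigest(),
}


def verify_self_described(archive, meta):
    """Weak: both the algorithm and the expected value come from the package."""
    return meta["digest_fn"](archive) == meta["checksum"]


def verify_pinned(name, archive):
    """Hardened: allowlisted algorithm, expected digest from the trusted index."""
    algo, expected = TRUSTED_INDEX[name]
    if algo not in ALLOWED_ALGOS:
        return False
    actual = hashlib.new(algo, archive).hexdigest()
    return hmac.compare_digest(actual, expected)


def demo():
    return {
        "weak_custom_digest": verify_self_described(TAMPERED, META_CUSTOM),
        "weak_self_sha256": verify_self_described(TAMPERED, META_SELF_SHA),
        "pinned_tampered": verify_pinned("example-pkg-1.0", TAMPERED),
        "pinned_good": verify_pinned("example-pkg-1.0", GOOD),
    }


if __name__ == "__main__":
    print(demo())
```

Both weak cases accept the altered archive, including the one that uses real SHA-256, because a checksum only gives integrity when its expected value comes from somewhere the archive's supplier cannot write.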
|
darkpool posted:CPAN used to also allow you to define your own digest algorithm in a package, which is then used to verify the checksum you gave it, staggering. Ah yes, the "Are you a cop? You have to tell me if you're a cop" security model.
|
# ? Aug 25, 2016 04:25 |
|
darkpool posted:A friend of mine in security says any machine that's had anything installed with CPAN should be considered compromised, the attacker just has to GPG sign their malware package with a throwaway key they put on the keyservers, a lot of package managers have the same issue and pip was only somewhat fixed relatively recently. except CPAN predates RPM by four years.
|
# ? Aug 25, 2016 04:33 |
|
Hughlander posted:except CPAN predates RPM by four years. Referring to package managers in general, not just CPAN. Also there's never a bad time to throw out your hand rolled security and replace it.
|
# ? Aug 25, 2016 04:43 |
|
They were probably hoping to get Perl 6 polished and shipped before tackling a redesign of cpan.
|
# ? Aug 25, 2016 05:19 |
|
darkpool posted:CPAN used to also allow you to define your own digest algorithm in a package, which is then used to verify the checksum you gave it, staggering. This is unsurprising considering that Perl is basically Calvinball: The Language. Why wouldn't the package manager be the same way?
|
# ? Aug 25, 2016 15:33 |
|
|
e
xtal fucked around with this message at 01:26 on Aug 26, 2016 |
# ? Aug 25, 2016 18:07 |