Shumagorath posted:Our company's basic screening test has applicants write a modified version of strcmp(). This week, someone submitted some code that just took the two strings and summed their ASCII values char-by-char and made the final comparison based on that. Well clearly it's a probabilistic version of strcmp().
|
# ? Aug 1, 2010 22:24 |
|
Shumagorath posted:Our company's basic screening test has applicants write a modified version of strcmp(). This week, someone submitted some code that just took the two strings and summed their ASCII values char-by-char and made the final comparison based on that. Pretty standard stuff there honestly. As in I see it all the time.
|
# ? Aug 2, 2010 16:26 |
|
It would work for reasonably short strings (or if you have reasonably big integers) if you multiply each n'th character's value by 256 to the n'th power.
|
# ? Aug 2, 2010 20:05 |
|
Vanadium posted:It would work for reasonably short strings (or if you have reasonably big integers) if you multiply each n'th character's value by 256 to the n'th power. How is this any better than doing a comparison returning -1, 0, 1 on first difference unless I'm using something special that allows me to roll that up in one instruction?
|
# ? Aug 2, 2010 20:15 |
|
Well it is more exciting
|
# ? Aug 2, 2010 20:34 |
|
They'll need a bigint class for that, they could implement it as a char array, they'll just have to implement integer comparison.
|
# ? Aug 2, 2010 21:35 |
|
Our e-commerce app allows people to delete their order record information out of the table, just a click of a mouse away and "DELETE FROM ORDER WHERE id=?" gets run. It's not archived anywhere or anything. I just had to piece together a guy's cart from weblogs.
|
# ? Aug 2, 2010 21:39 |
|
shrughes posted:They'll need a bigint class for that, they could implement it as a char array, they'll just have to implement integer comparison. Luckily, we already have a function for that, or so goes the intuitionistic introduction to recursion.
|
# ? Aug 2, 2010 21:44 |
|
code:
|
# ? Aug 2, 2010 23:37 |
|
Hmm, there seems to be a case missing…
|
# ? Aug 2, 2010 23:58 |
|
Mustach posted:Hmm, there seems to be a case missing… What case is missing? Obviously you can't sort with this, since it returns 0 or 1 instead of -1, 0, 1, but other than that what's wrong?
|
# ? Aug 3, 2010 00:39 |
|
Ugg boots posted:What case is missing? FileNotFound
|
# ? Aug 3, 2010 00:45 |
|
A A 2 3 5 8 K posted:FileNotFound
|
# ? Aug 3, 2010 01:01 |
|
Granted, it's for the boot loader, and only ever used for equality, but why call it strcmp and use strcmp's inverted return convention? And then why not go the extra tiny step further and actually implement strcmp?
|
# ? Aug 3, 2010 02:36 |
|
The real horror is using strcmp in the first place. strncmp is far safer. HFX posted:How is this any better than doing a comparison returning -1, 0, 1 on first difference unless I'm using something special that allows me to roll that up in one instruction? Comparison functions shouldn't return on first difference to avoid timing attacks on password comparison.
|
# ? Aug 3, 2010 04:38 |
|
Spazmo posted:Comparison functions shouldn't return on first difference to avoid timing attacks on password comparison. You shouldn't store plaintext passwords anyway?
|
# ? Aug 3, 2010 05:12 |
|
pseudorandom name posted:Granted, it's for the boot loader, and only ever used for equality, but why call it strcmp and use strcmp's inverted return convention? And then why not go the extra tiny step further and actually implement strcmp? It actually is buggy, but this was not discovered until somebody examined the source code because it was never compiled.
|
# ? Aug 3, 2010 05:37 |
|
pseudorandom name posted:
|
# ? Aug 3, 2010 05:53 |
|
Spazmo posted:
Reminds me of a hilarious attack vector mentioned in: Butler Lampson's "Hints for computer system design" --- http://research.microsoft.com/en-us/um/people/blampson/33-Hints/Acrobat.pdf --- see at page 5, starting from "Another example".
|
# ? Aug 3, 2010 05:56 |
|
Wheany posted:You shouldn't store plaintext passwords anyway? You shouldn't store passwords in plaintext or non salted non block level password schemes. Anyway who cares. HFX fucked around with this message at 07:55 on Aug 3, 2010 |
# ? Aug 3, 2010 07:52 |
|
Spazmo posted:The real horror is using strcmp in the first place. strncmp is far safer. If you know that at least one of the strings is valid (e.g. it's a string constant), strcmp is just as safe as strncmp.
|
# ? Aug 3, 2010 08:46 |
|
Shumagorath posted:How much of this is useful pointer math and how much would be compiled to the exact same thing if written much clearer? Maybe it's late and just a bad time to do pointer arithmetic.
|
# ? Aug 3, 2010 09:16 |
|
mjau posted:If you know that at least one of the strings is valid (e.g. it's a string constant), strcmp is just as safe as strncmp. Both strings need to be valid unless (1) you are guaranteed that the possibly-invalid string, if invalid, has at least as many meaningful characters as the valid one or (2) you don't mind reading past the end of a string and either getting garbage results or crashing. Also, there are very few excuses in this day and age to be using a string representation that doesn't pass around the string length.
|
# ? Aug 3, 2010 09:41 |
|
rjmccall posted:Both strings need to be valid unless (1) you are guaranteed that the possibly-invalid string, if invalid, has at least as many meaningful characters as the valid one or (2) you don't mind reading past the end of a string and either getting garbage results or crashing. quote:Also, there are very few excuses in this day and age to be using a string representation that doesn't pass around the string length.
|
# ? Aug 3, 2010 10:48 |
|
HFX posted:You shouldn't store passwords in plaintext or non salted non block level password schemes. Anyway who cares. Well I care in the sense that if your password system would be vulnerable to strcmp timing attacks, you are already doing it wrong. I just wasn't sure if I missed a joke
|
# ? Aug 3, 2010 11:02 |
|
Spazmo posted:The real horror is using strcmp in the first place. strncmp is far safer. ... your default comparison function doesn't need to be written for cryptographic security, you have a special function to do that. You think the default strcmp should iterate over my 1 million char string just for funsies? And it further has dick-all to do with passwords, passwords should be hashed, it's for tokens and other such things that *are* plaintext.
|
# ? Aug 3, 2010 12:46 |
|
Wheany posted:Well I care in the sense that if your password system would be vulnerable to strcmp timing attacks, you are already doing it wrong. No you were doing it right. I was just adding onto what you say. Fundamentally, if you are using a scheme that is somehow broken by knowing the key length, you have bigger issues. Seriously, comparing full length is A level stupid especially when considering running on embedded platforms. Then again, you would not believe how many people I've met who store passwords in plain text in databases. Apparently using an MD5, SHA-X library is too hard to locate and find for such popular languages as C, Java, C#, etc. king_kilr posted:... your default comparison function doesn't need to be written for cryptographic security, you have a special function to do that. You think the default strcmp should iterate over my 1 million char string just for funsies? Thank you. HFX fucked around with this message at 16:29 on Aug 3, 2010 |
# ? Aug 3, 2010 16:22 |
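The point argued across the last few posts (a first-difference comparison stops at a data-dependent position, so it belongs in strcmp but not in a check of a plaintext token; that job goes to a separate routine that walks the whole buffer) as an added C example. This is not code from the thread; the function names are my own, and the token strings are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Instrumented early-exit comparison, the shape strcmp has: it stops at the
   first byte that decides the answer. The returned count (how many bytes were
   looked at) is exactly what a timing side channel observes: it grows with the
   length of the matching prefix. Fine for sorting, wrong for a secret token. */
size_t early_exit_bytes_examined(const char *a, const char *b) {
    size_t i = 0;
    while (a[i] != '\0' && a[i] == b[i]) {
        i++;
    }
    return i + 1; /* the byte that decided it: a mismatch or the terminator */
}

/* Full-length equality for a fixed-size stored token versus caller input of
   any length. Every byte of the expected token is visited no matter where (or
   whether) the inputs differ, and a length mismatch is folded into the same
   accumulator instead of returning early. Work done depends only on elen,
   which is the public, fixed size of the token, not on the secret bytes. */
int ct_equal(const uint8_t *expected, size_t elen,
             const uint8_t *got, size_t glen) {
    uint8_t acc = (uint8_t)(elen != glen);
    for (size_t i = 0; i < elen; i++) {
        uint8_t g = (i < glen) ? got[i] : 0; /* branch on public glen only */
        acc |= (uint8_t)(expected[i] ^ g);
    }
    return acc == 0;
}

int main(void) {
    /* constructed sample tokens, not real secrets */
    const char *stored = "secret-token";
    const char *guesses[] = { "sxxxxxxxxxxx", "secret-tokex", "secret-token" };
    for (int k = 0; k < 3; k++) {
        printf("early-exit looked at %zu byte(s); ct_equal=%d\n",
               early_exit_bytes_examined(stored, guesses[k]),
               ct_equal((const uint8_t *)stored, 12,
                        (const uint8_t *)guesses[k], 12));
    }
    return 0;
}
```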
|
HFX posted:Then again, you would not believe how many people I've met who store passwords in plain text in databases. Apparently using an MD5, SHA-X library is too hard to locate and find for such popular languages as C, Java, C#, etc. Uh, why should I learn some esoteric library that'll make my life miserable when I'm just going to write the password on a sticky under my keyboard?
|
# ? Aug 3, 2010 16:48 |
|
I'm not sure if this is a horror, but I'm pretty sure this is some redundant code here:
code:
It returns as true. Every time. It's an if statement that is always going to be inherently true.
|
# ? Aug 3, 2010 17:50 |
|
Rohaq posted:Why? This is Perl: $Attribute is a return from a hardcoded flat list of string values. $Attribute{$Attribute} is treating it like a hash. What happens if you attempt to check the value of an array element like a hash using the string it already contains as the key? Er, no. $Attribute refers to the scalar variable $Attribute. $Attribute{$Attribute} refers to the member of %Attribute (a completely different variable) indexed by the scalar stored in $Attribute.
|
# ? Aug 3, 2010 18:05 |
|
Zombywuf posted:Er, no.
|
# ? Aug 3, 2010 19:19 |
|
mjau posted:Well, sure, but strncmp won't help you there. If you just compare against a prefix of the known valid string, you'll get invalid results. Well, we're talking about strncmp and fixed-size buffers here. Using a single call to strncmp to determine semantic equality only works if you're limiting the number of characters of precision anyway. Otherwise, you need some sort of fallback if strncmp returns equal and one of the strings is longer than a single buffer.
|
# ? Aug 3, 2010 19:48 |
|
Rohaq posted:I'm not sure if this is a horror, but I'm pretty sure this is some redundant code here: Also you haven't needed to use & to call functions since Perl 4. Please say you're not using Perl 4.
|
# ? Aug 3, 2010 20:18 |
|
Rohaq posted:I'm not sure if this is a horror, but I'm pretty sure this is some redundant code here: loving murder whoever wrote this for not knowing what a template is anyways
|
# ? Aug 3, 2010 20:20 |
|
yaoi prophet posted:Also you haven't needed to use & to call functions since Perl 4. Please say you're not using Perl 4. edit: it only errors out if you're using use strict; without it, it doesn't do anything at all Dijkstracula fucked around with this message at 20:30 on Aug 3, 2010 |
# ? Aug 3, 2010 20:28 |
|
Dijkstracula posted:Technically, if you're omitting the parentheses to the function call (because TMTOWTDI), you have to include the & if the function call precedes its declaration. code:
|
# ? Aug 3, 2010 20:35 |
|
HFX posted:Then again, you would not believe how many people I've met who store passwords in plain text in databases. Apparently using an MD5, SHA-X library is too hard to locate and find for such popular languages as C, Java, C#, etc. And MD5, or SHA-X, would be the wrong things to use.
|
# ? Aug 3, 2010 23:53 |
|
yaoi prophet posted:
code:
Dijkstracula fucked around with this message at 01:51 on Aug 4, 2010 |
# ? Aug 4, 2010 01:46 |
|
shrughes posted:And MD5, or SHA-X, would be the wrong things to use. Back when the stock PHPBB (I think) installations used MD5 with no salt or anything for hashing passwords/session cookies I was administrating an underground hacking forum, and one of our rival forums realized that they can impersonate our users by using the same MD5 hash of that user from their database on our forums and then they'd have access as that user. What'd I do to fix this? MD5(MD5($password)) Also, I started keeping plaintext passwords in the database, too, so that when their members logged in to our forums we just had their password in plaintext, no middleman.
|
# ? Aug 4, 2010 01:47 |
|
Ugg boots posted:Back when the stock PHPBB (I think) installations used MD5 with no salt or anything for hashing passwords/session cookies I was administrating an underground hacking forum, and one of our rival forums realized that they can impersonate our users by using the same MD5 hash of that user from their database on our forums and then they'd have access as that user. What? Where did they find the "MD5 of your password" field?
|
# ? Aug 4, 2010 01:55 |