Coding Horrors: You can gather all your technical debt into one easy framework!

The Something Awful Forums > Discussion > Serious Hardware/Software Crap > The Cavern of COBOL > Coding Horrors: You can gather all your technical debt into one easy framework!

«‹›1503 »

POKEMAN SAM: Jul 8, 2004

shrughes posted:

What? Where did they find the "MD5 of your password" field?

It was stored in your session cookie. Also this might've been IPB not PHPBB. The details are fuzzy.

# ? Aug 4, 2010 01:59

Adbot: ADBOT LOVES YOU

# ? May 14, 2024 11:34

Haystack: Jan 23, 2005

Ugg boots posted:

It was stored in your session cookie. Also this might've been IPB not PHPBB. The details are fuzzy.

Probably some varient of apache's AuthTkt, which stores a hashed user identifier in a cookie. Of course, you're supposed to use salt, for christs sake.

# ? Aug 4, 2010 03:08

Janitor Prime: Jan 22, 2004; PC LOAD LETTER

What da fuck does that mean; Fun Shoe

shrughes posted:

And MD5, or SHA-X, would be the wrong things to use.

Sadly it's not that big of a step up from plain text.

I've been using this neat Java library that applies the hash algorithm x times and uses salts.

http://www.jasypt.org/howtoencryptuserpasswords.html

# ? Aug 4, 2010 04:11

TOO SCSI FOR MY CAT: Oct 12, 2008; this is what happens when you take UI design away from engineers and give it to a bunch of hipster art student "designers"

For gently caress's sake, why can't people figure out password digests? Just use a decent-sized nonce and SHA-anything and all the computing power in the universe won't be able to break them.

Adding iterations won't do anything, especially not such a small number as 1000. If you're really worried about somebody with warehouse full of FPGAs trying to crack the user tables for your pokemon forums, use something nice and space-intensive like scrypt. Space-intensive algorithms are orders of magnitude more expensive to break than time-intensive algos.

TOO SCSI FOR MY CAT fucked around with this message at 03:46 on Aug 5, 2010

# ? Aug 4, 2010 05:55

tractor fanatic: Sep 9, 2005; Pillbug

What's the danger in storing passwords as plaintext? Is it that a user might use the same password for both their bank account and their anime forum account so someone getting access to the anime forum's database can get access to their bank account?

# ? Aug 4, 2010 06:36

TOO SCSI FOR MY CAT: Oct 12, 2008; this is what happens when you take UI design away from engineers and give it to a bunch of hipster art student "designers"

tractor fanatic posted:

What's the danger in storing passwords as plaintext? Is it that a user might use the same password for both their bank account and their anime forum account so someone getting access to the anime forum's database can get access to their bank account?

Yes

A surprisingly large number of people will use their email password on forums. If any passwords can be reversed from that forum's user table, attackers can test it against 1) the account's email contact and 2) accounts on other sites with the same username. Most sites allow "forgot my password" emails, so once an attacker enters your email it's all over.

TOO SCSI FOR MY CAT fucked around with this message at 07:03 on Aug 4, 2010

# ? Aug 4, 2010 07:01

JasonV: Dec 8, 2003

tractor fanatic posted:

What's the danger in storing passwords as plaintext? Is it that a user might use the same password for both their bank account and their anime forum account so someone getting access to the anime forum's database can get access to their bank account?

I think the sign up process for a web site should be along the lines of:

Please enter your e-mail address:
Please enter your password:
Enter password again:

[Please wait...]

For your convience, we have used your password to log into your facebook account and automatically signed you up for our Facebook group. Also, we have logged into your webmail account and set ourselves as a contact so our e-mails won't be marked as spam.

Thank-you.

# ? Aug 4, 2010 07:03

shrughes: Oct 11, 2008; (call/cc call/cc)

Janin posted:

Space-intensive algorithms are orders of magnitude more expensive to break than time-intensive algos.

Well, to be precise, spacetime-intensive algorithms.

# ? Aug 4, 2010 07:05

tractor fanatic: Sep 9, 2005; Pillbug

Janin posted:

Yes

A surprisingly large number of people will use their email password on forums. If any passwords can be reversed from that forum's user table, attackers can test it against 1) the account's email contact and 2) accounts on other sites with the same username. Most sites allow "forgot my password" emails, so once an attacker enters your email it's all over.

Is there then generally any protection from eavesdroppers stealing a password digest and gaining access to a user's anime forum account? That is, is there a unique session salt also sent along with the unique user salt?

# ? Aug 4, 2010 07:15

TOO SCSI FOR MY CAT: Oct 12, 2008; this is what happens when you take UI design away from engineers and give it to a bunch of hipster art student "designers"

shrughes posted:

Well, to be precise, spacetime-intensive algorithms.

if this is a joke then I apologize for the following spergout:

Time complexity is a measure of how many calculations must be performed to solve an algorithm. Space complexity is a measure of how many intermediate results must be stored at once to solve an algorithm.

Calculation engines (CPUs, GPUs, FPGAs) are relatively easy to make more powerful, by inventing smaller transistors, more efficient cooling mechanisms, and specialised circuits. It can be scaled easily by dividing the solution space and testing each subsection in parallel.

Consider this: you have a choice between making an algorithm take 1,000,000,000x more CPU time, or 1,000,000,000x more storage. Lets say it starts at 1ms and 100KiB.

Increased CPU means it will take 1000000 seconds, or about a week and a half, to break. This is easily parallelized -- with 100 devices, you can expect a crack in just under 3 hours. Stuff a warehouse full, and it's done in seconds.

Increased storage means it will take about 93GiB. You can't parallelize storage, so that's 93GiB **per device**.

tractor fanatic posted:

Is there then generally any protection from eavesdroppers stealing a password digest and gaining access to a user's anime forum account? That is, is there a unique session salt also sent along with the unique user salt?

Properly designed software never sends the user's password digest. What should happen is:

1. User opens the login screen. The login screen is encrypted, using TLS (aka HTTPS)
2. User enters password. This is sent, encrypted, to the server.
3. Server performs SHA1(server nonce + user nonce + submitted text), compares it to the stored digest, and either creates a session or refuses the login
4. The session ID is sent to the user, and is used for all further authentication when browsing.

If further browsing is unencrypted, then it's possible for an attacker to intercept the user's session ID and impersonate them. However, this requires either expensive technology or physical proximity to the victim. Furthermore, the user can end the attack by logging out (which deletes their session).

TOO SCSI FOR MY CAT fucked around with this message at 03:46 on Aug 5, 2010

# ? Aug 4, 2010 07:30

tractor fanatic: Sep 9, 2005; Pillbug

Janin posted:

Properly designed software never sends the user's password digest. What should happen is:

1. User opens the login screen. The login screen is encrypted, using TLS (aka HTTPS)
2. User enters password. This is sent, encrypted, to the server.
3. Server performs SHA1(server nonce + user nonce + submitted text), compares it to the stored digest, and either creates a session or refuses the login
4. The session ID is sent to the user, and is used for all further authentication when browsing.

If further browsing is unencrypted, then it's possible for an attacker to intercept the user's session ID and impersonate them. However, this requires either expensive technology or physical proximity to the victim. Furthermore, the user can end the attack by logging out (which deletes their session).

I see, thanks.

Also, I think by "space-time" he meant that the time complexity would have a factor at least a linear multiple of the space complexity, so that space complexity would create time complexity as well.

# ? Aug 4, 2010 07:56

shrughes: Oct 11, 2008; (call/cc call/cc)

Janin posted:

Consider this: you have a choice between making an algorithm take 1,000,000,000x more CPU time, or 1,000,000,000x more storage. Lets say it starts at 1ms and 100KiB.

Increased CPU means it will take 1000000 seconds, or about a week and a half, to break. This is easily parallelized -- with 100 devices, you can expect a crack in just under 3 hours. Stuff a warehouse full, and it's done in seconds.

Increased storage means it will take about 93GiB. You can't parallelize storage, so that's 93GiB **per device**.

So just expanding storage requirements, it takes 93GiB of storage, and 1ms, to break. That's very affordable.

The reason to expand in storage is because attacking a function in hardware can be much more efficient than computing it on a general purpose CPU, but if you require lots of space, the attacker has to use the same kind of general purpose memory that you use.

Edit: Specifically, it means the attacker can only use a fraction of his hardware for computation at any given time, instead of streaming everything through a pipeline.

shrughes fucked around with this message at 08:38 on Aug 4, 2010

# ? Aug 4, 2010 08:33

floWenoL: Oct 23, 2002

tractor fanatic posted:

Also, I think by "space-time" he meant that the time complexity would have a factor at least a linear multiple of the space complexity, so that space complexity would create time complexity as well.

This thread never fails to deliver.

# ? Aug 4, 2010 08:35

tractor fanatic: Sep 9, 2005; Pillbug

floWenoL posted:

This thread never fails to deliver.

welp, didn't think I'd be wrong about that, but I'm not a computer scientist. If the space complexity is say, n^2, wouldn't you need at least n^2 time to generate all the data you are storing?

# ? Aug 4, 2010 08:38

shrughes: Oct 11, 2008; (call/cc call/cc)

tractor fanatic posted:

welp, didn't think I'd be wrong about that, but I'm not a computer scientist. If the space complexity is say, n^2, wouldn't you need n^2 time to generate each datum you are storing?

Yes, but I just happened not to be referring to that effect, I was just referring to space * time, whatever the source of those values might be. Edit: also, you said "linear multiple" when you meant "constant multiple".. or something.

shrughes fucked around with this message at 08:43 on Aug 4, 2010

# ? Aug 4, 2010 08:39

tractor fanatic: Sep 9, 2005; Pillbug

shrughes posted:

Yes, but I just happened not to be referring to that effect, I was just referring to space * time, whatever the source of those values might be. Edit: also, you said "linear multiple" when you meant "constant multiple".. or something.

Yeah I should have just said, "time complexity is at least as big as space complexity".

# ? Aug 4, 2010 08:56

baquerd: Jul 2, 2007; by FactsAreUseless

Well, this directory exists so someone...

/sbcimp/run/perl/32-bit/old/do_not_delete/perl3/

Edit: I changed the do_not_delete to do_not_use, let's see who notices!

baquerd fucked around with this message at 10:19 on Aug 4, 2010

# ? Aug 4, 2010 10:14

HFX: Nov 29, 2004

shrughes posted:

And MD5, or SHA-X, would be the wrong things to use.

Wrong thing to use for what? You telling me my /etc/shadow is not in SHA 512 when it starts with $6$?

MD5 maybe weak, but it is still very usable. We can generate collisions for SHA1 but it is not trivial. Depending on risk level, it may still be exceptable?

Obviously, you need to salt the password properly so that the same password doesn't end up the same storage for all users.

I was leaving out actually sending the password which is where we would have to get into a DH key exchange.

HFX fucked around with this message at 19:06 on Aug 4, 2010

# ? Aug 4, 2010 17:55

shrughes: Oct 11, 2008; (call/cc call/cc)

HFX posted:

Wrong thing to use for what? You telling me my /etc/shadow is not in SHA 512 when it starts with $6$?

That's right. When it starts with $6$ the output consists of 5000 rounds of some unnecessarily baroque scheme that inputs the results from past rounds of computation into SHA-512.

# ? Aug 4, 2010 19:39

trex eaterofcadrs: Jun 17, 2005; My lack of understanding is only exceeded by my lack of concern.

Janin posted:

FGPA

You've used this acronym twice, but do you really mean FPGA or is it a new acronym?

# ? Aug 5, 2010 02:37

TOO SCSI FOR MY CAT: Oct 12, 2008; this is what happens when you take UI design away from engineers and give it to a bunch of hipster art student "designers"

TRex EaterofCars posted:

You've used this acronym twice, but do you really mean FPGA or is it a new acronym?

no, that's just me typoing, sorry. I mean FGP---loving drat it, FPGA

# ? Aug 5, 2010 03:45

TOO SCSI FOR MY CAT: Oct 12, 2008; this is what happens when you take UI design away from engineers and give it to a bunch of hipster art student "designers"

loving up more, quote is not edit; I am literally retarded IRL

# ? Aug 5, 2010 03:46

Sweeper: Nov 29, 2007; The Joe Buck of Posting; Dinosaur Gum

Janin posted:

no, that's just me typoing, sorry. I mean FGP---loving drat it, FPGA

read it as: Field-programmable gate array, so no worries anyway

# ? Aug 5, 2010 22:15

ymgve: Jan 2, 2004; Offensive Clock

Ban four letter acronyms now!

# ? Aug 5, 2010 22:24

Crazy RRRussian: Mar 5, 2010; by Fistgrrl

ymgve posted:

Ban four letter acronyms now!

Acronyms in variable/function/class names piss me off too. I would rather have verbose names that are very descriptive than have to remember particular shortening of it. Although there is something to be said about long names that are still loving confusing and too long.

# ? Aug 5, 2010 22:27

Jabor: Jul 16, 2010; #1 Loser at SpaceChem

Crazy RRRussian posted:

Acronyms in variable/function/class names piss me off too. I would rather have verbose names that are very descriptive than have to remember particular shortening of it. Although there is something to be said about long names that are still loving confusing and too long.

It really depends on the acronym, TBH. Certainly, I would hate to see a HyperTextMarkupLanguageParser class.

# ? Aug 6, 2010 01:47

tripwire: Nov 19, 2004; _{ghost flow}

Crazy RRRussian posted:

Although there is something to be said about long names that are still loving confusing and too long.

Java Babey!!!!

# ? Aug 6, 2010 02:26

Plorkyeran: Mar 22, 2007; To Escape The Shackles Of The Old Forums, We Must Reject The Tribal Negativity He Endorsed

I've never seen anything top the quicktime SDK for obfuscating verboseness:

code:

AudioStreamBasicDescription asbd;
qt_status = MovieAudioExtractionGetProperty(extract_ref, kQTPropertyClass_MovieAudioExtraction_Audio, kQTMovieAudioExtractionAudioPropertyID_AudioStreamBasicDescription, sizeof(asbd), &asbd, NULL);

# ? Aug 6, 2010 03:03

tripwire: Nov 19, 2004; _{ghost flow}

Those aren't even good or descriptive.

And one of the variables has the word Audio in it, twice.

Sorry, three times.

# ? Aug 6, 2010 03:55

BigRedDot: Mar 6, 2008

tripwire posted:

Those aren't even good or descriptive.

And one of the variables has the word Audio in it, twice.

Sorry, three times.

You gotta be sure.

# ? Aug 6, 2010 13:51

Crazy RRRussian: Mar 5, 2010; by Fistgrrl

tripwire posted:

Java Babey!!!!

To be fair, most of the naming convention for the standard java library are intuitive and strike good balance between too long and not descriptive at all.

Crazy RRRussian fucked around with this message at 05:04 on Aug 7, 2010

# ? Aug 7, 2010 04:54

blorpy: Jan 5, 2005

So it turns out that Cake Poker, a fairly major poker site, was using XOR encryption on everything and was found to have a couple of possible unaccounted for superusers on its site. When pressured about this issue, they advised players to make sure to only use wireless networks with WEP. :psyduck:

# ? Aug 12, 2010 02:14

Lysandus: Jun 21, 2010

Found this one today.

code:

    public boolean addModuleName( String moduleName )
    {
        boolean moduleNameAddedSuccessfully = false;
        
        if( _modules != null )
        {
            try
            {
                _modules.addElement( moduleName );
                moduleNameAddedSuccessfully = true;
            }
            catch( Exception addModuleNameException )
            {
                System.out.println( addModuleNameException.toString() );
            }
        }
        else
        {
            moduleNameAddedSuccessfully = false;
        }
        
        return moduleNameAddedSuccessfully;
    }

I can understand checking the vector to make sure it's not null, but the rest...

# ? Aug 12, 2010 15:43

Sprawl: Nov 21, 2005; I'm a huge retarded sperglord who can't spell, but Starfleet Dental would still take me and I love them for it!

I dont see how that's particularly bad i mean sure that shouldn't go live.

# ? Aug 12, 2010 18:27

dancavallaro: Sep 10, 2006; My title sucks

Sprawl posted:

I dont see how that's particularly bad i mean sure that shouldn't go live.

Sure it's not "bad", but it's still retarded. Vector.addElement shouldn't ever throw an exception. That method really should just be:

code:

public void addModuleName(String moduleName) {
   _modules.addElement(moduleName);
}

Or if there really is a possibility of _modules being null, and you really want it to return a boolean, then

code:

public boolean addModuleName(String moduleName) {
   if (_modules == null)
      return false;

   _modules.addElement(moduleName);
   return true;
}

# ? Aug 12, 2010 18:38

necrobobsledder: Mar 21, 2005; Lay down your soul to the gods rock 'n roll; Nap Ghost

BigRedDot posted:

You gotta be sure.

Almost looks like a library where the method names were automatically generated, actually.

Speaking of which, I had to integrate some stuff to a library where the methods names could change while the general boilerplate patterns were identical, and I did some analysis and found it's basically a query language in its idioms and dataflow model. Turns out it was taking a SQL database schema and generating methods according to the schema as it walked the tree and presented that to me as a client-side library. I had created a declarative language for query data to perform the integration, so basically here's what it did in the end:

1. I parse user inputs, which I defined as a declarative query language with hierarchical elements that looked a lot like CSS
2. I generate intermediate code to walk library and object graph of the API as compile-time validation (well, pre-processed because by definition it couldn't be compiled in our system - we had no choice but to do dynamic, but I could have easily converted to a compiled language)
3. Client-side library turns it into SOAP under the covers
4. Receiving server turns SOAP into its own intermediate language to move between a procedural library it exposed to a query language
5. Turned it into different SQL variants depending upon db backing

The language I wrote up is apparently the only one that can handle all cases of customizations to the database schema because it's dynamic, and almost everyone that uses the server-side software has custom Java code written by consultants at $250+ / hr because nobody hires full-time developers to do this poo poo in reality.

I've gotta get out of enterprise software somehow

# ? Aug 12, 2010 18:40

Sprawl: Nov 21, 2005; I'm a huge retarded sperglord who can't spell, but Starfleet Dental would still take me and I love them for it!

dancavallaro posted:

Sure it's not "bad", but it's still retarded. Vector.addElement shouldn't ever throw an exception. That method really should just be:
code:
public void addModuleName(String moduleName) {
   _modules.addElement(moduleName);
}
Or if there really is a possibility of _modules being null, and you really want it to return a boolean, then
code:
public boolean addModuleName(String moduleName) {
   if (_modules == null)
      return false;

   _modules.addElement(moduleName);
   return true;
}

Well the Vector could have a size limit a la.

code:

__modules = New Vector (4)

And if it was adding a 5th element it would error would it not? I imagine that would be the only other error you could encounter.

# ? Aug 12, 2010 18:45

dancavallaro: Sep 10, 2006; My title sucks

Sprawl posted:

Well the Vector could have a size limit a la.
code:
__modules = New Vector (4)
And if it was adding a 5th element it would error would it not? I imagine that would be the only other error you could encounter.

A Vector is a growable array. If you use the Vector(int) constructor, you're just specifying the initial capacity, but it will still grow if you add elements to it beyond that. Vector.addElement should never throw an exception.

# ? Aug 12, 2010 18:47

rjmccall: Sep 7, 2007; no worries friend; Fun Shoe

Technically it can if you run out of memory.

# ? Aug 12, 2010 18:52

Adbot: ADBOT LOVES YOU

# ? May 14, 2024 11:34

dancavallaro: Sep 10, 2006; My title sucks

rjmccall posted:

Technically it can if you run out of memory.

Don't tell that to whoever wrote that code, because he'll wrap every single line in his program with

code:

try {
   // everything!
} catch (OutOfMemoryError e) {

}

You never can be too careful!

# ? Aug 12, 2010 18:57

The Something Awful Forums > Discussion > Serious Hardware/Software Crap > The Cavern of COBOL > Coding Horrors: You can gather all your technical debt into one easy framework!

«‹›1503 »