Knyteguy posted:
Hm so why is this so? Is there a name for this attack so I could do some research? I really like this kind of stuff. Thanks again.

code:
    Say password is 'hello_world'. Resulting data is:
    $password[0] = he
    $password[1] = ll
    $password[2] = o_
    $password[3] = wo
    $password[4] = rl
    $password[5] = d
    $hash = sha1("he" . $salt . "ll")

... You're throwing away the rest of the password.

[Mar 10, 2012 11:23]
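To make hieronymus's point concrete, here is an added example (mine, not code from the thread) that reproduces the str_split bug in Python and hashes two different passwords that share only their first four characters. The salt value, the two passwords and the function names are constructed for the example; the thread's sha1(chunk . $salt . chunk) construction is kept so the defect stays visible:

```python
import hashlib

# Constructed sample salt; the thread's code used a single fixed $salt.
SALT = "s4lt"


def split_hash(password: str, salt: str = SALT) -> str:
    """Reproduce the thread's bug: PHP str_split($password, 2) cuts the
    password into 2-character chunks, and only chunks [0] and [1] ever
    reach sha1(). Everything after the fourth character is discarded."""
    chunks = [password[i:i + 2] for i in range(0, len(password), 2)]
    chunks += [""] * (2 - len(chunks))     # short passwords: missing chunks are empty
    data = chunks[0] + salt + chunks[1]    # "he" . $salt . "ll" for 'hello_world'
    return hashlib.sha1(data.encode()).hexdigest()


def full_hash(password: str, salt: str = SALT) -> str:
    """Same construction, but every character of the password is hashed."""
    return hashlib.sha1((salt + password).encode()).hexdigest()


def effective_keyspace(alphabet_size: int, chars_used: int) -> int:
    """How many distinct inputs the split version can actually see:
    alphabet^chars. With 4 characters over the 95 printable ASCII symbols
    that is about 81 million, regardless of how long the real password is."""
    return alphabet_size ** chars_used


def demo() -> dict:
    # Constructed passwords that agree only in their first four characters.
    a, b = "hello_world", "hellfire-2012!"
    return {
        "split_collides": split_hash(a) == split_hash(b),   # True: the bug
        "full_collides": full_hash(a) == full_hash(b),      # False
        "max_distinct_split_hashes": effective_keyspace(95, 4),
    }


if __name__ == "__main__":
    print(demo())
```

Any two passwords whose first four characters match produce the same stored hash, so the attacker only ever has to search a four-character space; the full-password version does not have that property.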
hieronymus posted:
Here is the problem:

Thanks. I was under the impression (at least at the time) that str_split would split the password into 2 roughly equal parts. Lesson learned to read documentation next time.

code:

(edited 19:10 on Mar 10, 2012)

[Mar 10, 2012 19:02]
That's still terrible, because you're still using the same salt all the time.

[Mar 10, 2012 22:09]

Knyteguy posted:

You need your salt to vary for every entry in the DB. I would use something (well, I wouldn't try to do this myself, but if I were to do this), I'd use something like 'time of account creation' or 'time password changed' to do the salt. With the above:
a) If two people use the same password, the hash is the same.
b) You only need to generate one rainbow table.

[Mar 11, 2012 00:20]

dancavallaro posted:
That's still terrible, because you're still using the same salt all the time.

quote:
$saltSeed = mt_rand();

Would need to store the $saltSeed var into the database for login. If the site were to become very popular, and the registration rate was great, there would be overlaps for the salt. I'm not sure how much of a security flaw this would be in the real world though. The amount of overlap per X users would also be adjustable with mt_getrandmax, or using pretty much any other randomization.

Thanks again for the help, I may use this form in the future so it was prudent to tighten up the security.

E^ Or even better.

(edited 01:07 on Mar 11, 2012)

[Mar 11, 2012 00:44]

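The two points raised above, that a shared salt makes equal passwords hash identically and that a 31-bit mt_rand() salt will repeat once the user base is large, can be checked directly. The following is an added example (not Knyteguy's code); the user names, passwords, the global salt and the function names are constructed, and sha1(salt + password) is kept only to mirror the thread's scheme. The collision estimate is the birthday bound C(n,2)/2^bits applied to mt_rand's default 31-bit range (mt_getrandmax) and to a 128-bit os.urandom salt:

```python
import hashlib
import math
import os


def sha1_salted(password: str, salt: bytes) -> str:
    # The thread's construction (sha1 over salt + password), kept only to
    # show the effect of the salt; a real deployment would use a slow KDF.
    return hashlib.sha1(salt + password.encode()).hexdigest()


def fixed_salt_records(users, salt: bytes = b"global-salt") -> dict:
    """Everyone shares one salt: equal passwords give equal hashes, and one
    precomputed table covers the whole user base."""
    return {name: sha1_salted(pw, salt) for name, pw in users}


def random_salt_records(users, salt_len: int = 16) -> dict:
    """Per-user salt drawn from os.urandom (128 bits here), stored next to
    the hash so verification can recompute it."""
    out = {}
    for name, pw in users:
        salt = os.urandom(salt_len)
        out[name] = (salt.hex(), sha1_salted(pw, salt))
    return out


def verify(record, password: str) -> bool:
    salt_hex, digest = record
    return sha1_salted(password, bytes.fromhex(salt_hex)) == digest


def expected_salt_collisions(n_users: int, salt_bits: int) -> float:
    """Expected number of colliding salt pairs among n users (birthday
    bound): C(n, 2) / 2^bits. mt_rand() defaults to a 31-bit range."""
    return math.comb(n_users, 2) / 2 ** salt_bits


def demo() -> dict:
    users = [("alice", "hunter2"), ("bob", "hunter2")]   # constructed, same password
    fixed = fixed_salt_records(users)
    rnd = random_salt_records(users)
    return {
        "fixed_salt_same_hash": fixed["alice"] == fixed["bob"],       # True
        "random_salt_same_hash": rnd["alice"][1] == rnd["bob"][1],    # False
        "verify_ok": verify(rnd["alice"], "hunter2"),
        "verify_bad": verify(rnd["alice"], "hunter3"),
        "mt_rand_collisions_1M_users": expected_salt_collisions(1_000_000, 31),
        "urandom_collisions_1M_users": expected_salt_collisions(1_000_000, 128),
    }


if __name__ == "__main__":
    print(demo())
```

With a million accounts, a 31-bit salt is expected to repeat about 233 times, whereas a 128-bit random salt effectively never does. A real deployment would also replace sha1 with a deliberately slow KDF such as PBKDF2 (hashlib.pbkdf2_hmac) or bcrypt, keeping the per-user salt stored next to the hash exactly as above.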
Knyteguy posted:
Would need to store the $saltSeed var into the database for login. If the site were to become very popular, and the registration rate was great, there would be overlaps for the salt. I'm not sure how much of a security flaw this would be in the real world though. The amount of overlap per X users would also be adjustable with mt_getrandmax, or using pretty much any other randomization.

This is still wrong, because you're still putting the user's password hash in the cookie to be used for auth. This is really no better than putting the plaintext password in the cookie -- if I am able to intercept a user's hash from their cookie, sure, I can't use it to log in using the login form, but I can just as easily use it to get a session as that user by sticking it in the cookie. Intercepting usernames and password hashes from your users' cookies is trivial if your site has any XSS vulnerabilities, which is another reason you should be using a good framework which will make output escaping trivially easy.

We could go back and forth like this for a loooong time. I'm not trying to make you feel bad -- this stuff is hard, and even people who are really good at this stuff can get it wrong. I hope you're starting to see why it's a terrible idea to try and implement security/crypto-related code yourself.

[Mar 12, 2012 23:09]

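What dancavallaro describes is a bearer-token problem: whatever sits in the cookie is the credential, so the cookie must hold a value that is worthless outside the server's own session table. The example below is added here and is not from the thread; the user store, the account and the function names are constructed. It keeps the thread's salted-sha1 verification only so the login step is complete, and shows the server-side session id that replaces the password hash in the cookie, including revocation on logout:

```python
import hashlib
import hmac
import secrets


def make_user(password: str):
    # Constructed user record in the thread's shape: (salt, sha1(salt + password)).
    salt = secrets.token_bytes(16)
    return (salt, hashlib.sha1(salt + password.encode()).hexdigest())


USERS = {"alice": make_user("correct horse")}   # constructed sample account
SESSIONS: dict = {}                              # session id -> username, server side only


def check_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, digest = rec
    candidate = hashlib.sha1(salt + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def login(username: str, password: str):
    """Return the cookie value to set, or None on failure. The cookie carries
    a random session id that means nothing outside SESSIONS; the password
    hash never leaves the server."""
    if not check_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)   # 256 bits of randomness, not guessable
    SESSIONS[sid] = username
    return sid


def current_user(cookie_value):
    """Resolve a cookie to a user. Anything not issued by login(), including
    the stored password hash itself, resolves to nobody."""
    return SESSIONS.get(cookie_value)


def logout(cookie_value) -> None:
    """Server-side revocation: a leaked cookie stops working immediately,
    which a hash-in-cookie scheme cannot offer without a password change."""
    SESSIONS.pop(cookie_value, None)


def demo() -> dict:
    bad = login("alice", "wrong")
    sid = login("alice", "correct horse")
    before = current_user(sid)
    hash_as_cookie = current_user(USERS["alice"][1])   # the stored hash is not a session
    logout(sid)
    return {
        "bad_login": bad,                      # None
        "user_while_logged_in": before,        # "alice"
        "hash_as_cookie": hash_as_cookie,      # None
        "user_after_logout": current_user(sid) # None
    }


if __name__ == "__main__":
    print(demo())
```

Because the session id is random and only meaningful in the server's table, a cookie copied out of the browser (by XSS or otherwise) can be invalidated by deleting one row, and nothing in it helps an attacker against the login form or against other sites.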
What do the cool folks in this thread think of the quixey challenge?

[Mar 13, 2012 07:10]

I have an in person interview with Netapp for an entry level Software Engineer position and I was wondering if anyone has interviewed with them for a similar position and what kind of questions they asked.

[Mar 15, 2012 02:21]

Don Mega posted:
I have an in person interview with Netapp for an entry level Software Engineer position and I was wondering if anyone has interviewed with them for a similar position and what kind of questions they asked.

They asked me to implement a square root function, asked me "How would you grep for the string 'foobar' in a directory?" and asked details of virtual inheritance and constructor exception semantics.

[Mar 15, 2012 04:19]

shrughes posted:
They asked me to implement a square root function

How did you do this? Did you just do the "close enough" upper/lower version or what?

[Mar 16, 2012 01:55]

NovemberMike posted:
How did you do this? Did you just do the "close enough" upper/lower version or what?

They actually wanted the square root in terms of p-adic arithmetic, where p = 2.

[Mar 16, 2012 02:38]

shrughes posted:
They actually wanted the square root in terms of p-adic arithmetic, where p = 2.

(edited 02:43 on Mar 16, 2012)

[Mar 16, 2012 02:41]

shrughes posted:
They actually wanted the square root in terms of p-adic arithmetic, where p = 2.

Did they give you the algorithm or was that something they expected you to know?

[Mar 16, 2012 03:48]

Until just now I didn't realize that I have no idea how to go about actually calculating a square root, since no math class ever covered it and I've never needed it in a language where the standard library didn't have a sufficient implementation. I guess just binary searching for the root is always an option.

[Mar 16, 2012 04:37]

NovemberMike posted:
Did they give you the algorithm or was that something they expected you to know?

It's not like any competent programmer can't at least make some function that computes the square root of something to arbitrary precision.

[Mar 16, 2012 04:53]

shrughes posted:
It's not like any competent programmer can't at least make some function that computes the square root of something to arbitrary precision.

Yeah, as long as you're just going to a finite precision it's pretty easy to get close enough just using a set of nested loops. I was just curious if they were expecting random mathematical knowledge for a generic programmer job, or if you were hired with a Math PhD to design algorithms, or if this was something you just randomly knew.

[Mar 16, 2012 06:45]

NovemberMike posted:
Yeah, as long as you're just going to a finite precision it's pretty easy to get close enough just using a set of nested loops.

What. I was thinking more along the lines of guess and check binary search.

[Mar 16, 2012 08:48]

I can think of very few positions where knowing the square root algorithm might actually be required. Excluding those positions, having to write a square root function is a pretty bullshit question to be asked during an interview. And usually it's a question where they're looking for the specific implementation they have in their head, and not whether you'd know of a general algorithm to get the answer. So unless you know the best algorithm, you're probably going to fail the question anyway.

How does knowing a square root algorithm prove anything? That you either 1) memorized the algorithms in preparation for what you'd get asked in the interview, or 2) are pretty smart, or maybe 3) love math trivia. It's one of those questions that allows the interviewer to feel like Alex Trebek when the contestant answers something that is close but wrong: "Ooh, I'm sorry, you did it in O(n^2) time? There's actually a better algorithm that gives it in O(n^1.5) time."

It's pretty hard for a developer to go through his career doing good work without understanding some fundamental programming concepts; knowing the square root algorithm is not one of them. And if it weren't for the possibility that I may get asked the question in an interview, I couldn't care less about knowing how to calculate a square root. When the field I'm in actually requires it, or if for some reason I end up using a programming language that hasn't implemented it yet, well then I guess I'll just have to search for it on the Internet.

(edited 09:52 on Mar 16, 2012)

[Mar 16, 2012 09:48]

An interview (a good one anyway) isn't an exam where you're getting marked right or wrong on each question and interviews are too short to ask questions that are genuinely relevant to the job so small programming puzzles are always going to be the order of the day. In this case, unless you're applying for a job at the maths factory, they are asking that question specifically because they don't expect you to have memorised the textbook solution and they want to see what you do when you're confronted with an unfamiliar problem. If you manage to put together "sqrt(n) falls between 1 and n" and "binary search!" to get a working solution under the pressure of an interview they're going to be plenty happy with you even though there are faster algorithms out there.

[Mar 16, 2012 12:25]

How averse are companies to hiring programmers who aren't just out of college for entry level positions? I have a CS degree from a good CS university, but by the time I finished I didn't think I'd ever want to write another line of code. I've been getting back into it recently, and the field I actually work in is much less interesting and financially sustainable, so I've been thinking about entering the job market in a way I never actually did when I graduated (one phone interview with MS, a follow-up interview that was scheduled and then cancelled), but would like to know if it's at all feasible before I throw myself into it.

[Mar 16, 2012 13:15]

I could be way off base but I don't think it's an offensive assumption that basic computing should probably be in a computer scientist's toolkit. Square root isn't exactly an obscure function. How would you feel if you had to write an algorithm to output (n!)? WHAT IF YOU HADN'T MEMORIZED IT??

[Mar 16, 2012 13:26]

shrughes posted:
What. I was thinking more along the lines of guess and check binary search.

You can do it with 101 level knowledge using only a couple of loops. It's not going to be as efficient as a binary search but it will work reasonably well. I was just trying to think of whether you could do it without any advanced concepts, and since you can it seems like a good interview question.

quote:
I could be way off base but I don't think it's an offensive assumption that basic computing should probably be in a computer scientist's toolkit. Square root isn't exactly an obscure function.

It's not that it's something everyone should know, it's something that everyone should be able to figure out.

(edited 15:07 on Mar 16, 2012)

[Mar 16, 2012 15:04]

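The approach the last several posts converge on (bracket the root, then binary search) carried through in code, as an added example that is not from any poster. It handles the edge case the "between 1 and n" bracket misses, namely 0 < n < 1, where sqrt(n) is larger than n, and it reaches arbitrary precision the way shrughes alludes to by running the same integer search on n scaled by 10^(2k). The function names are my own:

```python
def isqrt(n: int) -> int:
    """Largest integer r with r*r <= n, found by binary search. Only integer
    arithmetic is used, so it works for arbitrarily large n."""
    if n < 0:
        raise ValueError("square root of a negative number")
    lo, hi = 0, max(1, n)           # for n >= 1 the root is in [0, n]; n = 0 needs hi = 1
    while lo < hi:
        mid = (lo + hi + 1) // 2    # round up so the loop always makes progress
        if mid * mid <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def sqrt_digits(n: int, digits: int) -> str:
    """sqrt(n) truncated to `digits` decimal places, as a string:
    sqrt(n) = isqrt(n * 10^(2*digits)) / 10^digits. Arbitrary precision."""
    scaled = isqrt(n * 10 ** (2 * digits))
    whole, frac = divmod(scaled, 10 ** digits)
    return f"{whole}.{frac:0{digits}d}" if digits else str(whole)


def bisect_sqrt(x: float, tol: float = 1e-12) -> float:
    """Float 'guess and check'. Note the bracket: for 0 < x < 1 the root is
    larger than x, so the upper bound must be max(1, x), not x."""
    if x < 0:
        raise ValueError("square root of a negative number")
    lo, hi = 0.0, max(1.0, x)
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if mid * mid < x:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    print(isqrt(10 ** 40), sqrt_digits(2, 30), bisect_sqrt(0.25))
```

Each halving of the interval gains one bit, so the integer version needs about log2(n) iterations and the scaled version about log2(n) + 3.3k for k decimal places; nothing here is faster than Newton's method, but it is the version you can reconstruct under pressure from "the root lies in a known interval".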
Maybe this isn't the best place to ask, but I'm mulling a job offer from a reasonably-sized tech company in Silicon Valley, and the vesting period for the stock options is 4 years. Does that sound reasonable? Career academic here so I don't really know what's standard.

[Mar 16, 2012 17:15]

I have been following this thread recently. I see a lot of Goons in this thread asking about what it takes to find programming related work. I am bias, but I do think that a properly written and formatted resume can get you an interview for a job you may not have thought you were qualified for. I am offering a free basic resume critique to anyone interested in applying to a programming related job. I have been paid to write over 2000 resumes, most of which were IT related. Just send me an email with your resume to support@resumetointerviews.com. I also have a thread in the SA-Mart with over 2900 replies as evidence that my critique is worthwhile. If anyone wants specific advice in this thread, feel free to ask.

As a full disclosure, I am offering this help as a way for me to spread the word about my resume writing service. I am being honest because Goons are very intelligent and pick up on B.S. in an instant. To redeem this one-time offer sign up at... just kidding. In all seriousness, I really am offering professional advice and expect nothing in return.

Mods: If this is not kosher let me know and I will remove this post.

(edited 18:56 on Mar 16, 2012)

[Mar 16, 2012 18:21]

DustingDuvet posted:
I am bias

[Mar 16, 2012 18:52]

I just got let go from my 2-month old position at UCSD as a database/website developer, and I'm gearing up to begin applying for new jobs as soon as I wrap up some administrative loose ends. While both my direct boss and our mutual supervising professor assured me there was nothing wrong with my abilities in pure programming, it turns out that a BS in CS from Caltech is very little preparation for dealing with less theoretical tasks like web development, graphical design, project management, testing and development frameworks and methodologies, and so on. How should I go about learning how to work with these things?

[Mar 16, 2012 20:40]

I don't know if this is the right thread for this kind of question, but it seemed like the most appropriate out of the currently active ones . . . I'm currently working an entry-level software engineer position in a corporate kind of place. It's not terrible but I'd like my next job to be a bit more interesting. I don't have a CS degree, I only managed to squeeze in a few classes before I graduated (in mechanical engineering if it matters). Besides this job, my handful of CS classes and one short lab job, I don't have much coding or CS experience. I've been trying to figure out what I can do over the next year or two that would be the most helpful (not that I'd stop trying to improve myself after a year, just need a place to start). I am just a bit overwhelmed by all the projects, languages and books I could be working on. Since I didn't major in CS, should I start with more fundamental stuff, like algorithm textbooks and SICP, or should I jump right into coding . . . something? What kinds of projects are good to start with? And I know it would be helpful if I already knew I wanted to enter a certain field like games or graphics or something, but I don't know that yet. I was hoping working on stuff would help me figure that out. Tl,dr: looking for advice on how to go from "can sort of stumble through coding a thing" to getting on the path to being a good developer.

[Mar 16, 2012 20:50]

Zilla32167 posted:
I just got let go from my 2-month old position at UCSD as a database/website developer, and I'm gearing up to begin applying for new jobs as soon as I wrap up some administrative loose ends. While both my direct boss and our mutual supervising professor assured me there was nothing wrong with my abilities in pure programming, it turns out that a BS in CS from Caltech is very little preparation for dealing with less theoretical tasks like web development, graphical design, project management, testing and development frameworks and methodologies, and so on. How should I go about learning how to work with these things?

[Mar 16, 2012 20:50]

Zilla32167 posted:
I just got let go from my 2-month old position at UCSD as a database/website developer, and I'm gearing up to begin applying for new jobs as soon as I wrap up some administrative loose ends. While both my direct boss and our mutual supervising professor assured me there was nothing wrong with my abilities in pure programming, it turns out that a BS in CS from Caltech is very little preparation for dealing with less theoretical tasks like web development, graphical design, project management, testing and development frameworks and methodologies, and so on. How should I go about learning how to work with these things?

Sounds like that's a bullshit way of saying "you weren't a good enough programmer". All you can hope for when hiring a fresh grad is that they're not stupid and they can learn quickly. All of those things you listed (except graphic designer, what the gently caress?) are skills you pick up by working in the field.

[Mar 16, 2012 20:53]

hieronymus posted:
The best way is to get a job in a big company where incompetence is tolerated and survive for a year or two despite being thoroughly unqualified.

Looks like I am doing at least one thing right then.

[Mar 16, 2012 20:53]

HondaCivet posted:
Tl,dr: looking for advice on how to go from "can sort of stumble through coding a thing" to getting on the path to being a good developer.

You get better at programming by programming. Contribute to an open source project, or start your own.

[Mar 16, 2012 20:54]

Ithaqua posted:
Sounds like that's a bullshit way of saying "you weren't a good enough programmer". All you can hope for when hiring a fresh grad is that they're not stupid and they can learn quickly. All of those things you listed (except graphic designer, what the gently caress?) are skills you pick up by working in the field.

To quote the exit interview, they were hoping I would have already started on coming up with and working on independent projects and acting as an equal coworker with my boss, and they needed someone who could teach all of the undergraduates they were going to bring on this summer. Turns out the parts of the job requirements they had assured me were irrelevant (Adobe suite experience and so on) were important after all. So it's more like programming was the only thing I was good enough with.

[Mar 16, 2012 21:05]

Ithaqua posted:
You get better at programming by programming. Contribute to an open source project, or start your own.

Any advice on choosing one? There are so many and they are all over the place. Should I just go with one that looks interesting or is that not enough?

Also, how do you guys feel about (typically older) devs that whine about new software folks that learned on Java and didn't learn C, go through SICP during school, etc.? Are they just bitching or would you recommend learning more non-practical stuff like that?

[Mar 16, 2012 21:13]

quote:
Also, how do you guys feel about (typically older) devs that whine about new software folks that learned on Java and didn't learn C, go through SICP during school, etc.? Are they just bitching or would you recommend learning more non-practical stuff like that?

C is a good language to learn on because it introduces you to concepts like pointers and memory management that tend to be used in other languages but can be obfuscated. I'm also not a fan of people learning in Java because it overemphasizes OO design. That said, it's not that important as long as you understand the language you're writing in. C isn't generally necessary unless you're doing hardware level stuff or performance critical stuff like 3d games.

[Mar 16, 2012 21:26]

HondaCivet posted:
Any advice on choosing one? There are so many and they are all over the place. Should I just go with one that looks interesting or is that not enough?

Go to github or sourceforge or codeplex and look around until you see something that interests you and is in your language of choice. Play with it. Be aware that open source projects could be maintained by idiots who are doing everything wrong, but you'll still learn, even if it's by being given examples of how to do something in a lovely, bad way.

I've worked with a few older guys (in their 40s, or even 50s and beyond), and here's the pattern I saw: the guys who complained about newer languages and programming methodologies sucked rear end at programming. It honestly doesn't matter what language you learned on, as long as you treat each new language you learn as a different beast with different ways of tackling problems. Also, I had to google "SICP" to even know what it was.

Complaining, of course, is very different than the "back in my days we had to write our code in 1s and 0s, and sometimes we ran out of 0s and had to use cheeri-os instead!" anecdotes, which can be fun and enlightening.

[Mar 16, 2012 23:23]

dancavallaro posted:
This is still wrong, because you're still putting the user's password hash in the cookie to be used for auth. This is really no better than putting the plaintext password in the cookie -- if I am able to intercept a user's hash from their cookie, sure, I can't use it to log in using the login form, but I can just as easily use it to get a session as that user by sticking it in the cookie. Intercepting usernames and password hashes from your users' cookies is trivial if your site has any XSS vulnerabilities, which is another reason you should be using a good framework which will make output escaping trivially easy.

Ah well, oh well, I decided to scrap it because it's a little more complex than I originally thought. On a good note, I have started using the CodeIgniter framework per some advice in this thread, and it's pretty nice so far. I haven't had to worry about programming every little detail (although it's a pretty small website) so it's been running pretty smoothly. Here's my first project (which is still a work in progress) using CodeIgniter: http://d3spreadsheet.net/

Once I'm finished styling the site I'll be adding this to my portfolio. I also restructured my resume per the advice in the thread, and got rid of some fluff (advanced loops, etc.). I sent the new resume to DustingDuvet above for a critique, so perhaps with his advice I can land an entry level job somewhere in the field. Thanks again Goons, your knowledge has definitely given me some insight.

P.S.: One quick question: when you submit your portfolio do you do this in your cover letter, or do you leave a link in your resume?

[Mar 17, 2012 02:49]

HondaCivet posted:
Any advice on choosing one? There are so many and they are all over the place. Should I just go with one that looks interesting or is that not enough?

Maintainers for FOSS projects often don't have enough time to fix bugs, so if you go on the bug tracker and see something you think you can fix, get the source code, go digging, make a fix, test it and offer a patch, then that's valuable experience, applicable to pretty much any project; you will have improved the project and you will most often get your name on a list of contributors, so if you get asked for experience you can point to the project. I would recommend against trying to fix bugs in too big or old a project as your first, even though they are usually the ones most in need of patches, because they often have dreadful codebases and unhelpful maintainers.

If you want a specific project recommendation: I work with one of the XFCE maintainers; he hasn't had much time to do much with it, so there is pretty much just one active developer right now.

[Mar 17, 2012 10:53]

I just had a double session of phone screening with a software company, and they asked me a question that stumped me: "find the last 500 digits of 3^12345678" I knew that the solution had something to do with modding the exponent, but I couldn't really reason through it under pressure, and my interviewer did not offer much help, even after I admitted I wasn't familiar with the math. Is this kind of math needed for software dev? I could answer all the other coding questions (mergesort, recursion, etc.) without too much trouble. Keep in mind these were my first real interviews since I started college (I'm a freshman), so my perception of the field may be skewed.

[Mar 17, 2012 20:41]

theratking posted:
Is this kind of math needed for software dev?

It depends. In general, no. In some fields, yes. If they aren't in a field where they need that kind of math and they're asking you that kind of question, it's just wanky bullshit. I wouldn't be able to answer it without looking it up. I wouldn't even be able to tell you how to start solving it.

[Mar 17, 2012 20:52]
theratking posted:
Is this kind of math needed for software dev? I could answer all the other coding questions (mergesort, recursion, etc.) without too much trouble.

Sometimes it's needed (but only if you do something stupid like writing your own cryptography). There are two parts to that question: recognizing that you can chop off intermediate results at 500 digits, and recognizing the potential need for a divide-and-conquer exponentiation algorithm. More precisely, if somebody says something about a divide and conquer exponentiation algorithm they can ask what the overall performance is and then ask if that can be improved. Doesn't sound like a wank question to me.

Edit: Really, being familiar with the behavior and possibility of truncated multiplication is something computer science students should know, considering that's what CPUs do. So you should have all the knowledge needed to solve this problem.

(edited 22:11 on Mar 17, 2012)

[Mar 17, 2012 22:05]
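The two parts shrughes identifies, truncating intermediate results to 500 digits and using a divide-and-conquer exponentiation, worked through in Python as an added example (not the interviewer's or shrughes's solution). Keeping only the last 500 digits is reduction mod 10^500, and square-and-multiply consumes the exponent one bit at a time; the function also counts modular multiplications so the O(log e) versus O(e) difference is visible. Function names are constructed:

```python
def last_digits(base: int, exponent: int, digits: int):
    """Return (base**exponent mod 10**digits, number of modular multiplications).
    Left-to-right square-and-multiply: every product is reduced mod 10**digits
    at once, so values never grow past `digits` digits, and the exponent is
    consumed one bit at a time instead of one unit at a time."""
    modulus = 10 ** digits
    if exponent == 0:
        return 1 % modulus, 0
    result = base % modulus
    mults = 0
    for bit in bin(exponent)[3:]:            # bits after the leading 1
        result = result * result % modulus   # square for every bit
        mults += 1
        if bit == "1":
            result = result * base % modulus # multiply only for set bits
            mults += 1
    return result, mults


def naive_last_digits(base: int, exponent: int, digits: int) -> int:
    """The one-at-a-time loop: still correct when every product is truncated,
    but it needs `exponent` multiplications (about 12.3 million for the
    interview case) instead of a few dozen."""
    modulus = 10 ** digits
    result = 1 % modulus
    for _ in range(exponent):
        result = result * base % modulus
    return result


def interview_answer() -> str:
    """The last 500 digits of 3**12345678 as a 500-character string; zero
    padding matters, since 'digits' includes any leading zeros."""
    value, _ = last_digits(3, 12345678, 500)
    return f"{value:0500d}"


if __name__ == "__main__":
    value, mults = last_digits(3, 12345678, 500)
    print(mults, "modular multiplications")
    print(interview_answer())
```

For 3^12345678 the square-and-multiply path performs 34 modular multiplications on numbers that never exceed 500 digits, against 12345678 for the one-at-a-time loop; Python's built-in pow(3, 12345678, 10**500) does the same thing and is the natural cross-check.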