|
Sounds like it's treating those IV values as characters. Is Base64 decoding to UTF-8 or something?
|
# ? Aug 5, 2012 03:09 |
|
shrughes posted:It seems you get corruption on the Ruby side when the IV has characters 128 or higher. And it corresponds exactly to the position of the character.

Whenever I see a problem involving 128, I start looking around everywhere I see ascii encoding if it involves encryption.
|
# ? Aug 5, 2012 03:14 |
|
Thanks for taking a look, it's comforting at least to know I'm probably not doing anything wildly incorrect. It's not really vital that I get this example working, I'm really more interested in seeing if I could get the general flow working. I have two follow up questions if you don't mind; Assuming I added some form of message authentication, would this be a reasonably secure method of passing a message? If I were to read a book on the subject, would you recommend Schneier's Applied Cryptography (which I understand used to be the gold standard but was last updated in 96), Handbook of Applied Cryptography, or something else?
|
# ? Aug 6, 2012 04:01 |
|
Lamont Cranston posted:If I were to read a book on the subject, would you recommend Schneier's Applied Cryptography (which I understand used to be the gold standard but was last updated in 96), Handbook of Applied Cryptography, or something else?

I think the first book you should read on the subject is Cryptography Engineering. It's a pleasant read, one of the few technical books I could make it through easily. The reason Applied Cryptography is so looked down upon is that it doesn't focus on avoiding mistakes -- it says "Hey, here's all this neat stuff you can do, have fun," and then people who read the book end up making broken cryptographic applications. So much for the crypto-anarchist utopia.
|
# ? Aug 6, 2012 04:12 |
|
Lamont Cranston posted:Assuming I added some form of message authentication, would this be a reasonably secure method of passing a message?

No, not even close. After 30 seconds of thought: aside from your complete lack of a MAC, your hash-of-DH-secret doesn't seem to be a particularly justified amplification of your key material. You have essentially no protection against replays or MITM. You haven't specified any kind of framing outside of CBC's very trivial padding. You aren't doing anything other than printing your messages to terminal, but you still manage to do so insecurely in that you are not catching and handling padding errors in the CBC stream. Oh, and you're allowing terminal escapes to go to the console without escaping, which is a potential mechanism for remote code execution, although it involves some luck on the part of the attacker with regard to your choice of terminal emulator.

Please don't design your own cryptographic protocols with any expectation whatsoever of security. It's extremely hard to create secure protocols even with years of experience, and beyond foolhardy to do so by yourself without that experience and without input from multiple professional cryptographers. It's fine to play with the cryptographic primitives as a toy, but if you want actual security, you should almost certainly be using either TLS or OpenPGP.

Lamont Cranston posted:If I were to read a book on the subject, would you recommend Schneier's Applied Cryptography (which I understand used to be the gold standard but was last updated in 96), Handbook of Applied Cryptography, or something else?

Applied is a fine book for understanding the primitives. There is no book that will teach you secure protocol design; Ferguson/Schneier's Engineering as shrughes mentioned is probably a good introduction to the mindset, (I've seen it used as a classroom text) but personally I suggest trying a local university to get in touch with some professional cryptographers, and spending a few years immersing yourself in the community. Until you can take apart TLS and OpenPGP, you shouldn't expect to be able to build something that's secure. Even after that point, no-one with any experience in the field works alone, and you typically need a very good reason to avoid the well-studied common protocols. There are a lot of ways you can screw up cryptographic protocol design.
|
# ? Aug 6, 2012 04:38 |
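Added example, not code from the thread or from the program being discussed: a Ruby sketch of three receiver-side points raised above, namely IV bytes at 128 or higher corrupting the same plaintext positions under CBC, a MAC over IV and ciphertext checked before decryption, and padding errors handled uniformly with terminal escapes rendered inert. The keys, IV, message and all function names are constructed for illustration; `through_ascii` only simulates a lossy text conversion (the actual cause in the original code is not shown on the page), and replay, MITM and key derivation are not addressed here.

```ruby
require 'openssl'

# Constructed sample values (not from the thread).
ENC_KEY = ['00112233445566778899aabbccddeeff'].pack('H*')
MAC_KEY = ['ffeeddccbbaa99887766554433221100'].pack('H*')
IV      = ['0a417f8010ff2233c4550607e8090a7e'].pack('H*') # bytes 3, 5, 8, 12 are >= 0x80
MESSAGE = "status: \e[31mALERT\e[0m sent by the peer over the channel"

# AES-128-CBC in one call; mode is :encrypt or :decrypt.
def aes_cbc(mode, key, iv, data)
  c = OpenSSL::Cipher.new('aes-128-cbc')
  mode == :encrypt ? c.encrypt : c.decrypt
  c.key = key
  c.iv = iv
  c.update(data) + c.final
end

# Simulated lossy text handling: every byte >= 0x80 becomes '?'.
def through_ascii(raw)
  raw.bytes.map { |b| b < 0x80 ? b : 0x3f }.pack('C*')
end

# Plaintext offsets that change when the receiver decrypts with received_iv.
# CBC XORs the IV into the first block only, so damage mirrors the IV damage.
def corrupted_positions(key, sent_iv, received_iv, plaintext)
  ct  = aes_cbc(:encrypt, key, sent_iv, plaintext)
  got = aes_cbc(:decrypt, key, received_iv, ct)
  (0...plaintext.bytesize).select { |i| got.getbyte(i) != plaintext.getbyte(i) }
end

# Constant-time comparison of two byte strings.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Printable ASCII passes through; ESC, other control bytes, backslash and
# high bytes are shown as \xNN so nothing reaches the terminal as a command.
def terminal_safe(bytes)
  bytes.each_byte.map { |b| b.between?(0x20, 0x7e) && b != 0x5c ? b.chr : format('\\x%02x', b) }.join
end

# Sender: encrypt, then MAC the IV and ciphertext together.
def seal_message(enc_key, mac_key, iv, plaintext)
  ct = aes_cbc(:encrypt, enc_key, iv, plaintext)
  [ct, OpenSSL::HMAC.digest('SHA256', mac_key, iv + ct)]
end

# Receiver: check the tag before decrypting. Every failure (bad tag, bad
# padding, wrong lengths) returns nil, so the sender learns nothing from it.
def open_message(enc_key, mac_key, iv, ct, tag)
  expected = OpenSSL::HMAC.digest('SHA256', mac_key, iv + ct)
  return nil unless secure_equal?(expected, tag)
  terminal_safe(aes_cbc(:decrypt, enc_key, iv, ct))
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end

ct, tag = seal_message(ENC_KEY, MAC_KEY, IV, MESSAGE)
p corrupted_positions(ENC_KEY, IV, through_ascii(IV), MESSAGE) # offsets of the high IV bytes
p open_message(ENC_KEY, MAC_KEY, through_ascii(IV), ct, tag)   # mangled IV is rejected
puts open_message(ENC_KEY, MAC_KEY, IV, ct, tag)               # escapes shown as text
```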
|
Cool, thanks, I appreciate the insight! edit: And yeah, I definitely know I don't want to be designing my own cryptographic anything, which is why I was trying to stick with standard library functions; that's just my misunderstanding of primitives vs protocols (and all the more reason I should stay away until I know more). I have no interest whatsoever in designing my own protocol and if PGP will do what I want (it looks like it will) then that's probably all I need. Thanks again for the help. Lamont Cranston fucked around with this message at 05:38 on Aug 6, 2012 |
# ? Aug 6, 2012 05:02 |
|
This is more on the social side of things, but how should I pay taxes on earnings from selling my programs on a website/selling stuff for a webapp? I live in California.
|
# ? Aug 6, 2012 05:09 |
|
Lamont Cranston posted:edit: And yeah, I definitely know I don't want to be designing my own cryptographic anything, which is why I was trying to stick with standard library functions; that's just my misunderstanding of primitives vs protocols (and all the more reason I should stay away until I know more). Thanks again for the help.

Standard library functions for crypto are essentially: ssl for data on the move, gpg for data at rest. The moment you start combining ciphers is the point where you're building a cryptographic system. Alarm bells should be going off.

If You're Typing The Letters A-E-S Into Your Code, You're Doing It Wrong

Lamont Cranston posted:Assuming I added some form of message authentication, would this be a reasonably secure method of passing a message?

Depends on your threat model. Security is a relative term. You need to enumerate the attacks you expect upon the system, before you can evaluate the system's strength. Security without a threat model is one of the biggest warning signs, next to "military grade encryption", that the system is bunk.

quote:If I were to read a book on the subject, would you recommend Schneier's Applied Cryptography (which I understand used to be the gold standard but was last updated in 96), Handbook of Applied Cryptography, or something else?

Applied cryptography, is at best, a reference book for the state of cryptography more than a decade ago. Back then, you couldn't export code, but books were fine. Since then, the obstacles to sharing cryptography research have lessened, and there is a plethora of better material available.

shrughes posted:I think the first book you should read on the subject is Cryptography Engineering. It's a pleasant read, one of the few technical books I could make it through easily.

Additionally, "Security Engineering" by Ross Anderson is a good introduction to the field and mindset of security.

People will say "Don't Write Your Own Crypto". They are right. Security is hard. However, that isn't to say that you can't understand it, or understand the various tradeoffs made with different protocols or systems. The key to understanding the effectiveness of a system is through the threat model. Security without a threat model is at best, akin to being blindfolded, but more normally a sign of snake-oil. If you read anything, What's Your Threat Model is *highly* recommended.
|
# ? Aug 6, 2012 05:36 |
|
tef posted:People will say "Don't Write Your Own Crypto". They are right. Security is hard. However, that isn't to say that you can't understand it, or understand the various tradeoffs made with different protocols or systems. The key to understanding the effectiveness of a system is through the threat model. Yeah, this is essentially what I'd like, to improve my understanding in this sort of area. This has been very helpful, thanks!
|
# ? Aug 6, 2012 05:53 |
|
Sinestro posted:This is more on the social side of things, but how should I pay taxes on earnings from selling my programs on a website/selling stuff for a webapp? I live in California. You want BFC's US Income Tax Questions Megathread Part 2
|
# ? Aug 6, 2012 17:49 |
|
So I've been toying around with some Imaging library that gives some relatively complex image / TWAIN manipulation features to .NET. I went to go implement the ability to rotate something after they scan it in to the form, and I thought this was curious. The "RotateCommand" class has an Angle property, which is an integer and is measured as a hundredth of a degree so instead of passing it 30 you pass it 3000... What's the point in doing that instead of just having a decimal value?
|
# ? Aug 6, 2012 21:51 |
|
Because decimals can be given in precisions other than hundredths of a degree. If they let the caller use a decimal, what would the rounding semantics be? When they specify it in an integer, there's no confusion. Plus floating-point numbers can wind up rounded due to the way they are stored, while integers aren't.
|
# ? Aug 6, 2012 22:05 |
|
Twain defines a fixed-point decimal TW_FIX32 but yeah, they probably wanted to limit the fraction to 2 decimal digits. Actually ICAP_ROTATION uses TW_FIX32 so you have a weird API or something.
|
# ? Aug 7, 2012 00:01 |
|
I am an idiot trying to teach myself programming. I've started with Python and I figured it would not be a terrible idea to try to code different sorting algorithms from scratch. I've already wrestled with and failed at quicksort and have since updated it with a sane algorithm from a "quicksort python" google search.

My next effort was heapsort. I looked up binary trees on wikipedia and I now have a basic idea of how they work and how to encode them in an array, but that's as far as I have got. http://pastebin.com/yJ2R6e6M

The idea is that you add an element to the end of the array, and then go backwards through the array, making sure that each node's parent satisfies the min-heap property. My heapsort kind of works, but it doesn't, because it takes loving years for it to sort any array more than a few thousand elements long. This probably belongs in the coding horrors thread, but if you could point out where I've hosed up in my buildheap function I'd be much obliged.
|
# ? Aug 7, 2012 16:40 |
|
There are a lot of problems. Let's start with verifyparent. That function should not be recursive. You have a loop and then in the middle of the loop you call the function recursively. Something is wrong there. Implement that function without using recursion. Just use a loop.
|
# ? Aug 7, 2012 16:58 |
|
Clugg posted:This probably belongs in the coding horrors thread, but if you could point out where I've hosed up in my buildheap function I'd be much obliged.

You've essentially made an O(n^2 log n) algorithm that is sort of tangential to a heapsort. Redo this with the pseudocode from http://en.wikipedia.org/wiki/Heapsort
|
# ? Aug 7, 2012 17:11 |
|
You may want to consider starting with a simpler sorting algorithm like insertion sort, selection sort, or bubblesort. (Selection sort and bubblesort aren't really ever used for anything in the real world but your stated goal is "learning to program.") Quicksort is conceptually simple but implementing it isn't if you're a novice, and heapsort is conceptually simple but heaps aren't.
|
# ? Aug 7, 2012 20:49 |
|
shrughes posted:There are a lot of problems. Let's start with verifyparent. That function should not be recursive. You have a loop and then in the middle of the loop you call the function recursively. Something is wrong there. Implement that function without using recursion. Just use a loop.

Thanks for that, I'll cut out the recursion and see what happens.

baquerd posted:You've essentially made an O(n^2 log n) algorithm that is sort of tangential to a heapsort. Redo this with the pseudocode from http://en.wikipedia.org/wiki/Heapsort

Yep I checked out the wiki earlier, I'll go through the pseudocode to rewrite it if I get no luck with this next step. The first thing I looked at was what a heap was and when I got that down I just dived in. It's funny that the time complexity for mine is so bad.

GrumpyDoctor posted:You may want to consider starting with a simpler sorting algorithm like insertion sort, selection sort, or bubblesort. (Selection sort and bubblesort aren't really ever used for anything in the real world but your stated goal is "learning to program.") Quicksort is conceptually simple but implementing it isn't if you're a novice, and heapsort is conceptually simple but heaps aren't.

Yep, I managed to get quicksort down after more than a few attempts at the partition function. I've done bubblesort, and the others are on the list. My aim is to write all of the common algorithms from scratch, just to get me used to writing efficient algorithms. As I have found, some are much more difficult than others.
|
# ? Aug 8, 2012 03:30 |
|
I've been loving about with a toy language, and I am trying to make babby's first garbage collector. How horrible is this? Python code:
Sinestro fucked around with this message at 16:26 on Aug 8, 2012 |
# ? Aug 8, 2012 06:17 |
I think you have a problem with how walk_and_destroy empties seen, and recurses mutually with dereference. It's just a hunch and I'm not fully awake right now, but I think you're losing your "known objects" set too often. It might work if you store a copy of seen on the stack somewhere.
|
|
# ? Aug 8, 2012 08:00 |
|
Edit: quote != edit.
|
# ? Aug 8, 2012 16:18 |
|
Edit: Holy poo poo I am seriously mentally retarded. Two q!=e accidents in a row.
|
# ? Aug 8, 2012 16:22 |
|
Is it possible to pick apart an animated gif, and make it do a whole lot more than just linearly playing the frames and looping, and expect it to run on different browsers? For instance, play random frames or running a program to paint white pixels on a black background in random places.
|
# ? Aug 8, 2012 21:30 |
|
LP0 ON FIRE posted:Is it possible to pick apart an animated gif, and make it do a whole lot more than just linearly playing the frames and looping, and expect it to run on different browsers? For instance, play random frames or running a program to paint white pixels on a black background in random places.

Animated GIFs don't "run", they're just a linear sequence of frames that the browser displays in order. If you want something more complicated, you basically have two options:
- do it locally, record the results as an animated GIF, and display that. Note that if you want it to be different each time (as "random" implies), this won't cut it.
- do it at runtime using actual code - Javascript to swap frames around, or WebGL, or HTML5, or (please don't do this) Flash or a Java applet.
|
# ? Aug 8, 2012 21:51 |
|
That's right, the browser is the thing that does all the stuff with the file. I've made php files that behave exactly like PNG's, and you can do exactly the same for GIFs. So I guess I could make something on the fly every time an image loads, but the image would have to always come from that server. I just thought it would be cool to have something like an avatar do a little bit more, and surprised no one has tried it, so I guess it's downright impossible. Could have sworn a long time ago someone put audio into a gif, not that I would want to do that!
|
# ? Aug 8, 2012 22:41 |
|
Most media player software has to be very forgiving about finding garbage at the head or tail of an audio file because the tagging system is an unholy loving mess, so I wouldn't be surprised if you could literally append an MP3 to the end of a valid GIF and have them both work depending on which software you opened it with.
|
# ? Aug 8, 2012 22:46 |
|
LP0 ON FIRE posted:That's right, the browser is the thing that does all the stuff with the file. I've made php files that behave exactly like PNG's, and you can do exactly the same for GIFs. So I guess I could make something on the fly every time an image loads, but the image would have to always come from that server. I just thought it would be cool to have something like an avatar do a little bit more, and surprised no one has tried it, so I guess it's downright impossible. Could have sworn a long time ago someone put audio into a gif, not that I would want to do that! That's doable by concatenating an image and an mp3, although it may require certain image formats.
|
# ? Aug 8, 2012 22:46 |
|
Munkeymon posted:Most media player software has to be very forgiving about finding garbage at the head or tail of an audio file because the tagging system is an unholy loving mess, so I wouldn't be surprised if you could literally append an MP3 to the end of a valid GIF and have them both work depending on which software you opened it with. VLC actually can "play" .jpg files.
|
# ? Aug 9, 2012 00:36 |
|
super_chair posted:VLC actually can "play" .jpg files. We call it pegcore around these parts buddy.
|
# ? Aug 9, 2012 02:18 |
|
I've got several XML files with the same schema and structure; they each look something like this (with the same indentation, thank god): XML code:
XML code:
XML code:
edit: oh cool, somebody already made a tool to do this. yay google http://www2.informatik.hu-berlin.de/~obecker/XSLT/#merge edit: holy the XSLT sieve of Eratosthenes is amazing and well worth a click: http://www2.informatik.hu-berlin.de/~obecker/XSLT/eratosthenes.xslt.html edit: i know how I'm spending the rest of my night, finding the most insane abuses of xslt: http://www.unidex.com/turing/utm.htm Deus Rex fucked around with this message at 05:43 on Aug 11, 2012 |
# ? Aug 11, 2012 05:37 |
|
Short question about monitors. Since only one process is allowed in a monitor at a given moment, what happens when one of them calls wait()? Do they stop the procedure and jump out of the monitor or is it a special case where another process gets a go? code:
|
# ? Aug 11, 2012 13:56 |
Boz0r posted:Short question about monitors. Since only one process is allowed in a monitor at a given moment, what happens when one of them calls wait()? Do they stop the procedure and jump out of the monitor or is it a special case where another process gets a go?

When you wait on a condition inside a critical section, your ownership of the critical section is released and you are put to sleep until the condition is signalled. When you are about to be woken up again, ownership of the critical section is given back to you and then you get to run again. This means that execution pauses at the wait operation and continues with the same local state, but most likely with a different global state.

Since you leave the critical section during waiting, you must make sure the invariant on the resource you are protecting is valid at the point where you start waiting, and similarly you must make sure that the invariant is valid when you signal a condition. (If you waited without having the invariant satisfied, you would leave someone else to find the resource in an inconsistent state.)

As a side note, the example you posted is a bit confusing to me with the naming used. I would have preferred if the "empty" and "full" conditions were named "noLongerEmpty" and "noLongerFull". (Since those are the conditions they get signalled on: When you wait for the "empty" condition you are not waiting for the resource to be empty, you are waiting for it to become non-empty.)
|
|
# ? Aug 11, 2012 14:18 |
|
Thanks, that cleared it right up. Can you give me an example of a resource being left in an inconsistent state?
|
# ? Aug 11, 2012 14:28 |
Boz0r posted:Thanks, that cleared it right up. Say you take a handle to an open file, write half a record, discover you need some additional data to complete the writing, wait for the data thus releasing the file handle in the middle of writing a record. If anyone else takes the file handle during that time, they will write data that isn't a continuation of your incomplete record and the file will then contain invalid data.
|
|
# ? Aug 11, 2012 14:56 |
|
nielsm posted:Since you leave the critical section during waiting, you must make sure the invariant on the resource you are protecting is valid at the point where you start waiting, and similarly you must make sure that the invariant is valid when you signal a condition. (If you waited without having the invariant satisfied, you would leave someone else to find the resource in an inconsistent state.) Slight adjustment: AFAIK, all monitor implementations these days use Mesa/non-blocking semantics, in which signal/notify cannot block and does not give up the lock. Therefore you do not need to have the invariant satisfied at that point, just at the point when the signaling thread does leave the monitor.
|
# ? Aug 11, 2012 21:45 |
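Added example, not the snippet Boz0r posted and not code from anyone in the thread: a Ruby bounded buffer built as a monitor, showing that `wait` releases the lock while asleep, that the condition is re-tested in a loop under Mesa semantics, and that `signal` keeps the lock until the critical section exits. The class, method and variable names (including `run_demo` and the `:done` sentinel) are assumptions made for this illustration; the condition names follow the "noLongerEmpty"/"noLongerFull" suggestion above.

```ruby
# Bounded buffer as a monitor: one lock plus two condition variables,
# each named for the event it announces.
class BoundedBuffer
  attr_reader :max_seen

  def initialize(capacity)
    @capacity = capacity
    @items = []
    @max_seen = 0 # largest size ever observed; must never exceed capacity
    @lock = Mutex.new
    @no_longer_empty = ConditionVariable.new
    @no_longer_full  = ConditionVariable.new
  end

  def put(item)
    @lock.synchronize do
      # wait releases @lock while asleep and re-acquires it before returning.
      # Mesa semantics: other threads may have run in between, so re-test.
      @no_longer_full.wait(@lock) while @items.size >= @capacity
      @items << item
      @max_seen = [@max_seen, @items.size].max
      # signal does not give up the lock; the invariant (size <= capacity)
      # has to hold by the time this block exits.
      @no_longer_empty.signal
    end
  end

  def take
    @lock.synchronize do
      @no_longer_empty.wait(@lock) while @items.empty?
      item = @items.shift
      @no_longer_full.signal
      item
    end
  end
end

# One producer, several consumers. Returns [sorted items received, peak size].
def run_demo(capacity:, count:, consumers:)
  buf = BoundedBuffer.new(capacity)
  out = Queue.new
  workers = Array.new(consumers) do
    Thread.new do
      while (item = buf.take) != :done
        out << item
      end
    end
  end
  count.times { |i| buf.put(i) }
  consumers.times { buf.put(:done) } # one stop marker per consumer
  workers.each(&:join)
  [Array.new(out.size) { out.pop }.sort, buf.max_seen]
end

items, peak = run_demo(capacity: 2, count: 200, consumers: 3)
puts "received #{items.size} items, peak buffer size #{peak}"
```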
|
I am trying to grasp the more complex concepts of programming so I can increase my skill set for my job. Plus it's something I want to learn because I enjoy it. So here is my question and forgive me if asking it makes me appear to be a total Philistine. I am having trouble understanding the concept of types. I am not sure if types are exclusive to the C family (which is what I am trying to learn) so I figure that this is the best place for my question given that it touches on so many programming concepts. I am looking on the MSDN Library and Google to try and figure out what exactly types do. From what I can gather they hold class definitions and handle memory calls by labeling code. Am I correct in this? A lot of the stuff I am reading is geared towards experienced programmers and it isn't written very clearly.
|
# ? Aug 11, 2012 23:50 |
|
edit: nevermind I've got a VBA question that no one can seem to answer, can anyone take a shot at it? I'm trying to loop through a specified number of cells in an Excel sheet (defined by width and height), but I'm running into problems here. It keeps stalling on me, and then gets upset about : code:
Can anyone tell me where I'm going wrong with my code: code:
Neat Machine fucked around with this message at 00:37 on Aug 12, 2012 |
# ? Aug 11, 2012 23:56 |
friendbot2000 posted:I am having trouble understanding the concept of types. Data types is one of the most basic aspects of programming and is a central concept in pretty much any high-level language. http://en.wikipedia.org/wiki/Data_type
|
|
# ? Aug 11, 2012 23:56 |
|
Types are how you interpret a piece of data. Is it a string? An integer? A pointer? A combination of those pieces of data? C doesn't give you any clue as to what the data could be, so you have to tell it. Each language has its own type system, and there are lots of categories of type systems. A lot of modern languages have type-tagged data, which means that the data is tagged with the type that it should be interpreted as. C/C++ does not have type-tagged data. The interaction of type systems and class definitions is different in every language. Classes don't exist in C, so we'll ignore it. In C++, which doesn't have type-tagged data, a class is a glorified struct. In some other languages, there's a distinction between built-in primitives, and classes, and instances of classes act differently from primitives. I don't understand what "handling method calls by labeling code" is supposed to mean.
|
# ? Aug 12, 2012 00:21 |
|
friendbot2000 posted:I am having trouble understanding the concept of types. In brief, variables are containers for values. Some variables only allow certain values to be stored; these limitations are described by types. For example, you might have a variable which can only hold values of type "integer", such as 3 and -77, but cannot hold values of type "string" or "I/O handle". Different languages have different levels of expressivity in their type systems. In an untyped language, every variable can hold any value. In C, the types available are mostly related to the hardware; there are types for each of the various sizes and styles of number that the CPU understands, and types for indirect access into memory, and such. In some languages, you can make types that are extremely descriptive, like "only prime numbers" or "a list with an odd number of elements, which are monotonically increasing, none of which are larger than the current time expressed in seconds since jan 1 1970". Types are a way for the compiler to know how to compile your code (in many languages, for example, adding two values together means one thing when they are numbers, and something completely different if they are strings). They are also a way for people reading your code to know what it does, serving as a form of documentation.
|
# ? Aug 12, 2012 00:27 |