|
rotor posted:java is fine, i dont get the hate.
|
# ? Oct 25, 2012 20:06 |
|
I'm about to go full shaggar and dive into some java, but in a context that I'm sure he would hate. I'm downloading eclipse because: me: 'okay the $php_web_framework is done' boss: 'well uh I don't have anything else for you to do until the alpha test, but we're gonna need someone to maintain our android app eventually so uh, start learning android I guess?'
|
# ? Oct 25, 2012 20:13 |
|
MononcQc posted: The paper blames the lib for being a badly designed POS that causes these errors.
The big problem according to the paper is Apache HttpClient
quote: The most widely used version of Apache HttpClient is 3.1, released in 2007. This library, as well as its earlier versions,
Which is then included in a bunch of middleware apps like Apache Axis, Axis 2, Codehaus XFire which in turn are used by important APIs like: Amazon EC2 API Tools, Amazon Flexible Payments Service, PayPal Payments Pro (Direct Payment), PayPal Transactional Information, PayPal Mass Pay, as well as Apache ActiveMQ. It seems that there isn't any way for those APIs to even provide their own validation, even if they wanted to.
|
# ? Oct 25, 2012 20:14 |
|
WHOIS John Galt posted: i'm probably going to start working in java soon. it's the absolute worst but at this point i don't see how it could be worse than anything else
java is just fine. sounds like the hater... is u
|
# ? Oct 25, 2012 20:19 |
|
java isnt great and it isnt terrible it kind of just is.
|
# ? Oct 25, 2012 20:33 |
|
Everyone should just get their own private key assigned at birth and use it for all secure transactions by simple encryption. It can be securely stored by tattooing it on the inside of the eyelid.
|
# ? Oct 25, 2012 20:45 |
|
Zombywuf posted: Everyone should just get their own private key assigned at birth and use it for all secure transactions by simple encryption. It can be securely stored by tattooing it on the inside of the eyelid.
or just burn it onto the retina so when you close your eyes really hard you can see it in purple for a sec
|
# ? Oct 25, 2012 20:47 |
|
MononcQc posted: The paper blames the lib for being a badly designed POS that causes these errors.
yeah i guess the default factory doesnt do hostname validation. thats kinda weird. you can create your own validating factory easily enough, but its kind of dumb that its not the default.
|
# ? Oct 25, 2012 20:52 |
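Added example, not part of any post in the thread and not code from Apache HttpClient or the paper: one way to build the "validating factory" mentioned above on plain JSSE (Java 7 or later), where a raw `SSLSocket` does no hostname check unless an endpoint identification algorithm is set. The class name `HostnameCheckingSocketFactory` and the choice to refuse address-only connects are assumptions of this sketch.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical class name; wraps any SSLSocketFactory so hostname checking cannot be skipped.
public final class HostnameCheckingSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;

    public HostnameCheckingSocketFactory(SSLSocketFactory delegate) {
        this.delegate = delegate;
    }

    // Convenience: wrap the JVM's default SSLSocketFactory.
    public static HostnameCheckingSocketFactory ofDefault() {
        return new HostnameCheckingSocketFactory((SSLSocketFactory) SSLSocketFactory.getDefault());
    }

    // The handshake is lazy, so parameters set here apply before any certificate is accepted.
    private static Socket requireHostnameMatch(Socket socket) {
        SSLSocket ssl = (SSLSocket) socket;
        SSLParameters params = ssl.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // match cert names to the host (Java 7+)
        ssl.setSSLParameters(params);
        return ssl;
    }

    @Override public Socket createSocket(String host, int port) throws IOException {
        return requireHostnameMatch(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
        return requireHostnameMatch(delegate.createSocket(host, port, local, localPort));
    }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return requireHostnameMatch(delegate.createSocket(s, host, port, autoClose));
    }
    // No host name means nothing to compare the certificate against, so refuse these overloads.
    @Override public Socket createSocket(InetAddress addr, int port) throws IOException {
        throw new IOException("connect by host name so the certificate can be checked");
    }
    @Override public Socket createSocket(InetAddress addr, int port, InetAddress local, int localPort) throws IOException {
        throw new IOException("connect by host name so the certificate can be checked");
    }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
}
```

With this in place a certificate that chains to a trusted CA but names a different host fails with an `SSLHandshakeException` on `startHandshake()` or the first read or write, instead of being accepted silently.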
|
WHOIS John Galt posted: still gonna script in python and experiment with go and clojure at home, gently caress the haters
keep that stuff at home where no one has to see it.
|
# ? Oct 25, 2012 20:54 |
|
Socracheese posted: I'm about to go full shaggar and dive into some java, but in a context that I'm sure he would hate. I'm downloading eclipse because:
remember that IntelliJ [CE] exists
fought eclipse the last time i did android. had a more pleasurable time with intellij.
|
# ? Oct 25, 2012 20:57 |
|
eclipse is fine. you've just gotta tweak the heap + perm gen space and turn off the autocomplete delay.
|
# ? Oct 25, 2012 20:59 |
|
Shaggar posted: keep that stuff at home where no one has to see it.
same, but your posts
|
# ? Oct 25, 2012 20:59 |
|
Shaggar posted: eclipse is fine. you've just gotta tweak the heap + perm gen space and turn off the autocomplete delay.
"eclipse is fine. you've just gotta configure a bunch of poo poo."
sounds a lot like linux
|
# ? Oct 25, 2012 20:59 |
|
Cocoa Crispies posted: "eclipse is fine. you've just gotta configure a bunch of poo poo."
Now you've done it
|
# ? Oct 25, 2012 21:03 |
|
the heap+perm gen are 2 lines in the config and if a developer doesnt understand those concepts they shouldnt be developing. the delay thing is in prefs and its dumb as hell that its set to 200ms by default, but w/e. theres probably some autist that gets mad when autocomplete is instant.
|
# ? Oct 25, 2012 21:04 |
|
rotor posted: java is fine, i dont get the hate.
I think it might already have that, but it's implemented in the standard library (java.lang.invoke.MethodHandle) and the incantation to construct one is really complicated and not type checked
otoh the resulting method handle can look just like e.g. a Runnable object and it seems to be much closer to metal than what it's pretending to be so this might not be exactly what you're looking for
|
# ? Oct 25, 2012 21:10 |
|
Shaggar posted: the heap+perm gen are 2 lines in the config and if a developer doesnt understand those concepts they shouldnt be developing.
this is literally the argument gentoo fans use
|
# ? Oct 25, 2012 21:10 |
|
Shaggar posted: the heap+perm gen are 2 lines in the config and if a developer doesnt understand those concepts they shouldnt be developing.
seriously you're a post about belarussian tractors and an avatar with medals representing probations short of being teapot
|
# ? Oct 25, 2012 21:17 |
|
i debug teapot style
|
# ? Oct 25, 2012 21:22 |
|
JawnV6 posted: i debug teapot style
heeey sexy buffer
*op op op debug teapot style*
|
# ? Oct 25, 2012 21:26 |
|
Cocoa Crispies posted: heeey sexy buffer
god drat it i was singing it too
|
# ? Oct 25, 2012 21:27 |
|
Cocoa Crispies posted:heeey sexy buffer
|
# ? Oct 25, 2012 21:36 |
|
Cocoa Crispies posted:heeey sexy buffer
|
# ? Oct 25, 2012 21:39 |
|
Cocoa Crispies posted: heeey sexy buffer
fuuuuuck
|
# ? Oct 25, 2012 22:49 |
|
Cocoa Crispies posted:heeey sexy buffer
|
# ? Oct 25, 2012 22:58 |
|
in my mind it's teapot and he's yelling at a copy of visual studio instead of a butt
|
# ? Oct 25, 2012 23:28 |
|
Tiny Bug Child posted: wrong and wrong. php's default settings are the correct behavior so you should leave them alone, unless you're dealing with someone who has a bad cert and doesn't really care about it, in which case you have no option but to disable validation
just to say
what is more likely - a man in the middle attack, or the end point loving up their certificates.
saying ssl settings must always be at the tinfoil level is a bit dumb, because the pain of cert management rarely does anything other than generate more work.
now for mobile devices, using shared networks, open wifi, that's a different thing to a bunch of scripts running behind a website.
security seems to be mostly about making things impractical for the developer and hoping it applies to the attacker too.
|
# ? Oct 25, 2012 23:29 |
|
rotor posted: in my mind it's teapot and he's yelling at a copy of visual studio instead of a butt
loooooooool
|
# ? Oct 25, 2012 23:29 |
|
tef posted: just to say
Pretty much, loving certificate expiration dates are dumb.
|
# ? Oct 25, 2012 23:36 |
|
Hard NOP Life posted: Pretty much, loving certificate expiration dates are dumb.
nope! they're there to say 'stop using this when someone can factor your keys'
|
# ? Oct 25, 2012 23:36 |
|
Yeah but you have no idea ahead of time how long in the future that will be. It's completely arbitrary right now. If anything it should be a function of the algorithm and key strength.
|
# ? Oct 25, 2012 23:45 |
|
Hard NOP Life posted: Yeah but you have no idea ahead of time how long in the future that will be. It's completely arbitrary right now.
so they're normally set for a year, because going from big breakthrough to somebody using it against you will probably take more than a year
|
# ? Oct 26, 2012 00:00 |
|
Socracheese posted: or just burn it onto the retina so when you close your eyes really hard you can see it in purple for a sec
I would genuinely not be surprised if something like this happens in the next few years, though it would probably be an implanted chip.
|
# ? Oct 26, 2012 02:47 |
|
VPN for my poo poo uses perpetual certs because managing these things is a nightmare and I just use them as little more than longass passwords anyway
yes i am totally going to ask people to make their router generate certs (it can't) and then send me a certificate signing request and then send them back a signed certificate
or i could be literally the gestapo and generate their private keys for them, thereby enabling me to read their traffic... on the vpn... that i control...
|
# ? Oct 26, 2012 11:23 |
|
tef posted: security seems to be mostly about making things impractical for the developer and hoping it applies to the attacker too.
That's mostly because security isn't really designed into languages/libraries/whatever but tacked on after the language has gotten some degree of popularity. CSRF protections should be built into the servlet container spec so that nobody ever has to worry about it again, but it's not. It should be really freaking difficult to execute a query that isn't precompiled rather than making using bind variables take the extra 3-4 steps. Why aren't the concepts of user, group, role, and function/method level security permissions built into every language? The last time I used Python (which was admittedly a while ago) it had 3 different command line parsing libraries and zero built in authentication and authorization libraries. Don't poo poo on security folks, poo poo on the language and library designers who make it harder to be secure than insecure.
|
# ? Oct 26, 2012 13:56 |
|
does .net framework handle security/sandboxing as well as it seems to from my idiot poo poo coder perspective?
|
# ? Oct 26, 2012 14:01 |
|
Cold on a Cob posted: does .net framework handle security/sandboxing as well as it seems to from my idiot poo poo coder perspective?
Dunno, I haven't worked much/any with .net. My heartless corporate overlords mandate the use of java.
|
# ? Oct 26, 2012 14:05 |
|
wins32767 posted: That's mostly because security isn't really designed into languages/libraries/whatever but tacked on after the language has gotten some degree of popularity. CSRF protections should be built into the servlet container spec so that nobody ever has to worry about it again, but it's not. It should be really freaking difficult to execute a query that isn't precompiled rather than making using bind variables take the extra 3-4 steps. Why aren't the concepts of user, group, role, and function/method level security permissions built into every language? The last time I used Python (which was admittedly a while ago) it had 3 different command line parsing libraries and zero built in authentication and authorization libraries.
if there's data to store, then there's gonna be a crypto debate on how it should be stored, then a debate on how or where it should be stored, and then it will have an ORM debate, and ...
|
# ? Oct 26, 2012 14:12 |
|
Cold on a Cob posted:does .net framework handle security/sandboxing as well as it seems to from my idiot poo poo coder perspective?
|
# ? Oct 26, 2012 14:18 |
|
MononcQc posted: if there's data to store, then there's gonna be a crypto debate on how it should be stored, then a debate on how or where it should be stored, and then it will have an ORM debate, and ...
That's equally true of pretty much any part of a standard library. Regardless, just like doing security remediation on an existing application, the existing languages are never going to get to where the security robustness and ease of use that something with security designed in from the start can have. If someone writes a language that has security as one of the core objectives a lot of the current gnarliness could get abstracted away. Just like today you occasionally need an expert who understands the layout of memory in the Java heap to solve some problems you'll need an expert on the underlying security architecture but your average code monkey would be able to be secure without having to understand all the different twists and turns.
|
# ? Oct 26, 2012 14:22 |