|
pram posted:What is the best database/store for something like visitor statistics such as ip, time, page, referer, etc Which environment/language/framework? If you are running java, you could use Derby (also known as javadb). Otherwise, basically whatever you are confortable with, including plain old flat files. Sqlite is not a bad option.
|
#
?
Aug 3, 2015 18:33
|
|
|
|
| # ? May 15, 2024 22:36 |
|
|
nielsm posted:I think these are the main purposes: Is this for a government agency? If so, you should really have someone who's an expert in FISMA and related regs handle the auditing and communication with the agency's security team. If not, you really shouldn't have the kind of onerous security requirements you're assuming you have.
|
|
#
?
Aug 3, 2015 18:51
|
|
|
Amberskin posted:Which environment/language/framework? If you are running java, you could use Derby (also known as javadb). Otherwise, basically whatever you are confortable with, including plain old flat files. Sqlite is not a bad option. Yeah totally. I was mostly just wondering if theres some Pro way, since it seems like collecting analytics data like this would be fairly common. I was hoping for some medium between a kv store and a relational db thats maybe embeddable. The problem with embeddable kv stores I've seen is you end up rolling all the query stuff yourself. Also using Postgres seems like overkill to me but maybe... it isnt? Whatever I'll just use sqlite
|
|
#
?
Aug 3, 2015 19:21
|
|
|
This is more of a computer accessory for programming question. I'm looking at getting a new keyboard, and I noticed some gaming keyboards have programmable keys. I was thinking that would be handy for making stuff like for loops into a one-button deal. Is that as handy as it sounds, or am I doing programming wrong? E: I mean, looking at best practice lists, I know I'm doing programming wrong, I just want to know if I'm doing this part of programming wrong.
|
|
#
?
Aug 3, 2015 23:54
|
|
|
22 Eargesplitten posted:This is more of a computer accessory for programming question. I'm looking at getting a new keyboard, and I noticed some gaming keyboards have programmable keys. I was thinking that would be handy for making stuff like for loops into a one-button deal. Is that as handy as it sounds, or am I doing programming wrong? What language are you working in? Nearly every popular one is going to have an IDE that mostly autocompletes basic structures like for loops for you.
|
|
#
?
Aug 4, 2015 00:07
|
|
|
LeftistMuslimObama posted:What language are you working in? Nearly every popular one is going to have an IDE that mostly autocompletes basic structures like for loops for you. Not only that, but does so with context, auto-filling the variables for you.
|
|
#
?
Aug 4, 2015 00:19
|
|
|
Java, mostly. Last year, it wasn't filling in when I was doing the game jam, but I could have just been missing it. So no use for it outside of games, then.
|
|
#
?
Aug 4, 2015 00:47
|
|
|
22 Eargesplitten posted:This is more of a computer accessory for programming question. I'm looking at getting a new keyboard, and I noticed some gaming keyboards have programmable keys. I was thinking that would be handy for making stuff like for loops into a one-button deal. Is that as handy as it sounds, or am I doing programming wrong? You don't need a keyboard with macro keys just to program some key combinations. Just map them with your text editor or IDE, or with auto hot key, or some like thing.
|
|
#
?
Aug 4, 2015 01:07
|
|
|
22 Eargesplitten posted:Java, mostly. Last year, it wasn't filling in when I was doing the game jam, but I could have just been missing it. So no use for it outside of games, then. What IDE do you use for Java? Eclipse and Netbeans should both do this stuff.
|
|
#
?
Aug 4, 2015 01:09
|
|
|
nielsm posted:I don't think there is any cryptography-related thread, but I have a problem that probably involves it and I'd like some advice/suggestions for stuff to read up on. Whether you encrypt on a per-user basis or not, here's the thing. Users can't see other users' information unless there's a bug in the system. There could be bugs in the system such that users can see other users' information. For example, while one user accesses information in the system, their password or keys are present in memory. A bug could let other users see that. Likewise, if a hacker gets access to the database, they'll still get a bunch of users' data, because some proportion of users' passwords are too weak. So I don't think per-user encryption is particularly safer, and it makes the entire system much more complicated, with more places for bugs to appear. It's something that makes sense when the user downloads the encrypted data, and decrypts it on their machine (such as with browser sync services, online backup services). In any case, you should not be thinking about block sizes at all. Hell, what about cipher chaining modes, authentication, and the like? No, you shouldn't be thinking about that stuff. If you do find yourself thinking about that stuff, go read Cryptography Engineering. You shouldn't be, though. There are libraries that worry about such stuff for you.
|
|
#
?
Aug 4, 2015 01:43
|
|
|
LeftistMuslimObama posted:What IDE do you use for Java? Eclipse and Netbeans should both do this stuff. I was using one of the two, I forget which, I had both installed. I probably just haven't dug into the features enough.
|
|
#
?
Aug 4, 2015 02:22
|
|
|
22 Eargesplitten posted:I was using one of the two, I forget which, I had both installed. I probably just haven't dug into the features enough. You should definitely go through some tutorial on whatever you're using, just so you get a feel for what it can actually do. You can use an IDE as a glorified text editor, but you'll be missing out on a ton of what it can do to make your life easier and less boring. You don't need to learn everything (and you won't), you can explore as you go later, when you think "there has to be a better way!" I mean it's worth handcrafting your code at first so you learn the language, but with Java especially there comes a point where you're not gaining anything by typing out boilerplate for the millionth time. Let the magic in
|
|
#
?
Aug 4, 2015 04:16
|
|
|
sarehu posted:In any case, you should not be thinking about block sizes at all. Hell, what about cipher chaining modes, authentication, and the like? No, you shouldn't be thinking about that stuff. If you do find yourself thinking about that stuff, go read Cryptography Engineering. You shouldn't be, though. There are libraries that worry about such stuff for you. People say that, but I haven't found any libraries that worry about such stuff for me. I write in C. Please tell me what libraries I should use. Everything high-level I've found has been in Python or JavaScript or Java. There's also the case that I often want to seek into an encrypted stream, but most everything uses CBC instead of CTR for reasons I'm not even sure of (CTR is objectively a better mode), so I do have to think about this stuff to make it fit my requirements.
|
|
#
?
Aug 4, 2015 04:27
|
|
|
Suspicious Dish posted:People say that, but I haven't found any libraries that worry about such stuff for me. I write in C. Please tell me what libraries I should use. Everything high-level I've found has been in Python or JavaScript or Java. nacl
|
|
#
?
Aug 4, 2015 04:36
|
|
|
baka kaba posted:You should definitely go through some tutorial on whatever you're using, just so you get a feel for what it can actually do. You can use an IDE as a glorified text editor, but you'll be missing out on a ton of what it can do to make your life easier and less boring. You don't need to learn everything (and you won't), you can explore as you go later, when you think "there has to be a better way!" I think I will. There's still a lot of repetition. I mean, don't get me wrong, I learned how to write out a sort, I learned depth first vs breadth first, but writing all those things out kind of blows, so I might as well get it as smooth as possible with for loops too. Also brush up on those because I haven't done almost any coding in years. I ended up buying the fancy keyboard, but only because it was 50% off so I can sell it for a loss of like  if I change my mind on it after the return period, and it has some extras that will actually be useful.
|
|
#
?
Aug 4, 2015 04:43
|
|
|
22 Eargesplitten posted:I think I will. There's still a lot of repetition. I mean, don't get me wrong, I learned how to write out a sort, I learned depth first vs breadth first, but writing all those things out kind of blows, so I might as well get it as smooth as possible with for loops too. Also brush up on those because I haven't done almost any coding in years. Wait, you want to write macros for typing out a sort procedure? Or breadth first searches? Just override equals() (or its equivalent) and use the library that undoubtedly exists for your language. I hope I'm just super misunderstanding you. I work day-to-day with a language for which there are no standard libraries, and let me tell you that it takes ages for a homegrown alternative to be fully mature and functional.
|
|
#
?
Aug 4, 2015 05:22
|
|
|
Typing, even all 7 characters in for(;;), should not be the limiting factor on your process.
|
|
#
?
Aug 4, 2015 05:31
|
|
|
22 Eargesplitten posted:I was using one of the two, I forget which, I had both installed. I probably just haven't dug into the features enough. The correct answer is IntelliJ IDEA and never look back.
|
|
#
?
Aug 4, 2015 05:38
|
|
|
b0lt posted:nacl a library last touched four years ago with no changelog or maintenance strategy at all and also does not allow random seeking as far as I'm aware.
|
|
#
?
Aug 4, 2015 05:43
|
|
|
LeftistMuslimObama posted:Wait, you want to write macros for typing out a sort procedure? Or breadth first searches? Just override equals() (or its equivalent) and use the library that undoubtedly exists for your language. I hope I'm just super misunderstanding you. I work day-to-day with a language for which there are no standard libraries, and let me tell you that it takes ages for a homegrown alternative to be fully mature and functional. What I meant was I learned how to make all of those structures in college, and I am now perfectly happy with using a library to simply make the sort/search a function call. And if Eclipse has a way to fill out for loops to save me the typing for loops and such, I'm glad to use that too. My experience is that I make the majority of my mistakes and spend the majority of my typing time in routine things that I write a dozen times per class. Anything that reduces either is welcome.
|
|
#
?
Aug 4, 2015 06:04
|
|
|
Suspicious Dish posted:a library last touched four years ago with no changelog or maintenance strategy at all and also does not allow random seeking as far as I'm aware. What the gently caress do you expect them to do for maintenance? You want random seeking? Go roll your own complicated authentication scheme that allows random seeking. Or gosh, maybe you could break your text into parts and encrypt each separately instead of being retarded.
|
|
#
?
Aug 4, 2015 06:15
|
|
|
sarehu posted:What the gently caress do you expect them to do for maintenance? At the bare minimum, a changelog for security bugs that have been fixed from release to release? An email address or form to contact if I find a bug? A mailing list where new releases are announced? sarehu posted:You want random seeking? Go roll your own complicated authentication scheme that allows random seeking. Or gosh, maybe you could break your text into parts and encrypt each separately instead of being retarded. You're suggesting I break my text into parts, which requires me to store the nonce/IV separately for each chunk, at which point I've reimplemented CTR mode, poorly. And here's the thing: nacl is not a "high-level API". It gives me low-level cryptographic primitives like symmetric encryption and asymmetric encryption, and still expects me to construct my own cryptosystem using them.
|
|
#
?
Aug 4, 2015 06:58
|
|
|
Suspicious Dish posted:You're suggesting I break my text into parts, which requires me to store the nonce/IV separately for each chunk, at which point I've reimplemented CTR mode, poorly. By all means tell us how you'd decrypt an [i,j) slice with authentication then.
|
|
#
?
Aug 4, 2015 09:33
|
|
|
sarehu posted:By all means tell us how you'd decrypt an [i,j) slice with authentication then. Authenticate the full message up-front once with a MAC-then-encrypt, then decrypt portions as needed. I need to seek at runtime since this is a significantly large file that will not fit in memory, but I can MAC with a rolling checksum so...
|
|
#
?
Aug 4, 2015 10:36
|
|
|
Breaking the message into chunks and encrypting/authenticating each chunk is a better solution though, because you don't have to scan up-front. Pick a key for the file and have the nonce be the chunk number. Or have it be random and store it alongside, if you need to write too.
sarehu fucked around with this message at 11:16 on Aug 4, 2015 |
|
#
?
Aug 4, 2015 11:12
|
|
|
Suspicious Dish posted:a library last touched four years ago with no changelog or maintenance strategy at all and also does not allow random seeking as far as I'm aware. The problem is that his software is also frozen at the time it's written, so it doesn't adapt well to future technologies and best practices. It's also incomprehensible. Honestly, DJB is an academic though, and while nacl meets his academic goals it's really up to the community to adopt it and maintain it, which they haven't really done. Suspicious Dish posted:I need to seek at runtime since this is a significantly large file that will not fit in memory,
|
|
#
?
Aug 4, 2015 16:28
|
|
|
22 Eargesplitten posted:
I forget the eclipse equivalent, but in IntelliJ you can type fori and hit Tab, and it'll fill out the basic loop structure. The parameters will be highlighted, and you can jump between them to fill them out as you like. The variable will already be named, and if you change it it'll intelligently rename everywhere. You can also select a block of code and do Surround By > for loop. And other things. You can mash on Ctrl+Space if you want it to suggest an existing variable to use as a parameter, if it hasn't already guessed the right one. You get the idea but it's like having an assistant that actually understands the code
|
|
#
?
Aug 4, 2015 16:38
|
|
|
ExcessBLarg! posted:Welcome to DJB. His software has zero bugs. None. It's great. Some of the pages say they were last touched in 2009, but the tarball release (which you download not from DJB's website!) is datemarked with 2011. No indication of what changed edit: http://web.archive.org/web/20090630084715/http://nacl.cr.yp.to/install.html edit 2: just what i want from an unmaintained library, "prototype" signing and signature validation. how did i not catch this before? http://nacl.cr.yp.to/sign.html that's obviously never happening either Suspicious Dish fucked around with this message at 17:15 on Aug 4, 2015 |
|
#
?
Aug 4, 2015 17:09
|
|
|
I mean crypto isn't voodoo or anything, there's a plethora of information on cr.yp.to alone. You can either trust an implementation on reputation, audit it and then trust it, or roll your own and compare it to a known good one. I mean you can  about it all day but those are your options, there must be some trustworthy human being out there to write and examine crypto code, if not yourself. Plenty of people use NaCl with no problems, DJB is also quite critical of everything. I mean NaCl was created to solve the exact problem we are discussing. IMO you shouldn't aim for a ~*perfect solution*~, it's a matter of risk mitigation and isolation vs resources. You shouldn't be thinking of how to keep someone out, you should be focusing on how much damage could be done if any one piece were to fail.ExcessBLarg! posted:The problem is that his software is also frozen at the time it's written, so it doesn't adapt well to future technologies and best practices. It's also incomprehensible. Honestly, DJB is an academic though, and while nacl meets his academic goals it's really up to the community to adopt it and maintain it, which they haven't really done. This is why the advice to never roll your own makes me uneasy. It sounds like anti-intellectual cargo cult speak to keep devs stupid about crypto by treating it as some higher-than-human concept. It inclines otherwise bright people to not seek any insight for their problem, and to blame their mistakes on others when things go bad. It's no wonder most contributions come from academic institutions, governments, or criminals/rebels. They're the ones that have the extreme cases of risk, resources, or both. They have to give a poo poo about contributing, it's quite explicitly in their interest to take the time! Still in most cases it's probably a bad idea to roll your own, since resources exist to make things quicker, and poor nielsm just needs a system that prevents him from being fired, sued, or in the worst case ruining people by letting such reports be public (if I'm guessing what he does correctly from posts). I probably generally agree with the other posts. As far as your case is concerned, I'd be the most worried about this being a contradiction: 2. One or two persons of managerial duty will need to extract and process the data from all users 5. Breaking the secrecy of one user's data should not break the secrecy of any other users' data My seat-of-the-pants solution would be to hand the managers smartcards and have the access audited. And anything I've written involving crypto is probably not being used for anything super-duper secret besides being a nerd on the internet, so my advice my be terrible. E: Hell, it might be a good idea to start a crypto thread. dougdrums fucked around with this message at 20:57 on Aug 4, 2015 |
|
#
?
Aug 4, 2015 20:51
|
|
|
It really isn't a big thing I've been asked to develop, it's a staff management system for a small volunteer organization, where I'm volunteering myself. People signing up would be asked to provide any medical information that could be relevant to the work. The issue is that storing personal medical information, together with information identifying the physical person it relates to, without adequate security measures, could be considered criminal negligence. So that's why I'm considering that sort of crypto system, by the idea of "better safe than sorry", but honestly also just as an interesting mental exercise.
nielsm fucked around with this message at 21:15 on Aug 4, 2015 |
|
#
?
Aug 4, 2015 21:13
|
|
|
nielsm posted:It really isn't a big thing I've been asked to develop, it's a staff management system for a small volunteer organization, where I'm volunteering myself. People signing up would be asked to provide any medical information that could be relevant to the work. The issue is that storing personal medical information, together with information identifying the physical person it relates to, without adequate security measures, could be considered criminal negligence. So that's why I'm considering that sort of crypto system, by the idea of "better safe than sorry", but honestly also just as an interesting mental exercise. Oh jeez, I must have mistaken you for someone else. It does seem a little excessive to bring smartcards into this.
|
|
#
?
Aug 4, 2015 21:18
|
|
|
dougdrums posted:This is why the advice to never roll your own makes me uneasy. It sounds like anti-intellectual cargo cult speak to keep devs stupid about crypto by treating it as some higher-than-human concept. It inclines otherwise bright people to not seek any insight for their problem, As for why: historically most cryptosytems have eventually succumbed to attack and have either been compromised outright, or significantly weakened. Those systems that have withstood time have still seen implementations with one or more compromising bugs. Seriously, I can't think of one major security platform or implementation (Kerberos, SSH, SSL/TLS, etc.) that hasn't suffered some significant problem of this nature. You simply can't assume today that security-sensitive software will remain invulnerable ten years from now. So, when dealing with security sensitive software, you have to anticipate that any code you write (or even just use) today, will have to be maintained to remain secure against future attacks. The best way to do that--even if you're an expert--is to use a popular body of software so that the most critical code is studied and maintained by as many experts as possible. My advice is to find the highest level of abstraction (service, application, library, etc.) that's appropriate for your application, find a popular implementation, and use that. That way, when something happens, you can rely on others doing the bulk of the work and minimize the effort needed to remain protected. If you operate on too low of an abstraction (e.g., implementation of common algorithms from primitives) you might be stuck doing the work yourself. If you operate really low (e.g,. custom algorithm) you may not even be aware that you're vulnerable. ExcessBLarg! fucked around with this message at 21:29 on Aug 4, 2015 |
|
#
?
Aug 4, 2015 21:25
|
|
|
Oh, like I said I think we generally agree. That's why I was defending nacl as far as C is concerned. I've just seen a few people turn "don't roll your own" into "not my problem".
dougdrums fucked around with this message at 21:34 on Aug 4, 2015 |
|
#
?
Aug 4, 2015 21:32
|
|
|
dougdrums posted:I mean crypto isn't voodoo or anything, there's a plethora of information on cr.yp.to alone. You can either trust an implementation on reputation, audit it and then trust it, or roll your own and compare it to a known good one. I mean you can It's not a lack of trust, it seems that out of anything that should get major alarm bells for "there is a security fix, update now", it would be for a major cryptography library. But no, nothing other than a silent URL change on a website.
|
|
#
?
Aug 4, 2015 21:37
|
|
|
dougdrums posted:E: Hell, it might be a good idea to start a crypto thread. This is a great idea, please post a link when you get the OP up Coursera offers the Stanford Crypto course for FREE and I highly recommend doing it. It just started Monday so you're not at a disadvantage. The lecture video player has a 1.25x and 1.5x speed adjustment which makes it easy to blow through the lectures a second or third time to really embed the info in your brain. I did it about two years ago and it really broadened my perception of how all that works and why there's really only about 100 people on the planet qualified to write commercial grade crypto-anything, and why WEP is such a flaming pile of garbage. https://www.coursera.org/course/crypto
|
|
#
?
Aug 4, 2015 21:43
|
|
|
I mean iirc nacl was a work in progress in 2009. The file is hosted on the co-author's website too.
|
|
#
?
Aug 4, 2015 21:56
|
|
|
Is this bug-free nacl the same one that had huge problems letting users mmap regions dynamically?
|
|
#
?
Aug 4, 2015 22:31
|
|
|
JawnV6 posted:Is this bug-free nacl the same one that had huge problems letting users mmap regions dynamically? I assume you're talking about Google's Native Client, which is not DJB's NaCl.
|
|
#
?
Aug 4, 2015 22:56
|
|
|
Hadlock posted:This is a great idea, please post a link when you get the OP up NIST formally announced SHA-3 today https://en.wikipedia.org/wiki/SHA-3
|
|
#
?
Aug 6, 2015 00:46
|
|
|
|
| # ? May 15, 2024 22:36 |
|
|
Well, it looks like I'm going to be onboarding / mentoring with one of my company's programmers, which is pretty awesome since I'm normally T1 helpdesk. I haven't gotten sure word for what languages will be used, but I know it will be making something that interacts with a database. I don't know any DB-related languages, is there anything I can study to get a general idea about them, or do I need to know SQL vs Ruby vs whatever else I haven't heard of?
|
|
#
?
Aug 6, 2015 02:18
|
|