|
Using Python pip is equivalent to downloading something off of CNET, assume everything is either badly written or malicious
|
#
?
Feb 3, 2020 23:37
|
|
|
|
| # ? May 17, 2024 17:57 |
|
|
https://twitter.com/rickwierenga/status/1223563155902693376
|
|
#
?
Feb 4, 2020 00:59
|
|
|
https://twitter.com/farmerchris/status/1224550710836113408
|
|
#
?
Feb 4, 2020 11:09
|
|
|
A lot of people in that twitter thread proudly asserting that the app is vulnerable to SQL injection, but it's not clear from this whether or not that's the case. It's unclear whether the app uses user input naively (in which case it is vulnerable), or takes steps (e.g. parameterised queries) to ensure that SQL injection isn't possible. I don't know how likely it is that you would be able to easily get a fully-formed query back as a string if prepared statements were used, and it's not clear what RDBMS is being used. Regardless, it's obviously awful for several reasons to blurt out the query to the user when something goes wrong. (Debug behaviour in release?) It's just weird to read all those people who are quite certain that SQL injection is possible when that doesn't seem to be something one can deduce from the screenshot alone.
|
|
#
?
Feb 4, 2020 13:10
|
|
|
Hammerite posted:A lot of people in that twitter thread proudly asserting that the app is vulnerable to SQL injection, but it's not clear from this whether or not that's the case. It's unclear whether the app uses user input naively (in which case it is vulnerable), or takes steps (e.g. parameterised queries) to ensure that SQL injection isn't possible. I don't know how likely it is that you would be able to easily get a fully-formed query back as a string if prepared statements were used, and it's not clear what RDBMS is being used. Tweet is gone. 
|
|
#
?
Feb 4, 2020 18:01
|
|
|
It was a screenshot of an error with a full SQL query with table names and joins. It's a big red flag for SQL vulnerabilities, but it doesn't guarantee them of course. But it's a terrible sign that you can even tell SQL is being used. It's hard to say if they are ankle deep or neck deep in poo poo, but we can at least rule out any non-poo poo situation.
|
|
#
?
Feb 4, 2020 18:18
|
|
|
Nth Doctor posted:Tweet is gone. It was a screenshot of an error message from an app. The error message was displayed over a login page with a header that said it had something to do with registered voters in... Iowa? Ohio? Something like that. The error message consisted of "User not found" and then the text of an SQL query.
|
|
#
?
Feb 4, 2020 18:20
|
|
|
Hammerite posted:It was a screenshot of an error message from an app. The error message was displayed over a login page with a header that said it had something to do with registered voters in... Iowa? Ohio? Something like that. The error message consisted of "User not found" and then the text of an SQL query. Fuckin' YIKES 
|
|
#
?
Feb 4, 2020 18:31
|
|
|
the tweet was obvious enough and deleted fast enough that i think it was a spoof, but the app was indeed very bad. multiple caucusers said that it would lose all entered information when the display slept so they had to remember to keep touching their phones to keep them awake.
|
|
#
?
Feb 4, 2020 18:39
|
|
|
The account is now protected and has the name "Bobby Tables" lol
|
|
#
?
Feb 4, 2020 18:40
|
|
|
Printing out a full query string with ?s in it probably means that it doesn’t have classic SQL injection problems, actually, because the naive way of constructing SQL by appending strings doesn’t lend itself to that kind of debug output. On the other hand, it could well mean that the app is sending raw queries to the database, which isn’t an “SQL injection” as I learned the term but is still a really big problem.
|
|
#
?
Feb 4, 2020 18:43
|
|
|
Someone in the secfuck thread said screenshot was not from the dumpster fire app they failed to count last night's caucus results with, but a different app from the same company from some other year's election. People also pointed out that the visual style was iOS circa 2013-14.
|
|
#
?
Feb 4, 2020 18:44
|
|
|
CPColin posted:The account is now protected and has the name "Bobby Tables" lol 
|
|
#
?
Feb 4, 2020 19:45
|
|
|
Hammerite posted:It was a screenshot of an error message from an app. The error message was displayed over a login page with a header that said it had something to do with registered voters in... Iowa? Ohio? Something like that. lmao... oh buddy...........
|
|
#
?
Feb 4, 2020 20:40
|
|
|
I sent the screenshot, so here it is, preserved for posterity. e: Genuine screenshots by somebody who seems to know what they're talking about. https://twitter.com/josephfcox/status/1224758442776129536 Arsenic Lupin fucked around with this message at 21:05 on Feb 4, 2020 |
|
#
?
Feb 4, 2020 20:59
|
|
|
Edit: I'm dumb
Volmarias fucked around with this message at 21:28 on Feb 4, 2020 |
|
#
?
Feb 4, 2020 21:11
|
|
|
Read the article. That error screen shows up when you try to enter the Google Authenticator 2FA.
|
|
#
?
Feb 4, 2020 21:15
|
|
|
I can't help but think they'd have had fewer problems sending a Google Forms link to a bunch of pre-registered email addresses.
|
|
#
?
Feb 4, 2020 21:45
|
|
|
Maybe, but that might make it harder to justify 5 figures worth of consultant fees.
|
|
#
?
Feb 4, 2020 22:46
|
|
|
Plus people would make fun of them, but we'd know who won last night instead of this afternoon.
|
|
#
?
Feb 4, 2020 23:17
|
|
|
https://twitter.com/kf/status/1224768660138446848 https://twitter.com/ysaw/status/1224561186605125632
|
|
#
?
Feb 5, 2020 01:00
|
|
|
duz posted:Maybe, but that might make it harder to justify 5 figures worth of consultant fees. Cheap consultants!
|
|
#
?
Feb 5, 2020 01:00
|
|
|
Ya uh what happened here is obvious. Said company got hella tax credits and other funding, the management transferred those funds to their respective bmw/audi dealership, perhaps to the ol' musky too, and then hired the cheapest 'team' they could to poo poo out the eternal mvp. Iowa is really bad about it, don't ask ...
|
|
#
?
Feb 5, 2020 01:19
|
|
|
JawnV6 posted:Having worked on the silicon side, rust whining about ‘silicon bugs’ strikes me as incredibly immature. Calling their own misunderstanding of speculative execution someone else’s bug. They're certainly wrong about Darwin platforms. The `clock_*(CLOCK_MONOTONIC)` functions are true monotonic counters, at least on Apple hardware.
|
|
#
?
Feb 5, 2020 02:12
|
|
|
My favorite example of that class of bugs is GTA... 3? I think? They eschewed the OS platform calls and just used rdtsc directly. On AMD platforms at the time, when a thread hopped cores or any DVFS shenanigans occurred the naive approach wouldn't notice. Time would go backwards, relatively speaking, and it led to a very Yakety Sax inspired gameplay with animations jerking wildly back and forth.
|
|
#
?
Feb 5, 2020 03:07
|
|
|
Xik posted:Hold up I'm just grabbing this tiny violin for all these massive for-profit organizations relying on this dude's hobby project and his volunteer time. Not sure where you got the impression that all the users are major corporations, but okay. The dude spent more time writing a snarky comment on GitHub than it would have taken to accept the fix that someone else already made for his lovely code. And yeah obviously everyone could just fork the repo but how can you possibly think that's a suitable solution?
|
|
#
?
Feb 5, 2020 11:44
|
|
|
They could pay whoever maintains it if they depend on it that much.  I'm no javascript ninja, but there's a history of pull requests to fix vulnerabilities, and he probably just went 'gently caress it, I've got other stuff to do instead of fixing all of this poo poo I wrote' at one point. There's nothing compelling him to do so other than having some warm fuzzy feeling about open source software and 'contributing' to the 'community'.Of course the smart thing to do in any case is to not use node. Problem solved. E: I mean, getting paid and oss aren't mutually exclusive. poo poo, RMS's first draft said that you couldn't charge for distributing gpl software, then he realized tapes and postage costs loving money and totally reneged on that point. dougdrums fucked around with this message at 14:37 on Feb 5, 2020 |
|
#
?
Feb 5, 2020 14:33
|
|
|
Hammerite posted:I named my street the empty string as a joke and now the postal service sends all the mail with unreadable addresses here, it's blowing in to my garden and making a mess This actually happened to an American who chose "NULL" as a vanity license plate number. Had something like $5000 in parking tickets mailed to his house
|
|
#
?
Feb 14, 2020 04:20
|
|
|
https://twitter.com/StevenXClontz/status/1228317055331569664
|
|
#
?
Feb 14, 2020 15:03
|
|
|
TBF, they're not going to get the test admin people to change their rules by arguing that they already spent a bunch of money developing this feature
|
|
#
?
Feb 14, 2020 16:19
|
|
|
I was just reminded of a thing I worked with some time ago, and I feel sharing it with you people would help me cope. Can you spot all the horrors?
|
|
#
?
Feb 14, 2020 17:15
|
|
|
Bonus 
|
|
#
?
Feb 14, 2020 17:20
|
|
|
What's the difference between a compiler if and a plain if?
|
|
#
?
Feb 14, 2020 17:43
|
|
|
Preprocessor vs. runtime, I would assume.
|
|
#
?
Feb 14, 2020 17:47
|
|
|
pokeyman posted:What's the difference between a compiler if and a plain if? That is the least horrific part. The "runtime" is MSI though, which is entirely table based. I think any turing-completeness is done via injecting dlls via so-called custom actions. MSI in general feels like "RPM, But Worse™"
|
|
#
?
Feb 14, 2020 17:58
|
|
|
Antigravitas posted:The "runtime" is MSI though, which is entirely table based. I think any turing-completeness is done via injecting dlls via so-called custom actions. MSI in general feels like "RPM, But Worse™" 
|
|
#
?
Feb 14, 2020 18:47
|
|
|
You can't type freely in the IDE btw., programming is done via drag&drop of the modules on the right. If you dare to type it autocompletes into the modules on the right and presents a modal dialogue for you to add options. What's shown in the "code" hides a lot of those option. The source files created by the IDE are not human-readable and they get reshuffled seemingly at random, so putting them into version control is frustrating as hell.
|
|
#
?
Feb 14, 2020 19:00
|
|
|
Has been a long week. Been fighting scripts written in python, poorly, tryiing to match the requirements of these scripts with libraries like TensorFlow and OpenCV. Having to use virtual enviroments and docker images to make these scripts happy. After a lot of pain and misery I have developed the need to make a hot take: Python can fuckt itself with a hot iron bar. gently caress all the people that work with python and neglect the concept of facade when updating libraries.
|
|
#
?
Feb 14, 2020 19:12
|
|
|
hot take: python is cool and good and docker is the right way to solve the problem you are having.
|
|
#
?
Feb 14, 2020 19:15
|
|
|
|
| # ? May 17, 2024 17:57 |
|
|
Tei posted:Has been a long week. Python is great actually, as are the concept of virtualenvs and Docker. It's failed to solve the "how do we force bad programmers to write good code?" problem, but then so has every other language. Find me the language where your scripts (written by an incompetent developer) would have been easy to update and I'll use that for the rest of my life
|
|
#
?
Feb 14, 2020 19:22
|
|
