
SELECT * FROM posts WHERE tid = 'PA PROGRAMMING THREAD'


Posts

  • LindenLinden Registered User regular
    Wheee, unbound variables for everyone! Frustrating debugging session, that one.

    re. Lua: 5.1.4 is currently installed.

  • CantidoCantido Registered User regular
    Vegan wrote: »
    Hey, everyone. Not A Programmer in the house here.

    I'm going to be starting an Associate Degree education in Web Programming (I can provide specifics if it's important) and I was wondering if I could get an idea of hardware requirements for a laptop. Right now my only computer is hooked up to my TV and there's no way I'm hunching in front of that for all of my class work.

    I can't imagine that the hardware requirements would be very demanding for those sorts of projects, correct?

    Also, how concerned should I be about being bad at math?

    The good news is that the hardware demands for web programming are low. Notepad++ is a free example of software you might use. You however will most likely be looking into Dreamweaver, which should be picked up cheap via your college campus, which is also not demanding. Photoshop comes in handy too. Even if you're not an artist, it has nice things like the Image Processor scripts that let you compress a folder full of pictures and automatically make thumbnails for them, or compress them all for fast web viewing.

    You most likely will be buying one of the Adobe packages with a web focus that will have Dreamweaver and Photoshop.

    3DS Friendcode 5413-1311-3767
  • bowenbowen How you doin'? Registered User regular
    Vegan wrote: »
    Hey, everyone. Not A Programmer in the house here.

    I'm going to be starting an Associate Degree education in Web Programming (I can provide specifics if it's important) and I was wondering if I could get an idea of hardware requirements for a laptop. Right now my only computer is hooked up to my TV and there's no way I'm hunching in front of that for all of my class work.

    I can't imagine that the hardware requirements would be very demanding for those sorts of projects, correct?

    Also, how concerned should I be about being bad at math?

    You can probably pick up a cheapo laptop and be fine. Uninstalling all their crapware first would be beneficial though. Unless you want a desktop then you can splurge for the same price. I'd imagine web devs love laptops though.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • urahonkyurahonky Registered User regular
    Any good books on Cyber Security that you guys are aware of? I'm currently going through "The Rootkit Arsenal" and it's really amazing and I think I'd like to learn more about viruses/malware and stuff like that.

  • bowenbowen How you doin'? Registered User regular
    Don't write your password down. That's about all I know.

    Also a government organization is arguing about whether SHA2 hashes should be used over SHA1 hashes. Like.. really you think that's going to be your point of weakness, 256 vs 160 bit hashes or whatever? How about not using REST for data transfer, yeah, maybe that'd be a good idea.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • urahonkyurahonky Registered User regular
    Not even just that. How about you TRAIN people how to not be incredibly stupid with their online surfing habits. That's especially including Social Networking sites.

  • bowenbowen How you doin'? Registered User regular
    Well this is all for that CCHIT/meaningful use push for medical records. As if a SHA2 hash is going to make user passwords more secure. I think the NSA uses SHA1 because there's just no reason to go above and beyond for hashing.

    I'm waiting for them to tell me AES isn't good enough for encryption now.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • urahonkyurahonky Registered User regular
    bowen wrote: »
    Well this is all for that CCHIT/meaningful use push for medical records. As if a SHA2 hash is going to make user passwords more secure. I think the NSA uses SHA1 because there's just no reason to go above and beyond for hashing.

    I'm waiting for them to tell me AES isn't good enough for encryption now.

    I forgot that's what you're dealing with. My apologies.

  • SporkAndrewSporkAndrew Registered User, ClubPA regular
    An application I wrote has just been pen-tested within the past few months, so I've had compliance and security on the brain for a while now.

    Basically, SHA1 is next to useless now as there's so many rainbow tables for it available. What's recommended is doing recursive SHA256 hashing as many times as you can handle without affecting performance. Based on the build of the server I was working on and the speed of the language / framework I ended up with a 10,000 pass recursive hash seeded with a private key value and the current time in milliseconds. That satisfied the security company, anyway.

    Look into CSRF tokens / nonce values too -- they're exceptionally useful for increasing security at negligible cost.

    But, like others have said, even the most secure password hashing / security system in the world is only as good as the users using it. Even if you're storing data securely, there's nothing stopping people writing down their password or reading it out to someone over the phone who sounds professional.

    The one about the fucking space hairdresser and the cowboy. He's got a tinfoil pal and a pedal bin
  • baronfelbaronfel Would you say I have a _plethora_?Registered User regular
    @SporkAndrew pen-tested as in penetration testing? If you can offer specifics, what kind of things were stressed during that testing? Were you pushing a purely software solution, or some kind of integrated hardware/software combo that had to be tested?

    I've not done any specifically security-conscious stuff, so am rather intrigued by what pen-testing would cover.

  • centraldogmacentraldogma Registered User regular
    I thought AES had a vulnerability? I thought it could be broken relatively quickly (a few years, rather than outside the length of a human life). So, it should be used for things that are of no use in several years (ie. passwords that change on a regular basis) rather than personal information (ie. Social security numbers and medical records).

    It could be a different encryption standard I’m thinking of.

    When people unite together, they become stronger than the sum of their parts.
    Don't assume bad intentions over neglect and misunderstanding.
  • bowenbowen How you doin'? Registered User regular
    An application I wrote has just been pen-tested within the past few months, so I've had compliance and security on the brain for a while now.

    Basically, SHA1 is next to useless now as there's so many rainbow tables for it available. What's recommended is doing recursive SHA256 hashing as many times as you can handle without affecting performance. Based on the build of the server I was working on and the speed of the language / framework I ended up with a 10,000 pass recursive hash seeded with a private key value and the current time in milliseconds. That satisfied the security company, anyway.

    Look into CSRF tokens / nonce values too -- they're exceptionally useful for increasing security at negligible cost.

    But, like others have said, even the most secure password hashing / security system in the world is only as good as the users using it. Even if you're storing data securely, there's nothing stopping people writing down their password or reading it out to someone over the phone who sounds professional.

    I'm using SHA256 with a customizable pass setting (as required I guess, they want to be able to modularly set up an interface engine to test data security and imports). By default internally I use a 5 pass SHA256 for password crypto. Passwords are required to be 15 characters in length, but no requirements on complexity, mainly so I get people used to using sentences as passwords rather than writing down things like 135XD$1djjj34%1%%!!!030zj56JJ

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • bowenbowen How you doin'? Registered User regular
    I thought AES had a vulnerability? I thought it could be broken relatively quickly (a few years, rather than outside the length of a human life). So, it should be used for things that are of no use in several years (ie. passwords that change on a regular basis) rather than personal information (ie. Social security numbers and medical records).

    It could be a different encryption standard I’m thinking of.

    Well you should never encrypt passwords. Hashing should deal with passwords and passphrases to verify a match. Basically you store the hash of a password in your database, which is a one way encryption, and then when someone logs in, you hash, and see if the hashes match.

    As for security wise, it seems to be okay to do this with AES providing you're using a better keysize than 128.
    http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security. You'd need someone with a quantum computer or a huge distributed net of computers attempting to crack the key. Probably not altogether useful unless you have physical access to the machines in question.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
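    Added example, not code from SporkAndrew or bowen: the stored-hash scheme the posts above describe, done as iterated SHA-256 via PBKDF2-HMAC with a random per-user salt that is stored next to the hash (the per-record salt is what defeats a precomputed table), a constant-time verify, a pass-count upgrade check, and the thread's 15-character passphrase rule. Assumes only Python's standard library; the record format and names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 10_000        # pass count from the thread; raise it as hardware allows
SALT_BYTES = 16
MIN_PASSPHRASE_LEN = 15    # bowen's length-only rule


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<passes>$<salt>$<hash>.

    The salt is random per user and stored in the record, so the same password
    hashed for two users gives two different records and a table of plain
    SHA-256 values (a rainbow table) is useless against the store.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and pass count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False                       # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record used fewer passes than the current setting, so it
    can be re-hashed transparently at the user's next successful login."""
    return int(record.split("$")[1]) < iterations


def passphrase_ok(password: str) -> bool:
    """Length only, no complexity classes: long sentences beat written-down noise."""
    return len(password) >= MIN_PASSPHRASE_LEN


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))
```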
  • SporkAndrewSporkAndrew Registered User, ClubPA regular
    baronfel wrote: »
    @SporkAndrew pen-tested as in penetration testing? If you can offer specifics, what kind of things were stressed during that testing? Were you pushing a purely software solution, or some kind of integrated hardware/software combo that had to be tested?

    I've not done any specifically security-conscious stuff, so am rather intrigued by what pen-testing would cover.

    It was a web-based system that was penetration tested, so it covered hardware (the server set-up) as well as software (the system itself). For the hardware side of things they essentially did a few port-scans, checked things with known vulnerabilities weren't installed (phpmyadmin / plesk / etc) and tried to log-in using common username / passwords.

    Software-wise they tested for the following (copied straight from the report):

    Injection
    Cross Site Scripting (XSS)
    Broken Authentication/Session Management
    Insecure Direct Object References
    Cross Site Forgery (CSRF)
    Security Misconfiguration
    Insecure Cryptographic Storage
    Failure to Restrict URL Access
    Insufficient Transport Layer Protection
    Un-validated Redirects and Forwards

    If any of those had any vulnerabilities at all then you'd fail. We failed on crypto, broken session management and csrf, which was what prompted me to implement nonce values, the recursive hashing and locking down the session cookie to httponly. What we ended up implementing was way over the top for the usage that the system gets, but at least it's secure as it can be for now.

    The one about the fucking space hairdresser and the cowboy. He's got a tinfoil pal and a pedal bin
  • PhyphorPhyphor Building Planet Busters Tasting FruitRegistered User regular
    I always go to SRP for password logins when I can. It has the nice property that even if the internal DB gets read, I don't think it's possible to log in based on what the DB has in it, additionally the client can verify that the server actually has the password, you don't need an SSL session to secure it and you end up with a session key

  • centraldogmacentraldogma Registered User regular
    bowen wrote: »
    I thought AES had a vulnerability? I thought it could be broken relatively quickly (a few years, rather than outside the length of a human life). So, it should be used for things that are of no use in several years (ie. passwords that change on a regular basis) rather than personal information (ie. Social security numbers and medical records).

    It could be a different encryption standard I’m thinking of.

    Well you should never encrypt passwords. Hashing should deal with passwords and passphrases to verify a match. Basically you store the hash of a password in your database, which is a one way encryption, and then when someone logs in, you hash, and see if the hashes match.

    As for security wise, it seems to be okay to do this with AES providing you're using a better keysize than 128.
    http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security. You'd need someone with a quantum computer or a huge distributed net of computers attempting to crack the key. Probably not altogether useful unless you have physical access to the machines in question.

    Yeah, passwords are a bad example, but something that is of strategic importance for only a certain period of time. Maybe a publicly traded company’s quarterly information is a better example. I recall some security technique that could be broken with a few years on a modern computer.

    When people unite together, they become stronger than the sum of their parts.
    Don't assume bad intentions over neglect and misunderstanding.
  • bowenbowen How you doin'? Registered User regular
    Phyphor wrote: »
    I always go to SRP for password logins when I can. It has the nice property that even if the internal DB gets read, I don't think it's possible to log in based on what the DB has in it, additionally the client can verify that the server actually has the password, you don't need an SSL session to secure it and you end up with a session key

    SRP appears to be SHA256 bit with some added rejiggering behind the scenes.

    And Dogma, that was probably DES or AES128

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • PhyphorPhyphor Building Planet Busters Tasting FruitRegistered User regular
    edited May 2012
    No, it's an asymmetric crypto algorithm based on the discrete log problem. You can use any hash

    http://srp.stanford.edu/design.html

    Phyphor on
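    Added example, not Phyphor's code or the Stanford reference implementation: both sides of an SRP-6a login, showing the properties named in Phyphor's two posts above (the server stores only a salt and verifier, the client proves the password without sending it, the server proves it holds the verifier, and both end with a shared session key). Assumes a constructed toy group and simplified proof messages, both noted in the comments.

```python
import hashlib
import secrets

# Toy group, constructed for this illustration only: a 127-bit Mersenne prime is
# far too small and is not a safe prime; a deployment takes a group from RFC 5054.
# Steps follow SRP-6a per the Stanford design page, with the proof messages
# simplified to M1 = H(A, B, K) and M2 = H(A, M1, K).
N = 2 ** 127 - 1
g = 5
WIDTH = max((N.bit_length() + 7) // 8, 32)    # fixed width for ints in hashes

def Hb(*parts) -> bytes:
    data = b"".join(p.to_bytes(WIDTH, "big") if isinstance(p, int) else p
                    for p in parts)
    return hashlib.sha256(data).digest()

def H(*parts) -> int:
    return int.from_bytes(Hb(*parts), "big")

k = H(N, g)   # SRP-6a multiplier parameter

def private_x(user: str, password: str, salt: bytes) -> int:
    return H(salt, hashlib.sha256(f"{user}:{password}".encode()).digest())

def make_verifier(user: str, password: str):
    """Enrolment, run on the client: only (salt, v = g^x mod N) goes to the server."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(user, password, salt), N)

class SrpServer:
    """Stores (salt, verifier) per user; never holds the password or x."""
    def __init__(self):
        self.db, self.pending, self.key = {}, {}, None
    def enroll(self, user, salt, v):
        self.db[user] = (salt, v)
    def start(self, user, A):
        if A % N == 0: raise ValueError("illegal client value A")
        salt, v = self.db[user]
        b = secrets.randbelow(N - 2) + 1
        B = (k * v + pow(g, b, N)) % N
        self.pending[user] = (A, b, B)
        return salt, B
    def finish(self, user, M1: bytes):
        A, b, B = self.pending.pop(user)
        _, v = self.db[user]
        u = H(A, B)
        K = H(pow(A * pow(v, u, N) % N, b, N))          # S = (A * v^u)^b
        if not secrets.compare_digest(M1, Hb(A, B, K)):
            return None                                  # wrong password or tampering
        self.key = K
        return Hb(A, M1, K)                              # proves the server knew v

class SrpClient:
    def __init__(self, user, password):
        self.user, self.password, self.key = user, password, None
    def start(self):
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)
        return self.A
    def finish(self, salt, B):
        if B % N == 0: raise ValueError("illegal server value B")
        x = private_x(self.user, self.password, salt)
        u = H(self.A, B)
        # (B - k*g^x) == g^b, so both sides reach S = g^(b*(a + u*x))
        self.K = H(pow((B - k * pow(g, x, N)) % N, self.a + u * x, N))
        self.M1 = Hb(self.A, B, self.K)
        return self.M1
    def check(self, M2) -> bool:
        if secrets.compare_digest(M2, Hb(self.A, self.M1, self.K)):
            self.key = self.K
            return True
        return False
```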
  • bowenbowen How you doin'? Registered User regular
    Ah I see, the 2 or so I looked up used SHA256

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • PrimePrime UKRegistered User regular
    edited May 2012
    I don't know if it's just because it's 5pm on Friday but I need some math programming help.

    I have two rectangles in 2D space, one is already placed in this 2D space at any rotation. The second will be placed within the boundaries of this first rectangle.

    I need to work out if the insert point (the 2D coord the user picks with the mouse, top left corner of the rect) of this second rectangle sits within the first half or second half of the first and place it inline with the first carrying on the flow, so the rotation and the positioning must match up.

    Anyone care to point me in the right thought direction? From what I remember does it involve moving the squares to the origin doing checks then moving them back?

    Prime on
  • bowenbowen How you doin'? Registered User regular
    That's probably what I'd do. Keep record of rotation, zero it, place square inside it, rotate both back to the original rotation. I'm sure there are fancy maths, but implement first, then optimize.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • DisrupterDisrupter Registered User regular
    So I am having memory issues in PHP. I posted in my own thread a bit ago, forgetting that it's probably best just to post it in here. Long story short, my application is getting majorly bloated in memory use. I am using zend_framework and it appears as though the zend may be including the models each time a new instance of a class uses the model.

    Basically I have two classes, Class 1 and Class 2. Class 2 is an object within Class 1.

    So let's say we have Object 1A, which is of Class 1. When it first creates object 2A (of class 2) the memory usage is a ton, let's say 1MB. But if it creates more objects of class 2, it isn't bad, maybe .1mb a piece. So it seems like the auto-loader is using a ton of memory including the file for Class 2. That's fine, it has to include the file.

    But, the part that is messed up is...

    Let's say we also have Object 1B, which is of class 1. It experiences the same memory usage as Object 1A. So when it first creates its instance of class 2, it has a 1MB footprint, but additional objects only incur a .1mb footprint.

    This ends up making Object 1A and Object 1B have footprints of over 1MB a piece. I have no idea how to solve this issue. I am doing manual memory clean up to unset any variables that are no longer used. The problem is, clearing out object 2A only nets me back .1MB. That initial load still takes up 1MB and I do not know how to clean that up. I think the zend_auto-loader is the problem, but I don't know enough about it to really fix it.

    Or maybe I am way off base. I could understand the initial load of a class taking quite a bit of memory, but it shouldn't do it again when another object loads that same class.

  • PhyphorPhyphor Building Planet Busters Tasting FruitRegistered User regular
    Another way would be to construct a basis from the first rectangle, which is similar, but involves moving the point (and "world") to the rectangle, which can be easier if all you have are coordinates and not rotations

    For a 2d basis, you need any two points, I'll assume you have the logical top left & top right corners in standard vector x,y form (tl & tr) and the mouse point (pt)

    bx = (tr-tl)
    by = bx' where bx' is bx rotated by 90 degrees, for 2d this is simply swapping x & y. For a rectangle where "down" is really the positive direction, you may want to negate the resulting vector to get a more sensible result

    Then solve for pt = a * bx + b * by. a,b is your coordinate in the rectangle-world. Note that the rectangle-world coordinates are scaled to the length of bx, which, conveniently, is what you want, a >= 0.5 gives you the "right half"
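    Added example (not Phyphor's code) of the basis approach above, carried through to a runnable solver and the inverse "place it back" step from Prime's question. Two assumptions beyond the post: the point is first offset by tl so the basis has the rectangle's corner as origin, and the 90-degree rotation is taken as (-y, x) rather than a plain swap; in screen coordinates (y down) that makes b grow downward into the rectangle, which is the sign Phyphor says you may otherwise need to flip.

```python
import math


def rect_basis(tl, tr):
    """bx runs along the top edge; by is bx rotated 90 degrees, i.e. (-y, x).
    For y-down screen coordinates by then points down into the rectangle."""
    bx = (tr[0] - tl[0], tr[1] - tl[1])
    by = (-bx[1], bx[0])
    return bx, by


def rect_coords(tl, tr, pt):
    """Solve (pt - tl) = a*bx + b*by by Cramer's rule.

    (a, b) are the point's coordinates in rectangle-world, scaled so a == 1 is
    the far end of the top edge and b == 1 is one edge-length down."""
    bx, by = rect_basis(tl, tr)
    px, py = pt[0] - tl[0], pt[1] - tl[1]          # move the point to tl's origin
    det = bx[0] * by[1] - bx[1] * by[0]
    if math.isclose(det, 0.0):
        raise ValueError("degenerate rectangle: tl and tr coincide")
    a = (px * by[1] - py * by[0]) / det
    b = (bx[0] * py - bx[1] * px) / det
    return a, b


def which_half(tl, tr, pt) -> str:
    """Prime's test: first or second half along the flow direction."""
    a, _ = rect_coords(tl, tr, pt)
    return "right" if a >= 0.5 else "left"


def rect_to_world(tl, tr, a, b):
    """Inverse map: a rectangle-world point back to screen coordinates, which
    places a new rectangle with the same rotation as the first one."""
    bx, by = rect_basis(tl, tr)
    return (tl[0] + a * bx[0] + b * by[0], tl[1] + a * bx[1] + b * by[1])


if __name__ == "__main__":
    # Constructed sample: a rectangle rotated 90 degrees, top edge running down the screen.
    tl, tr = (10, 10), (10, 20)
    print(rect_coords(tl, tr, (7, 12)), which_half(tl, tr, (7, 12)))
```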

  • PhyphorPhyphor Building Planet Busters Tasting FruitRegistered User regular
    Does anyone know of a better way to bind a v4 and v6 socket to the same port than pick a port, try it, re-try on fail?

  • bowenbowen How you doin'? Registered User regular
    You mean if the person doesn't have v6 installed, default to v4 right?

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • PhyphorPhyphor Building Planet Busters Tasting FruitRegistered User regular
    No, two sockets, bound to the same port. Basically I want to offer the same service on both ipv4 and ipv6, but I don't think I can say they're on different ports

  • bowenbowen How you doin'? Registered User regular
    You should be able to accept both 4 and 6 on a single ip6 socket assuming you've set the option to not "ip6 only" in this case?

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • bowenbowen How you doin'? Registered User regular
    edited May 2012
    I'm not sure if non-windows sockets can do it:

    http://msdn.microsoft.com/en-us/library/system.net.sockets.socketoptionname.aspx (ipv6_only set to false)

    Edit: seems to be supported on Unix and it's already off by default there:
    http://stackoverflow.com/questions/1618240/how-to-support-both-ipv4-and-ipv6-connections

    bowen on
    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • PhyphorPhyphor Building Planet Busters Tasting FruitRegistered User regular
    edited May 2012
    I wish I could, unfortunately XP doesn't seem to support it. I need Win XP and up & Mac

    Phyphor on
  • bowenbowen How you doin'? Registered User regular
    Ah hm.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • bowenbowen How you doin'? Registered User regular
    edited May 2012
    WSCEnumProtocols to check if ip6 is installed and create your own socket class maybe?? (You'll obviously need a separate code base for BSD sockets on OSX and it supports the IP6 by default anyways... two code-bases for netcode it seems)

    bowen on
    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
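    Added example, not code from Phyphor or bowen: the two approaches discussed above in one function. It first tries a single IPv6 socket with IPV6_V6ONLY cleared (the option behind bowen's MSDN and Stack Overflow links), and on stacks that refuse dual-stack it falls back to one socket per family on the same port number, with the pick/try/retry loop only for ephemeral ports. Assumes Python's standard library; which path succeeds depends on the host's stack.

```python
import errno
import socket


def open_listeners(port: int, retries: int = 5):
    """Return listening TCP sockets serving one port on both IPv4 and IPv6.

    First choice: one IPv6 socket with IPV6_V6ONLY off, which also accepts
    IPv4 clients as ::ffff:a.b.c.d mapped addresses. Fallback for stacks
    without dual-stack: one socket per family bound to the same port number,
    retried when the v6 bind loses the race on an ephemeral port.
    """
    if socket.has_ipv6:
        s6 = None
        try:
            s6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
            s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
            s6.bind(("::", port))
            s6.listen(5)
            return [s6]
        except (OSError, AttributeError):
            if s6 is not None:
                s6.close()      # no usable IPv6 or no dual-stack: fall through
    for _ in range(retries):
        s4 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s4.bind(("0.0.0.0", port))
        s4.listen(5)
        chosen = s4.getsockname()[1]        # the real port when port == 0
        try:
            s6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        except OSError:
            return [s4]                     # IPv6 not available at all
        try:
            # V6ONLY=1 so the two sockets own disjoint families; with it off
            # (the Unix default) the second bind typically fails EADDRINUSE.
            s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
            s6.bind(("::", chosen))
            s6.listen(5)
            return [s4, s6]
        except (OSError, AttributeError) as e:
            s6.close()
            if getattr(e, "errno", None) != errno.EADDRINUSE:
                return [s4]                 # v6 unusable here: serve v4 only
            s4.close()                      # port taken on v6: pick another
            if port != 0:
                raise                       # a fixed port cannot be retried
    raise OSError("no port free on both address families after retries")


if __name__ == "__main__":
    for s in open_listeners(0):
        print(s.family, s.getsockname())
        s.close()
```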
  • urahonkyurahonky Registered User regular
    Has anyone ever used Beyond Compare? Can you tell me if it's worth the money?

  • bowenbowen How you doin'? Registered User regular
    Pft, side by side in sublime.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • admanbadmanb unionize your workplace Seattle, WARegistered User regular
    I admit I don't do a lot of complicated merging, but do you really need anything more complicated than WinMerge?

  • InfidelInfidel Heretic Registered User regular
    admanb wrote: »
    I admit I don't do a lot of complicated merging, but do you really need anything more complicated than WinMerge?

    WinMerge is likely more than enough.

  • urahonkyurahonky Registered User regular
    Noted. I'll install it and give it a shot... Thanks guys.

  • baronfelbaronfel Would you say I have a _plethora_?Registered User regular
    We use BeyondCompare at work and it's sexy and all, but I'm not sure what practical advantages it gives above and beyond WinMerge. You could also check out KDiff, which is what we used before the move to BC.

  • Gilbert0Gilbert0 North of SeattleRegistered User regular
    baronfel wrote: »
    We use BeyondCompare at work and it's sexy and all, but I'm not sure what practical advantages it gives above and beyond WinMerge. You could also check out KDiff, which is what we used before the move to BC.

    Same. We have a bunch of licenses at work but there are several free comparables.

  • smokmnkysmokmnky Registered User regular
    Even as "old" as it is, why is TextMate so good? Seriously I love it

  • GnomeTankGnomeTank What the what? Portland, OregonRegistered User regular
    edited May 2012
    BeyondCompare is probably the best diff/merge tool I've ever used, but really there is such a small relative gap in functionality, that I'm not sure "best" even matters enough to pay money for it. I use it at work where the company pays for it, but at home I just use KDiff.

    GnomeTank on
    Sagroth wrote: »
    Oh c'mon FyreWulff, no one's gonna pay to visit Uranus.
    Steam: Brainling, XBL / PSN: GnomeTank, NintendoID: Brainling, FF14: Zillius Rosh SFV: Brainling