
[Programming] Reinventing equality, one language at a time


Posts

  • Echo (ski-bap ba-dap, Moderator)
    (image)

  • Infidel (Heretic, Registered User)
    I... I found a bug.

  • ecco the dolphin (Registered User)
    Doesn't look const correct either. Eyeball function doesn't modify any member variables, so could be const.

    Penny Arcade Developers at PADev.net.
  • thatassemblyguy (Janitor of Technical Debt, Registered User)
    Echo wrote: »
    (image)

    They just had to allow universal-character-names into the spec, didn't they?

  • ecco the dolphin (Registered User)
    edited July 2017
    To be fair, we're very English-centric here with an amazing English bias.

    Would this help developers in countries where English is not common?

  • Orca (Also known as Espressosaurus Wrex, Registered User)
    My head just exploded.

  • LD50 (Registered User)
    Also, the cherry eyeball function spits out a watermelon.

  • Orca (Also known as Espressosaurus Wrex, Registered User)
    There's one definite bug, one probable one, and two unused types.

    Turn on -Wunused!

  • LD50 (Registered User)
    They instantiate the monkey enum and then never use it. Same with the strawberry struct. They #define evil and true and never use them. Same with time.

  • Orca (Also known as Espressosaurus Wrex, Registered User)
    Too bad April Fools is already over. This would have been fantastic to put into a code review at work.

  • thatassemblyguy (Janitor of Technical Debt, Registered User)
    ecco the dolphin wrote: »
    To be fair, we're very English-centric here with an amazing English bias.

    Would this help developers in countries where English is not common?

    Yeah, I agree with the adoption for non-English developers.

    I'm fuzzy on my emoji/Unicode historical timeline, but I don't think 2007 had emojis in the Unicode spec yet. This is just a hilarious reminder of how things can go in unexpected ways.

  • LD50 (Registered User)
    This actually came up in the sysadmin thread a month or so ago. Windows file/path names, users, passwords, etc are all unicode.

  • Orca (Also known as Espressosaurus Wrex, Registered User)
    Time to commit a file to the repo with a dogshit emoji for its filename

  • LD50 (Registered User)
    Do you think emoji work with combining characters? I think the world needs a spicy accented red pepper.

  • Baron Dirigible (Registered User)
    LD50 wrote: »
    Do you think emoji work with combining characters? I think the world needs a spicy accented red pepper.
    Sure, you can, but why stop there?
    (images)

  • Infidel (Heretic, Registered User)
    Holy shit, I didn't realize the family emojis were compound but that makes sense.

  • Melkster (Registered User)
    LD50 wrote: »
    zeeny wrote: »
    Wut wut. Don't suggest using UUID's as salts guys!

    I'm not suggesting he use UUIDs as salts. He's not actually using the data as a salt but as a unique identifier in the database (if I understood what he said earlier correctly).

    It's my bad for using poor language to describe this problem.

    The problem I've been talking about is not one of hashing. It is inappropriate to talk about "salts," as I believe that the term "salt" specifically applies only to additional input to a one-way hashing algorithm.

    The problem we're dealing with is one of symmetric encryption. We need to store the data in a way that makes it impossible to read, unless you have the key -- in which case you should be able to get the original text. However, we don't want to use the same key for every row, as this would reveal rows that have the same information. Therefore, the key for each row should be a combination of two things: An application-level string and a row-level string. I've been (inappropriately) describing the row-level component of the key as a "salt", when I believe that it is inappropriate to use that term when referring to symmetric encryption.

    That said, I'm not sure of the advantages of using a UUID, versus a cryptographically secure randomly-generated string. My normal course of action in these types of situations is to just straight-up follow what the best practices in the industry are, but unfortunately when it comes to symmetric encryption, the "best practices" for a given situation are very complicated. Turns out that securely storing keys to encrypted information is a hard problem.

  • Infidel (Heretic, Registered User)
    I think you're using the terminology correctly here? You're adding some random prefix/suffix so that you don't have the same crypt-text for rows that have the same plain-text.

    To do that properly, use pure securely generated padding. UUIDs are not securely generated, that's all. That is the pitfall, and the recommendation against. :+1:

  • Campy (Registered User)
    What exactly does the term "securely generated" mean in this context?

  • ecco the dolphin (Registered User)
    Campy wrote: »
    What exactly does the term "securely generated" mean in this context?

    Very near impossible for an external observer to guess or predict the generated result in advance.

  • Melkster (Registered User)
    Campy wrote: »
    What exactly does the term "securely generated" mean in this context?

    Very near impossible for an external observer to guess or predict the generated result in advance.

    This is the only advantage?

    The only situation where it would be useful is if an attacker had access to the encrypted text, but not the row-level key component, right?

    BTW, I ended up using os.urandom() in Python's standard library-- https://docs.python.org/2/library/os.html#os.urandom

  • Orca (Also known as Espressosaurus Wrex, Registered User)
    I just tested, and Trace32 Feb 2017 still doesn't like going through my USB3 hub. There may be some physical compatibility issue that's been fixed with more recent hardware (I've got a 5+ year-old USB2 podbus). Oh well...

  • Echo (ski-bap ba-dap, Moderator)
    Melkster wrote: »
    Campy wrote: »
    What exactly does the term "securely generated" mean in this context?

    Very near impossible for an external observer to guess or predict the generated result in advance.

    This is the only advantage?

    The only situation where it would be useful is if an attacker had access to the encrypted text, but not the row-level key component, right?

    BTW, I ended up using os.urandom() in Python's standard library-- https://docs.python.org/2/library/os.html#os.urandom

    I work in Go and during review we just switched from math/rand to crypto/rand and called it a day.

  • LD50 (Registered User)
    urandom is suitable for cryptography so it should be fine, yeah?

  • Infidel (Heretic, Registered User)
    Campy wrote: »
    What exactly does the term "securely generated" mean in this context?

    Cryptographically secure. It's the common qualifier verbiage for when you mean random bits that are to be used for security purposes, like hashing/encryption/communications/etc.

    If you have a PRNG (pseudo-random number generator) you don't necessarily have a CSPRNG. See the above comments for how in a lot of libraries you'll have your pick/distinction of PRNG/CSPRNG.

    Being "securely generated" means using a CSPRNG and imo also following best practices on your algorithms to not introduce any flaws.

  • Kakodaimonos (Code fondler, Helping the 1% get richer, Registered User)
    You ever have a bug that took you forever to figure out because it was something so obviously wrong your eyes just skipped over it each time?

    In other news, don't make loop iterators static class variables in multithreaded code.

  • Infidel (Heretic, Registered User)
    Melkster wrote: »
    Campy wrote: »
    What exactly does the term "securely generated" mean in this context?

    Very near impossible for an external observer to guess or predict the generated result in advance.

    This is the only advantage?

    The only situation where it would be useful is if an attacker had access to the encrypted text, but not the row-level key component, right?

    BTW, I ended up using os.urandom() in Python's standard library-- https://docs.python.org/2/library/os.html#os.urandom

    Securely generated means that yes, but it's also important for everything to be securely generated as you're introducing this component into your overall encryption, which may or may not propagate any weaknesses. Real easy to do it properly so use the CSPRNG yes.

    The row-level component won't add any security to the plain-text, since without the main key on the application you can't derive the plain-text from the cipher-text and row-level key that you can view from a database dump alone. The only benefit really is that you don't leak information about the plain-text duplicates.

    This can be exploited if I have cipher-text access, and the meaning of the data can be abused due to dupes. For example, it might be sensitive information revealing a link between rows that otherwise should not be there (all from a particular client, say) but this all comes down to how sensitive the information leaked this way is.

    The other type of abuse is if I get read access to the table and I can inject plain-text, I can use known plain-text to match against cipher-text.

    e.g. if I am looking at a users table, and my credit card is encrypted, I can't decrypt your credit card but I can edit my own and see the resulting cipher-text, repeat and build up a table. Then compare my generated crypt-texts to the table and know the plain-text that it belongs to and tada, I'm pulling out credit card numbers without the key. This can be mitigated by row-level components but also by making sure you don't allow a user to generate a lot of crypt-text quickly. If I can iterate a credit card space quickly on your system then I might be able to make a full lookup table to instantly crack all your encrypted credit cards with relative quickness.

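The scheme Melkster and Infidel are discussing, as an added example that is not code from the thread or from any of the posters: one application-level key, a per-row random component (in symmetric-encryption terms this is a nonce or IV, not a salt), the deterministic variant it replaces, and the known-plaintext lookup-table attack Infidel describes against the deterministic variant. Because Python's standard library has no AES, the cipher here is a stand-in: a CTR-style keystream built from HMAC-SHA256. That is an assumption made so the example runs offline, and it is not a substitute for a vetted AEAD such as AES-GCM in production. The application key, the card numbers and the candidate list are constructed for the example; the per-row nonces come from os.urandom, the OS CSPRNG that Melkster ended up using.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16

# Assumption: the application-level key lives outside the database (config
# file, KMS, etc.). It is generated fresh here so the example runs stand-alone.
APP_KEY = os.urandom(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream using HMAC-SHA256 as the PRF.

    Stand-in for a real block cipher (stdlib has no AES). The rule it shares
    with AES-CTR: a (key, nonce) pair must never be reused, because XORing two
    ciphertexts made with the same keystream reveals the XOR of the plaintexts.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_deterministic(key: bytes, plaintext: bytes) -> bytes:
    """One key, no per-row randomness: equal plaintexts give equal ciphertexts."""
    return _xor(plaintext, _keystream(key, b"", len(plaintext)))


def encrypt_row(key: bytes, plaintext: bytes) -> bytes:
    """Fresh CSPRNG nonce per row, stored in front of the ciphertext.

    The nonce is not secret; it only has to be unpredictable and unique.
    """
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt_row(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ct, _keystream(key, nonce, len(ct)))


def duplicate_groups(ciphertexts):
    """What a reader of a database dump learns without the key: which rows
    share a plaintext. Returns lists of row indices with identical ciphertext."""
    groups = {}
    for i, ct in enumerate(ciphertexts):
        groups.setdefault(ct, []).append(i)
    return [idx for idx in groups.values() if len(idx) > 1]


def lookup_table_attack(encrypt_oracle, candidates, stored_ciphertexts):
    """Attacker who can write their own row (the oracle) and read the table.

    Encrypts every candidate plaintext, then matches the results against the
    stored ciphertexts. No key needed. Works only when encryption is
    deterministic and the candidate space is small enough to enumerate.
    """
    table = {encrypt_oracle(c): c for c in candidates}
    return {ct: table[ct] for ct in stored_ciphertexts if ct in table}


# Constructed sample data: published test card numbers, not real ones.
CARDS = [b"4111111111111111", b"5555555555554444", b"4111111111111111"]
CANDIDATES = [b"4111111111111111", b"5555555555554444", b"4012888888881881"]


def demo():
    det = [encrypt_deterministic(APP_KEY, c) for c in CARDS]
    rnd = [encrypt_row(APP_KEY, c) for c in CARDS]
    return {
        "det_dupes": duplicate_groups(det),                       # [[0, 2]]: rows 0 and 2 match
        "det_recovered": lookup_table_attack(
            lambda p: encrypt_deterministic(APP_KEY, p), CANDIDATES, det),
        "rnd_dupes": duplicate_groups(rnd),                       # []: nothing leaks
        "rnd_recovered": lookup_table_attack(
            lambda p: encrypt_row(APP_KEY, p), CANDIDATES, rnd),  # {}: oracle output never matches
        "rnd_roundtrip": all(decrypt_row(APP_KEY, b) == c for b, c in zip(rnd, CARDS)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The per-row component adds no secrecy against someone who has the application key, which is Infidel's point; what it buys is that equal plaintexts stop producing equal ciphertexts, so a dump reveals no duplicate groups and a chosen-plaintext lookup table built through the application never matches a stored value. Rate-limiting how fast a user can generate ciphertext, as suggested above, is a separate control and still worth having if any deterministic field remains.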
  • AngelHedgie (Registered User)
    Echo wrote: »
    (image)

    (image)

    XBL: Nox Aeternum / PSN: NoxAeternum / NN:NoxAeternum / Steam: noxaeternum
  • LD50 (Registered User)
    Someone just needs to recreate APL but with emoji instead of the IBM glyphs.

  • thatassemblyguy (Janitor of Technical Debt, Registered User)
    Orca wrote: »
    I just tested, and Trace32 Feb 2017 still doesn't like going through my USB3 hub. There may be some physical compatibility issue that's been fixed with more recent hardware (I've got a 5+ year-old USB2 podbus). Oh well...

    This is just so weird of a behavior. It's possible that it's related to a 2012 podbus, but that doesn't seem like it should be an issue either.

    *sigh* embedded

  • Melkster (Registered User)
    Oh, jeez.

    > I finally realized that the PIP process was a mere formality.

    Yeah... PIPs (Performance Improvement Plans) are a very bad sign. If you get one, there's a good chance that the company has decided that you're a bad fit, and they're establishing documentation in order to fire you. In the event that you sue them for discrimination on the basis of being the member of a protected class, they have the paper trail to help prove their case that they fired you for good cause.

  • LD50 (Registered User)
    Maybe I'm super jaded or something but I don't know why they even tried to improve. The problem is systemic and it has to be trickling down from upper management. The problem will never be fixed if they have the same people in charge.

  • bowen (How you doin'?, Registered User)
    I was under the impression that github was literally firing everyone now because of it.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Echo (ski-bap ba-dap, Moderator)
    The back and forth we get with code reviews before merging into dev and then merging into master to make it go live kind of makes it feel like I'm knitting.

    (image)

  • Jasconius (sword criminal, mad online, Registered User)
    Melkster wrote: »
    Oh, jeez.

    > I finally realized that the PIP process was a mere formality.

    Yeah... PIPs (Performance Improvement Plans) are a very bad sign. If you get one, there's a good chance that the company has decided that you're a bad fit, and they're establishing documentation in order to fire you. In the event that you sue them for discrimination on the basis of being the member of a protected class, they have the paper trail to help prove their case that they fired you for good cause.

    It's to protect them on a suit for any grounds.

    but yes a PIP even at the most faithful companies is functionally a demerit and a death mark

  • LD50 (Registered User)
    I mean, the alternative to a PIP is the kind of thing that someone in this very forum experienced with a superior keeping every possible mistake documented in some sort of hatefile to fall back on.

  • schuss (Registered User)
    When done properly they're good for getting someone back on track. That was a witch hunt though, and based on her notes I'm betting she could sue and win over wrongful termination.

  • Kakodaimonos (Code fondler, Helping the 1% get richer, Registered User)
    That whole team was set up to fail. In my experience, if you're coming into an organization and you're going to be making major changes to the culture, process or operations, you need to have a direct line to a C* level executive who's willing to support the goal and spend the time clearing crap out of your way. Otherwise at best you're just going to get ignored and at worst you'll be constantly undermined and sabotaged.

  • Jasconius (sword criminal, mad online, Registered User)
    Within 3 minutes of setting up error reporting emails on my development server, I started getting notices of 500s from apparently bots crawling for compromised phpMyAdmin login pages and such.

    that's pretty... aggressive
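A small triage pass for the situation Jasconius describes, added here as an example and not taken from the thread or any poster's setup: split server errors in an access log into scanner noise (clients hammering well-known admin-panel paths) and errors that deserve an email. The log lines are constructed in the common Apache/nginx "combined" layout with RFC 5737 test addresses, and the probe-path patterns are an assumption chosen for illustration; extend them for your own stack.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from a real server); IPs are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2017:12:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 500 12 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2017:12:00:01 +0000] "GET /pma/index.php HTTP/1.1" 500 12 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2017:12:00:02 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 500 12 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2017:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2017:12:00:03 +0000] "POST /api/orders HTTP/1.1" 500 88 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2017:12:00:04 +0000] "GET /wp-login.php HTTP/1.1" 500 12 "-" "Mozilla/5.0"
"""

# Parses the leading fields of a combined-format line; trailing referer/UA are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed probe signatures (hypothetical list for the example).
PROBE_PATTERNS = [
    re.compile(r"/(phpmyadmin|pma|myadmin)(/|$)", re.I),
    re.compile(r"/wp-(login|admin)", re.I),
    re.compile(r"/setup\.php$", re.I),
]


def parse_line(line: str):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_probe(path: str) -> bool:
    return any(p.search(path) for p in PROBE_PATTERNS)


def triage(log_text: str, threshold: int = 3):
    """Split a log into scanner noise and errors worth alerting on.

    Returns (scanners, real_errors). scanners maps client IP -> list of probe
    paths for any client with at least `threshold` probe hits; real_errors is
    the list of parsed 5xx records whose path is not a known probe.
    """
    hits = defaultdict(list)
    errors = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_probe(rec["path"]):
            hits[rec["ip"]].append(rec["path"])
        elif rec["status"] >= 500:
            errors.append(rec)
    scanners = {ip: paths for ip, paths in hits.items() if len(paths) >= threshold}
    return scanners, errors


if __name__ == "__main__":
    scanners, errors = triage(SAMPLE_LOG)
    for ip, paths in scanners.items():
        print(f"scanner {ip}: {len(paths)} probes, e.g. {paths[0]}")
    for rec in errors:
        print(f"real error: {rec['method']} {rec['path']} -> {rec['status']}")
```

Matching on path rather than status matters: the same probes will show up as 404s once the error handler is fixed, and a scanner that does find an exposed admin page returns 200. Routing probe hits to a counter (or a fail2ban-style block) and only the remaining 5xx records to email keeps the alert channel usable.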

This discussion has been closed.