WTF Bites


  • Considered Harmful

    @Rhywden



  • @Zecc said in WTF Bites:

    @djls45 said in WTF Bites:

    @Zecc said in WTF Bites:

    @Zecc said in WTF Bites:

    I'm trying to edit text remotely and within five minutes I have twice started mistyping symbols, first because the remote layout was "helpfully" changed, then because the local layout was "helpfully" changed.

    So this just happened.

    • Hit Shift+2 to type `"`. `"` was typed.
    • Hit Ctrl+V to paste a string. String was pasted.
    • Hit Shift+2 to type `"`. `ª` was typed.

    :facepalm:

    No combination of Ctrl, Shift, Alt, Win and Space make the keyboard language switch, if you're thinking I mispressed keys.

    Did the string on the clipboard contain locale or font information?
    WYSIWYG editors will often do something like this with typefaces, colors, and other font style attributes.

    I don't think Notepad (from which I copied) and Visual Studio (to where I pasted) do WYSIWYG.

    Ah, okay. Notepad doesn't, and Visual Studio does only when copying from its editor (allows pasting syntax-highlighted code). So, yeah, that's not it, then. 🤷🏻♂


  • Banned

    @Cursorkeys said in WTF Bites:

    I have a user like that, he likes IT and wants to help but only has superficial knowledge...generally he just breaks things, but his heart's in the right place

    I have a coworker like this. He's my manager.


  • kills Dumbledore

    @hungrier said in WTF Bites:

    [image]

    Why answer at all then?

    This sort of thing happens fairly often. I think Amazon sends emails that to the less computer literate might look like they're sent directly to the buyer as direct questions, so not responding would be rude. Hence the replies that look ridiculous on a reviews page



  • @dkf said in WTF Bites:

    It's all pretty simple unless you're wanting to also give them interactive access to the model

    We had ideas about implementing some kind of sessions later, since the parameters the user might be interested in changing interactively can actually be changed without any reallocations or costly SELECTs. But that would either require talking to a console application and not causing deadlocks due to buffering and whatnot or implementing a proper RPC.

    (One tricky bit: you need to be careful with the actual process launch, which can momentarily use quite a lot of resources due to the usual chunkiness of web servers relative to their hosting machine.)

    You mean, I should manually impose a limit on the number of subprocesses launched by the web application at the same time? Or should I be careful about something else, too?

    I wouldn't write a web application entirely in C++. It's not impossible to do, of course not, but it is miserably provided for via existing libraries by comparison with so many other languages.

    I can imagine validation code being harder to write properly. Thankfully, most of our needs could be covered by a single function. Except it uses atof of all things and might cause locale-related problems.

    Thank you for your insights!


  • Discourse touched me in a no-no place

    @aitap said in WTF Bites:

    You mean, I should manually impose a limit on the number of subprocesses launched by the web application at the same time? Or should I be careful about something else, too?

    The cost of launching a subprocess can, in some cases, relate strongly to the size of process that is doing the launching. Sometimes, webservers can run rather fat by comparison with the environment in which they're running, making subprocess launching rather expensive. It's a very minor thing in a lot of cases; servers aren't usually configured to be quite so mean with RAM any more. (And if you're used to using configurations designed for Ruby-on-Rails, none of this will make sense to you, as those tend to need insanely much resources.)



  • Don't you just love Linux? I just tried to install a Clonezilla Server. First I ran into countless key issues because either the repositories I'm supposed to add don't have their shit together or the key has issues.

    After solving that one I tried to configure the server itself. This was the point where Linux was "helpful": Because, you see, I have two network interfaces on this PC - one built-in and one USB adapter.

    Only one is connected to the regular LAN because the other one (as per the documentation) will provide DHCP services. And I deemed it easier to have two separate networks.

    There's just this one bit: Debian helpfully recognizes that one of the two cards is not connected to an actual network (just connected to a switch) and turns that card off. Mucking about with /etc/network/interfaces (or whatever) doesn't remove that annoying habit.

    Thus the server config tool whines that there's only one network card (even though both ifconfig and ip address show both cards just fine) and I'm a bit annoyed.


  • Notification Spam Recipient

    @Rhywden said in WTF Bites:

    turns that card off.

    Turn it back on then?



  • @Tsaukpaetra Yeah. But, as I said, ifconfig reported the interface as "up" but networkmanager said it's down. Not sure where the problem lies.

    Currently trying to use their Live system - this one runs from a USB stick which had no problems with the interfaces for some reason (apart from a moronic "30 second timeout for wifi")

    But that system had two problems:
    a) PXE boot was not reliable - the client recognized the presence of PXE but somehow failed to fetch the image, running into timeout sometimes.
    b) Upon shutdown the USB drive was severely corrupted which necessitated the use of dd to make the stick work again because Windows diskpart wanted no part of it.


  • Considered Harmful

    Instagram stored your passwords as plaintext (and we only got to know thanks to the GDPR).
    Instagram. Part of fucking Facebook that runs like what, a quarter of all page impressions on the Intertubes? In plaintext. :facepalm:
    When I buy a used car for $5000 I take it to a mechanic to make sure it passes basic security checks -- brakes doing what they should, no leaking shit in hidden places etc. Apparently Facebook has a CSO who doesn't see it as his job to do the same when they buy a used company for $1b.



  • The company informed users that if they had used the “download your data” tool, their passwords were accidentally exposed because they were included in the URL. (...) a company spokesperson downplayed the issue, saying that the company only stores password hashes.

    So, plaintext passwords and including passwords in URLs. And when they get caught with the hand in the cookie jar, they still deny it.

    sigh

    We need to bring back tarring and feathering.


  • Grade A Premium Asshole

    @Rhywden said in WTF Bites:

    ...but networkmanager said it's down. Not sure where the problem lies.

    Networkmanager. If your network is wired, there's really no reason to use it other than inertia.

    Some software is evergreen. Networkmanager is everbuggy, always in headscratching ways.



  • @bugmenot Solved the issue: It seems that editing /etc/network/interfaces by hand is now deprecated.

    Instead you need to do the following:

    Use netplan to create a YAML file which describes your network interfaces.
    Edit this YAML file
    Use netplan to apply this file

    Now both interfaces are shown as online even though /etc/network/interfaces doesn't really look different from what I entered before.



  • @LaoC said in WTF Bites:

    Instagram stored your passwords as plaintext (and we only got to know thanks to the GDPR).

    The linked article actually says:

    The company informed users that if they had used the “download your data” tool, their passwords were accidentally exposed because they were included in the URL.

    As I see it, this could happen without storing passwords as plaintext. Behold:

    <form action="/getmydata">
      <input type="text" name="username" />
      <input type="password" name="password" />
      <button type="submit">Give me my data</button>
    </form>
    

    The problem? <form> without a method="POST" submits data via GET, and all the form data, including your password, ends up in the URL and all the logs. Not stored with all other data they have, just leaking here and there. Still a big fuckup, but not "lol plaintext passwords" level.
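As an added example (not code from the post, and nothing to do with Instagram's actual implementation), here is in C what a browser does with that form with and without method="POST", plus a server-side check over an access-log line; the field names and /getmydata action come from the form above, and the log line is constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Browser-style application/x-www-form-urlencoded encoding of one field value:
 * letters, digits and "*-._" pass through, a space becomes '+', everything
 * else becomes %XX. Returns the number of characters written. */
static size_t form_encode(const char *in, char *out, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p != '\0'; p++) {
        if (isalnum(*p) || strchr("*-._", *p) != NULL) {
            if (n + 1 >= cap) break;
            out[n++] = (char)*p;
        } else if (*p == ' ') {
            if (n + 1 >= cap) break;
            out[n++] = '+';
        } else {
            if (n + 3 >= cap) break;
            out[n++] = '%';
            out[n++] = hex[*p >> 4];
            out[n++] = hex[*p & 0x0F];
        }
    }
    out[n] = '\0';
    return n;
}

/* What a browser sends for the form above. With no method attribute the
 * submission is a GET, so both fields become the request target's query
 * string, the part that access logs, proxies, Referer headers and browser
 * history all record. With method="POST" the target stays clean and the
 * fields travel in the body instead. */
void form_request(const char *method, const char *action, const char *username,
                  const char *password, char *target, size_t tcap,
                  char *body, size_t bcap)
{
    char u[256], p[256], fields[600];
    form_encode(username, u, sizeof u);
    form_encode(password, p, sizeof p);
    snprintf(fields, sizeof fields, "username=%s&password=%s", u, p);
    if (strcmp(method, "POST") == 0) {
        snprintf(target, tcap, "%s", action);
        snprintf(body, bcap, "%s", fields);
    } else {                            /* absent or "GET": credentials in the URL */
        snprintf(target, tcap, "%s?%s", action, fields);
        body[0] = '\0';
    }
}

/* Server-side detection over one access-log line (Common Log Format): true
 * when the request target carries a query parameter named like a credential,
 * i.e. the log needs redacting and some form is submitting secrets via GET. */
bool log_line_leaks_credential(const char *line)
{
    static const char *const names[] = { "password=", "passwd=", "pwd=", "pass=" };
    const char *q = strchr(line, '?');
    if (q == NULL) return false;
    const char *end = strchr(q, ' ');   /* the target ends before "HTTP/1.x" */
    if (end == NULL) end = line + strlen(line);
    for (const char *p = q + 1; p != NULL && p < end; ) {
        for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
            if (strncmp(p, names[i], strlen(names[i])) == 0) return true;
        const char *amp = memchr(p, '&', (size_t)(end - p));
        p = amp ? amp + 1 : NULL;
    }
    return false;
}

/* Constructed sample line, not a real log: what the GET form leaves behind. */
static const char sample_log[] = "203.0.113.5 - - [18/Nov/2018:10:00:00 +0000] "
    "\"GET /getmydata?username=alice&password=hunter2 HTTP/1.1\" 200 1234";
```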


  • BINNED

    @DCoder said in WTF Bites:

    Still a big fuckup, but not "lol plaintext passwords" level.

    Eh, I feel like it's possibly worse, as frontend security ought to be a bigger concern than internal. Plaintext is "only" an issue if someone breaches your database or an untrustworthy employee has a snoop. Sending passwords through GET affects anyone who uses the form at any point.



  • @kazitor Fair points. But the number of people who actually used the GDPR form is much much lower than the overall number of people in their databases, and each form usage only reveals that one user's password, not everyone's.


  • BINNED

    @DCoder True, plaintext in the database is less likely to cause huge problems but has a much higher volume of potential for disaster.



  • WTF of the day: I'm using code that a cow-orker wrote to import/export data to a specific format. So, get the application running, load data from database, then use the export function to get the data to a file. Check the file, looks good. Nice. Now for reloading. Start again, use the import function. Uh, nothing happens. OK, having an error message would be nice but maybe the file is actually malformed, let's look a bit more closely at it? Oh wait, the file is still there but it's empty...

    So, not only did he manage to write a buggy import function, he also managed to make it buggy in such a way that it actually deletes all the content of the file!

    I guess that's what he meant when he said that the import function was "consuming data"... 🍽



  • @remi ... and the bug was just a simple typo that caused the "file open mode" to be uninitialized. In my case, it happened to therefore be initialized to a value that meant "truncate file", hence the 0-size after opening the file. This might actually explain why he didn't see the bug as he's mainly working on a different platform than I do and it might well be that on his platform the variable ends up initialized to a different value that worked for him. Proper tests (what's that?) would probably have helped but... :mlp_shrug: Could have been worse.



  • @remi It's totally understandable, fopen("backup.bak","r") can easily turn into fopen("backup.bak","delete the entire file with extreme prejudice"); the keys are right next to each other.
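An added example in C, not the code the two posts above describe: one way to make a "file open mode" fail closed, so a mode that was never set refuses the open instead of landing on a string that truncates the file. The enum, the import/export names and the scratch path under /tmp are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Open modes the (hypothetical) import/export code needs, as an explicit
 * enum. Zero is deliberately the "never chosen" value, since that is what an
 * accidentally uninitialised variable often holds on a zeroing platform. */
enum io_mode { IO_MODE_UNSET = 0, IO_MODE_IMPORT = 1, IO_MODE_EXPORT = 2 };

/* Translate the enum to an fopen() mode string. Every enumerator is listed,
 * so gcc -Wall (-Wswitch) complains if a mode is added without a mapping, and
 * anything unknown yields NULL rather than a writable, truncating default. */
static const char *fopen_mode_for(enum io_mode mode)
{
    switch (mode) {
    case IO_MODE_IMPORT: return "rb";   /* read only: can never truncate */
    case IO_MODE_EXPORT: return "wb";   /* the one mode that truncates */
    case IO_MODE_UNSET:  return NULL;
    }
    return NULL;                        /* out-of-range integer cast to the enum */
}

/* Fail-closed wrapper: the file is not touched unless the mode was set. */
FILE *open_data_file(const char *path, enum io_mode mode)
{
    const char *m = fopen_mode_for(mode);
    if (m == NULL) {
        fprintf(stderr, "refusing to open %s: mode %d was never set\n", path, (int)mode);
        return NULL;
    }
    return fopen(path, m);
}

/* Size of a file in bytes, or -1 if it cannot be opened for reading. */
long data_file_size(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;
    fseek(f, 0, SEEK_END);
    long size = ftell(f);
    fclose(f);
    return size;
}

/* Replays the thread's scenario on a scratch file: export five bytes, then
 * "import" with a mode that was never set. Returns the size afterwards, which
 * stays 5 because the bad open was refused; -1 means the export itself failed. */
long demo_unset_mode_is_refused(const char *path)
{
    FILE *out = open_data_file(path, IO_MODE_EXPORT);
    if (out == NULL) return -1;
    fputs("hello", out);
    fclose(out);

    enum io_mode mode = IO_MODE_UNSET;  /* stands in for the forgotten initialiser */
    FILE *in = open_data_file(path, mode);
    if (in != NULL) fclose(in);         /* not reached: the open is refused */
    return data_file_size(path);
}

int main(void)
{
    /* Assumed scratch path; any writable location will do. */
    long size = demo_unset_mode_is_refused("/tmp/wtf_bites_import_demo.dat");
    printf("file size after the refused import: %ld\n", size);
    return size == 5 ? 0 : 1;
}
```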


  • Considered Harmful

    @DCoder said in WTF Bites:

    @LaoC said in WTF Bites:

    Instagram stored your passwords as plaintext (and we only got to know thanks to the GDPR).

    The linked article actually says:

    The company informed users that if they had used the “download your data” tool, their passwords were accidentally exposed because they were included in the URL.

    As I see it, this could happen without storing passwords as plaintext. Behold:

    <form action="/getmydata">
      <input type="text" name="username" />
      <input type="password" name="password" />
      <button type="submit">Give me my data</button>
    </form>
    

    Certainly a possibility, although one would think they'd use their regular login form as opposed to some 90s abomination ad-hoc hacked up by the intern, and then use the session ID in that tool like on any other part of the site.
    I hope the Sophos guy has looked at the HTML when he says what happened shouldn't be possible without a stored plaintext password.


  • Discourse touched me in a no-no place

    @remi said in WTF Bites:

    and the bug was just a simple typo that caused the "file open mode" to be uninitialized

    *nervous twitch*



  • @LaoC said in WTF Bites:

    and then use the session ID in that tool like on any other part of the site.

    In their defense, it kind of makes sense to add an extra "let's be really sure that this person is actually who they say and not someone who stole their session id/jumped on the computer while the actual owner went to the bathroom". Except they did it incompetently.



  • @dkf said in WTF Bites:

    @remi said in WTF Bites:

    and the bug was just a simple typo that caused the "file open mode" to be uninitialized

    *nervous twitch*

    It was clearly a copy-paste badly edited. Not sure if that's reassuring or not...

    Note that when I said a "simple typo", I didn't imply that it was a minor bug without any repercussion. It's just that that bug itself was tiny and the mental process that led to it was also pretty simple (it's not like there were 100's of lines of convoluted and faulty logic that needed entirely rewriting). Now for the rest... our team's way of working is probably worthy of many front page articles (inb4...), and that's just one example!


  • Discourse touched me in a no-no place

    @remi It's the whole thought that a compiler or interpreter could usefully keep going on with an uninitialised variable and do something that even sometimes works that just gives me the heebie-jeebies.



  • @dkf Welcome to C/C++...


  • Discourse touched me in a no-no place

    @remi Tell your compiler to not let you do that.



  • @remi Although ISTR that Visual Studio is doing something that's not entirely stupid in that case, something along the lines of initialising to 0 (when possible) in release mode and to some-non-zero value in debug mode, which more or less guarantees that you'll see maximum weirdness in debug (thus ensuring you'll catch the bug) and reasonable behaviour in release (to minimize actual weirdness for users). Not sure if that's really a good idea, but I guess in that case anything is a bad idea anyway, so...



  • @dkf said in WTF Bites:

    @remi Tell your compiler to not let you do that.

    The day all system and 3rd-party libraries compile with that flag, I would happily turn it on...

    (I think the issue is that in some weird syntaxes the compiler can't really know easily, so while there is a warning there are some false positives and of course complex code, in particular low-level libraries, is bound to use that syntax from time to time...)

    EDIT: the most trivial case is stuff like int i; if (...) i = 0; else i = 1; which triggers the warning but is actually fine -- of course that specific code can easily be fixed by initialising i in the declaration, but as soon as some 3rd-party code does this, you're screwed until you get the vendor to fix it, and good luck to tell them it's a high-priority item.


  • Discourse touched me in a no-no place

    @remi said in WTF Bites:

    I think the issue is that in some weird syntaxes the compiler can't really know easily

    The solution there is trivial: assume uninitialised unless you can prove otherwise. Indeed, the compiler damn well ought to know everything that is going on except for memory-mapped I/O, and if you're using memory-mapped I/O to initialise the flag for opening a file, you're doing something terribly, horribly, eye-wateringly, gut-wrenchingly WRONG. (And yes, compilers can definitely get this right. Flow analysis makes it easy to determine, and that's how all compilers worth the name work these days.)



  • @dkf I have no idea how VS or gcc (the two compilers we use) work, except that in that specific case they never spouted a warning on that code, trivial or not. Why that is so (except variations of "b/c they're crap"), your guess is probably much better than mine since I'm in no way a compiler expert.

    So at that point... yes that was bad code, yes in theory the compiler should have caught it but for some reason it didn't, and yes our development methodology should have caught it but it also didn't (see my comment above about it being front-page worthy). I'm slowly trying to work on that last one, I don't see what more I can do apart from fixing the bug when I see it.



  • @remi The last time I used VS, which is a decade or two ago, it defaulted to setting everything to 0 in debug compiles, but in prod compiles it just left the memory as whatever it happened to be. It did it that way because it was faster to not initialize everything, and in debug, everything is slow anyway.


  • Considered Harmful

    @Carnage said in WTF Bites:

    @remi The last time I used VS, which is a decade or two ago, it defaulted to setting everything to 0 in debug compiles, but in prod compiles it just left the memory as whatever it happened to be. It did it that way because it was faster to not initialize everything, and in debug, everything is slow anyway.

    Seems designed to keep a certain element of surprise in the release process.


  • Considered Harmful

    @LaoC It's your own damn fault for not initializing memory. Same way Rust integer overflows give you panics in debug and wrap-arounds in prod.


  • Considered Harmful

    @pie_flavor said in WTF Bites:

    @LaoC It's your own damn fault for not initializing memory.

    Yes, iff it emits a warning.

    Same way Rust integer overflows give you panics in debug and wrap-arounds in prod.

    That's exactly the other way round, and it makes sense. It makes errors raise big red flags in testing (at least if you do proper testing, otherwise there's little the compiler can do) instead of making everything nice and deterministic and probably-what-you-wanted-anyway in testing and unpredictably heisenbuggy in production.



  • @remi said in WTF Bites:

    @dkf I have no idea how VS or gcc (the two compilers we use) work, except that in that specific case they never spouted a warning on that code, trivial or not. Why that is so (except variations of "b/c they're crap"), your guess is probably much better than mine since I'm in no way a compiler expert.

    So at that point... yes that was bad code, yes in theory the compiler should have caught it but for some reason it didn't, and yes our development methodology should have caught it but it also didn't (see my comment above about it being front-page worthy). I'm slowly trying to work on that last one, I don't see what more I can do apart from fixing the bug when I see it.

    gcc -Wall -Wextra -pedantic

    cl /Wall

    ❓


  • Banned

    @Carnage said in WTF Bites:

    @remi The last time I used VS, which is a decade or two ago, it defaulted to setting everything to 0 in debug compiles, but in prod compiles it just left the memory as whatever it happened to be. It did it that way because it was faster to not initialize everything, and in debug, everything is slow anyway.

    Dunno about earlier versions, but VC2008 and later all initialize memory in debug with weird patterns like 0xCDCDCDCD - so it's easy to see what's uninitialized and (almost) make sure it crashes on read.



  • @djls45 said in WTF Bites:

    @remi said in WTF Bites:

    @dkf I have no idea how VS or gcc (the two compilers we use) work, except that in that specific case they never spouted a warning on that code, trivial or not. Why that is so (except variations of "b/c they're crap"), your guess is probably much better than mine since I'm in no way a compiler expert.

    So at that point... yes that was bad code, yes in theory the compiler should have caught it but for some reason it didn't, and yes our development methodology should have caught it but it also didn't (see my comment above about it being front-page worthy). I'm slowly trying to work on that last one, I don't see what more I can do apart from fixing the bug when I see it.

    gcc -Wall -Wextra -pedantic

    cl /Wall

    ❓

    @remi said in WTF Bites:

    The day all system and 3rd-party libraries compile with that flag, I would happily turn it on...



  • @Gąska Yeah, I think I got it wrong, it's the other way round from what I thought. The point is, different compilers initialize uninitialized memory (yeah, I know...) in different ways, and some try to do it in some way that helps you catch the error, which does help a tiny little bit...


  • Banned

    This post is deleted!


  • @dkf said in WTF Bites:

    The cost of launching a subprocess can, in some cases, relate strongly to the size of process that is doing the launching.

    Do you mean the cost of forking? I thought modern Unices had more or less cheap fork because of copy-on-write (and there is also posix_spawn) and Windows wasn't supposed to have this problem because of their spawning model.
    Any keywords I could search to read up more?


  • Banned

    @aitap embedded.


  • BINNED

    @aitap said in WTF Bites:

    @dkf said in WTF Bites:

    The cost of launching a subprocess can, in some cases, relate strongly to the size of process that is doing the launching.

    Do you mean the cost of forking? I thought modern Unices had more or less cheap fork because of copy-on-write (and there is also posix_spawn)

    Creating a shit-ton of cow-pages from your CAD program just to spawn notepad and throw them all away immediately after is still the most retarded thing imaginable. But hey, at least Thompson or whoever wrote that could squeeze it in a few lines 50 years ago.



  • @DCoder said in WTF Bites:

    @kazitor Fair points. But the number of people who actually used the GDPR form is much much lower than the overall number of people in their databases, and each form usage only reveals that one user's password, not everyone's.

    But are the GDPR form, the system that processes the form data and generates those exports, and the system that holds the finished exports all secured properly?


  • Notification Spam Recipient

    @remi said in WTF Bites:

    to be uninitialized

    Speaking of, en route to trying to make the game servers run on Linux I discovered apparently it's a Bad Idea to initialize variables out of order. Who knew?


  • Java Dev

    @remi said in WTF Bites:

    ... and the bug was just a simple typo that caused the "file open mode" to be uninitialized. [...] Proper tests (what's that?) would probably have helped but... :mlp_shrug: Could have been worse.

    No, including -Wall -Wextra in your CFLAGS would have helped. And -Werror, if you can't get a proper warning policy through to them.


  • Java Dev

    @remi said in WTF Bites:

    @djls45 said in WTF Bites:

    @remi said in WTF Bites:

    @dkf I have no idea how VS or gcc (the two compilers we use) work, except that in that specific case they never spouted a warning on that code, trivial or not. Why that is so (except variations of "b/c they're crap"), your guess is probably much better than mine since I'm in no way a compiler expert.

    So at that point... yes that was bad code, yes in theory the compiler should have caught it but for some reason it didn't, and yes our development methodology should have caught it but it also didn't (see my comment above about it being front-page worthy). I'm slowly trying to work on that last one, I don't see what more I can do apart from fixing the bug when I see it.

    gcc -Wall -Wextra -pedantic

    cl /Wall

    ❓

    @remi said in WTF Bites:

    The day all system and 3rd-party libraries compile with that flag, I would happily turn it on...

    -isystem instead of -I for your third party headers. Not sure what the VS equivalent is.


  • Java Dev

    @aitap said in WTF Bites:

    @dkf said in WTF Bites:

    The cost of launching a subprocess can, in some cases, relate strongly to the size of process that is doing the launching.

    Do you mean the cost of forking? I thought modern Unices had more or less cheap fork because of copy-on-write (and there is also posix_spawn) and Windows wasn't supposed to have this problem because of their spawning model.
    Any keywords I could search to read up more?

    Copying the page table is still pretty expensive, and I don't think Linux has a posix_spawn system call yet. Having it as a library doesn't solve any performance problems.



  • @Zerosquare said in WTF Bites:

    We need to bring back tarring and feathering.

    TheDailyWTF?
    Oh, literal TaF - I approve.



  • @Gąska said in WTF Bites:

    @aitap embedded.

    @topspin said in WTF Bites:

    Creating a shit-ton of cow-pages just to <...> throw them all away immediately after is still the most retarded thing imaginable.

    @PleegWat said in WTF Bites:

    Copying the page table is still pretty expensive,

    Right, thank you. Making an option cheaper than the most expensive one may still leave it expensive.

    and I don't think linux has a posix_spawn system call yet. Having it as a library doesn't solve any performance problems.

    For what it's worth, glibc tries to squeeze some extra juice and avoid copying page tables (AFAIU). But yeah, that's not a separate syscall.

