WTF Bites



  • @dcon You can also click the timestamp to reload it



  • @mott555 Layers are 20 predefined groups you can put stuff in so you can select, show, hide, or run some sort of process on or based on, all of them at once. Scenes are reusing the data in one Blender file to create a whole other Blender file, except they're still only one file. Neither gets involved much in 3D printing, since turning layers on and off tends to screw with manifoldness and you usually model related parts next to each other instead of in separate scenes.


  • Considered Harmful

    It's not like OpenBSD had a bad security record, but this remote authentication bypass is so stupid it hurts:



  • WTF of my day: So, I had some issues with our „default“ parcel service DHL („default“ because you rarely get to choose when ordering online).

    In order to prevent some of those issues (mostly due to me not being at home when the parcel arrives), I signed up for their delivery stations.

    It‘s a service where there are special automated stations about 500 m to 1 km from your home which you can have a parcel sent to. Upon delivery you get a special code (through their app) and then can open one of the doors on this station your package is behind.

    On Monday I ordered something to be delivered to this station for the first time. The order was a repeat, so I know the package is not too big.

    By Monday evening the parcel appeared on the app‘s tracker with an estimated delivery date of Wednesday. Wednesday morning the app stated: „Parcel has arrived at the local distribution center in Hamburg and is now being loaded on the delivery driver‘s car“

    Nothing more happened on Wednesday.

    Today the app sent me a push notification: „Your parcel will be delivered on Friday the 6th!“

    Huh?

    But if I go into the app itself and look at the delivery details, it says: „Delivered“. But it also says: „The parcel is being prepared for delivery to the target destination.“

    Wut? It‘s already here, why does it need to be shipped again?

    Well, turns out that if you go to the WEBSITE and check the status there, it says: „Return to sender“.

    Why? I don‘t know yet.

    Also: They made a big fuss about making sure that I’m actually the person I say I am and that I‘m living where I say I do - the whole thing is tightly coupled to an existing physical address!

    So, even if there was some problem with that station - why don‘t they try to deliver to my actual address (which they know), or at least deliver to the central parcel station? Keep in mind, this central station is the one I have to go to if I‘m not at home when a parcel arrives...


  • Fake News

    @Rhywden said in WTF Bites:

    So, even if there was some problem with that station - why don‘t they try to deliver to my actual address (which they know), or at least deliver to the central parcel station? Keep in mind, this central station is the one I have to go to if I‘m not at home when a parcel arrives...

    Maybe the reasoning goes that if you went through all that trouble to get a spot at a delivery station, the contents of your packages might be too embarrassing to turn up at your (or your neighbor's) door. In that case it makes some sense to take that package back, though actually getting some confirmation per package would be nice...


  • BINNED

    @LaoC said in WTF Bites:

    It's not like OpenBSD had a bad security record, but this remote authentication bypass is so stupid it hurts:

    It's common wisdom in SQL that you need to protect against SQL injection, e.g. by using prepared statements instead of building query strings manually. But for some reason it seems perfectly acceptable for UNIX stuff to use command line arguments as an "API" instead of, you know, actually putting functionality in libraries with a real API.


  • ♿ (Parody)

    @topspin said in WTF Bites:

    @LaoC said in WTF Bites:

    It's not like OpenBSD had a bad security record, but this remote authentication bypass is so stupid it hurts:

    It's common wisdom in SQL that you need to protect against SQL injection, e.g. by using prepared statements instead of building query strings manually. But for some reason it seems perfectly acceptable for UNIX stuff to use command line arguments as an "API" instead of, you know, actually putting functionality in libraries with a real APBI.

    I think a lot of internet noise on this subject would be reduced if we talked about that in terms of ABI, not API.



  • @JBert said in WTF Bites:

    @Rhywden said in WTF Bites:

    So, even if there was some problem with that station - why don‘t they try to deliver to my actual address (which they know), or at least deliver to the central parcel station? Keep in mind, this central station is the one I have to go to if I‘m not at home when a parcel arrives...

    Maybe the reasoning goes that if you went through all that trouble to get a spot at a delivery station, the contents of your packages might be too embarrassing to turn up at your (or your neighbor's) door. In that case it makes some sense to take that package back, though actually getting some confirmation per package would be nice...

    They actually advertise on their page that if the parcel, for whatever reason, does not fit into the station, they'll divert it to the next central station instead.

    But I now know why they did it this way: The sender did a small mixup and switched the address around.

    I.e, instead of:

    John Doe
    99228855
    Parcel station 123
    12345 Hamburg

    they did a

    John Doe
    Parcel station 123
    99228855
    12345 Hamburg

    The long number is my DHL ID number.

    This is of course completely verboten! Never mind that
    a) the parcel made it all the way to the parcel station before being rejected,
    b) all necessary information is still on there,
    c) the app clearly was able to identify me from this info, as the parcel shipping info appeared in the app without me doing anything,
    d) getting the parcel from the central station would require me to show my National ID card, so it's not as if I could simply steal the parcel without anyone being the wiser...



  • @Rhywden ah. The joys of jobsworths. That kind of "Even though it can't cause any problems for anyone and makes everyone's lives easier, it's not technically allowed which means you can't do it" attitude is such fun for all ages.



  • @Rhywden said in WTF Bites:

    if I go into the app itself and look at the delivery details, it says: „Delivered“. But it also says: „The parcel is being prepared for delivery to the target destination.“

    Did you order Schrödinger's cat?



  • @Zerosquare said in WTF Bites:

    @Rhywden said in WTF Bites:

    if I go into the app itself and look at the delivery details, it says: „Delivered“. But it also says: „The parcel is being prepared for delivery to the target destination.“

    Did you order Schrödinger's cat?

    It would actually be a trinary in this case:

    • the parcel is delivered
    • the parcel will be delivered
    • the parcel will not be delivered

  • Java Dev

    @Rhywden By your telling, when the third option came along the waveform collapsed.



  • @PleegWat Though, we really should make it more fitting to the theme of the forum:

    bool isPackageDelivered {
       true,
       false,
       RETURN_TO_SENDER
    }
    

  • ♿ (Parody)

    👩🏿 We need to change the Foo report. We use this to give to our contractor every month and currently we have to manipulate it a lot before we can give it to them. Can you remove this stuff and make $these changes?

    boomzilla Does anyone else (other organizations there) use this report? Are these changes OK with them?

    👩🏿 We'll check.

    ...next weekly meeting...

    👩🏿 What's the status of the Foo report?

    boomzilla Did you find out if anyone else (other organizations there) use this report? Are these changes OK with them?

    👩🏿 We checked. Go ahead and make the changes!

    ...changes were made...

    👩🏿 tests the updated report and gives it the thumbs up

    ...a few days pass...

    👩🏿 URGENT! OtherOrg needs $data back on the report!

    LOLGF



  • @boomzilla said in WTF Bites:

    URGENT! OtherOrg needs $data back on the report!

    and of course it's somehow your fault that the data is missing.... yep. there's no way 👩🏿 could possibly be responsible for that. nope. absolutely impossible.



  • @boomzilla As usual, it's more effective to change things without asking first, and then see who complains about it.


  • BINNED

    @boomzilla said in WTF Bites:

    @topspin said in WTF Bites:

    @LaoC said in WTF Bites:

    It's not like OpenBSD had a bad security record, but this remote authentication bypass is so stupid it hurts:

    It's common wisdom in SQL that you need to protect against SQL injection, e.g. by using prepared statements instead of building query strings manually. But for some reason it seems perfectly acceptable for UNIX stuff to use command line arguments as an "API" instead of, you know, actually putting functionality in libraries with a real APBI.

    I think a lot of internet noise on this subject would be reduced if we talked about that in terms of ABI, not API.

    Not sure what you're trying to point out here. Using their examples, an API is something like

    struct passwd *getpwnam(const char *name);
    

    An ABI additionally defines details like order of parameters (only one here), if things get passed on the stack or in registers, etc. Of course you also need compatible ABI, but that's not usually a problem when things are compiled from the same source and with the same compiler.

    On the other hand, with an "API" in scare quotes I meant executing a process like

    $ passwd boomzilla
    

    and passing text as input/output.



  • @topspin said in WTF Bites:

    it seems perfectly acceptable for UNIX stuff

    There's also the common pattern of "curl this shell script directly into your command line as root"


  • Java Dev

    @hungrier said in WTF Bites:

    @topspin said in WTF Bites:

    it seems perfectly acceptable for UNIX stuff

    There's also the common pattern of "curl this shell script directly into your command line as root"

    :eek:



  • @hungrier said in WTF Bites:

    There's also the common pattern of "curl this shell script directly into your command line as root"

    Yes, but how different is that really from "download this installer.exe and run it as rootAdministrator"? If the installation process needs root, there's not really much you can do other than trust the source.

    At least with the shell script you can decide to first download and try to decipher it and figure out what it does. That said, I think that most people would have about the same chance of actually spotting an intentional exploit as they would with reading the raw machine code.


  • ♿ (Parody)

    @topspin said in WTF Bites:

    @boomzilla said in WTF Bites:

    @topspin said in WTF Bites:

    @LaoC said in WTF Bites:

    It's not like OpenBSD had a bad security record, but this remote authentication bypass is so stupid it hurts:

    It's common wisdom in SQL that you need to protect against SQL injection, e.g. by using prepared statements instead of building query strings manually. But for some reason it seems perfectly acceptable for UNIX stuff to use command line arguments as an "API" instead of, you know, actually putting functionality in libraries with a real APBI.

    I think a lot of internet noise on this subject would be reduced if we talked about that in terms of ABI, not API.

    Not sure what you're trying to point out here. Using their examples, an API is something like

    struct passwd *getpwnam(const char *name);
    

    An ABI additionally defines details like order of parameters (only one here), if things get passed on the stack or in registers, etc. Of course you also need compatible ABI, but that's not usually a problem when things are compiled from the same source and with the same compiler.

    Yes, and that's exactly the sort of stuff that causes problems. Usually WRT quoting and how exactly to make that work. It's that level of details where the problems occur. That's what I'm saying.

    Sure, sure, not usually. Well, here we are! Unusual city! The ABI sort of level is where the problems occur, largely because it's not handled by the compiler, etc, and has to be dealt with by the users (programmers) all the time.


  • ♿ (Parody)

    As encountered today:

    fooNumber nvarchar(25)

    :facepalm:


  • Discourse touched me in a no-no place

    I've not had a paid Spotify account since 2017.
    I don't have it installed on any devices and I've not, to my knowledge, used Spotify since then.

    3f5beb9c-1f8b-4acf-9cba-9af27b77a8fa-image.png

    I went to the site linked on the email.

    bd74eae1-465a-4165-b417-3cef80d22ff4-image.png

    Good work, Spotify.


  • ♿ (Parody)

    @loopback0 said in WTF Bites:

    I went to the site linked on the email.

    Was it actually spotify? Sounds like phishing.



  • @boomzilla I saw an article on one of my tech news feeds that Spotify was doing some kind of a year-end "wrapped" thing. Then again, both that and the phishing could be true.


  • 🚽 Regular

    @boomzilla said in WTF Bites:

    As encountered today:

    fooNumber nvarchar(25)

    :facepalm:

    😕


  • ♿ (Parody)

    @hungrier it sounds like the kind of thing lots of sites do, but @loopback0's use of "I went to the site linked on the email" vs "I went to spotify" threw up a red flag.


  • Discourse touched me in a no-no place

    @boomzilla said in WTF Bites:

    @loopback0 said in WTF Bites:

    I went to the site linked on the email.

    Was it actually spotify? Sounds like phishing.

    Yes. I also tried the same page from the Spotify website with the same result.


  • Discourse touched me in a no-no place

    @boomzilla said in WTF Bites:

    @loopback0's use of "I went to the site linked on the email" vs "I went to spotify" threw up a red flag.

    Accidentally poorly worded. It was supposed to say "the page linked on the email".


  • Banned

    @boomzilla said in WTF Bites:

    As encountered today:

    fooNumber nvarchar(25)

    :facepalm:

    Government paperwork is full of alphanumeric "numbers".


  • ♿ (Parody)

    @Gąska said in WTF Bites:

    @boomzilla said in WTF Bites:

    As encountered today:

    fooNumber nvarchar(25)

    :facepalm:

    Government paperwork is full of alphanumeric "numbers".

    This column is really numbers, though. Just stored as strings.


  • Notification Spam Recipient

    @hungrier said in WTF Bites:

    @boomzilla I saw an article on one of my tech news feeds that Spotify was doing some kind of a year-end "wrapped" thing.

    Those Spotify wrap-ups are pretty cool.

    SpotifyGenres.PNG

    Never heard of Gaian Doom before.

    GettingSloppy.PNG

    This year was pretty slow in music department 😑



  • @boomzilla said in WTF Bites:

    This column is really numbers, though. Just stored as strings.

    Are they numeric numbers, like sums and counts, or identifiers that happen to use only numeric digits?


  • ♿ (Parody)

    @hungrier said in WTF Bites:

    @boomzilla said in WTF Bites:

    This column is really numbers, though. Just stored as strings.

    Are they numeric numbers, like sums and counts, or identifiers that happen to use only numeric digits?

    Their whole purpose is to use them to sort things so they are always in a particular order. In this case, each Bar has some number (0..many) Foos, and the fooNumber keeps them in some order when you print them out.


  • Banned

    @MrL said in WTF Bites:

    SpotifyGenres.PNG

    "You're open to new genres of music."

    (lists 5 subgenres of metal)



  • @Gąska said in WTF Bites:

    "You're open to new genres of music."
    (lists 5 subgenres of metal)

    So, only the good genres 🧘♂



  • Spotify's color scheme is 🤮


  • Banned

    @Zerosquare if your 🤮 looks like Spotify's color scheme, you really should see a doctor.


  • Fake News

    @boomzilla said in WTF Bites:

    @Gąska said in WTF Bites:

    @boomzilla said in WTF Bites:

    As encountered today:

    fooNumber nvarchar(25)

    :facepalm:

    Government paperwork is full of alphanumeric "numbers".

    This column is really numbers, though. Just stored as strings.

    And even Unicode strings at that.


  • Banned

    @JBert it's almost 2020 - why the hell do people still find it notable when text is Unicode!?


  • Fake News

    @Gąska Here it's the reverse reaction of "why isn't this Unicode" - if you know that it's a number then you also know it uses just ASCII characters.

    Admittedly, if that nvarchar column uses UTF-8 underneath then you will not see any difference between ASCII and UTF-8, but if it uses UTF-16 or UTF-32 you're just reserving space in your database storage for international characters which are never going to be there.


  • Discourse touched me in a no-no place

    @boomzilla said in WTF Bites:

    Their whole purpose is to use them to sort things so they are always in a particular order.

    Luckily numbers-stored-as-strings sort exactly the same way as numbers-stored-as-numbers.

    Oh...



  • @MrL said in WTF Bites:

    Gaian Doom

    I think it's by R.E.M., and I feel fine about that.


  • ♿ (Parody)

    @loopback0 said in WTF Bites:

    @boomzilla said in WTF Bites:

    Their whole purpose is to use them to sort things so they are always in a particular order.

    Luckily numbers-stored-as-strings sort exactly the same way as numbers-stored-as-numbers.

    Oh...

    Luckily I'm migrating the data so I can fix dumbassery like that.


  • Discourse touched me in a no-no place

    @topspin said in WTF Bites:

    It's common wisdom in SQL that you need to protect against SQL injection, e.g. by using prepared statements instead of building query strings manually. But for some reason it seems perfectly acceptable for UNIX stuff to use command line arguments as an "API" instead of, you know, actually putting functionality in libraries with a real API.

    The problem is mixing up between admin-specified options and attacker-specified main arguments. At least there isn't an inherent problem with word boundaries (assuming they're using the right exec() syscall) but care still needs to be taken. The care required usually consists of ensuring the targets support a -- (end of options) option, which is a common convention, and that the caller uses it in the right place. It isn't hard to do or test, but it does need to be actually done to be effective.

    The class of problem would be common in my favourite language's standard library too, except that's largely written by total paranoiacs and so already has the mitigations in place. (Except, ironically, for when doing an exec because of a colossal historic fuckup.) Not all the userbase understands the importance of this stuff, but when did users ever really get that sort of thing?
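    As an added example (not code from the thread or from any project it mentions), the point above about admin-specified options versus attacker-specified arguments, and the earlier contrast between a library call and "executing a process like passwd boomzilla", made concrete in Python. A constructed stand-in helper script plays the argv-driven tool; the caller passes an admin-chosen `-s` and a user-chosen name, once without `--` and once with it, plus an allowlist check as the second layer. HELPER_SOURCE, run_helper, run_helper_hardened and NAME_RE are all assumptions made for the example.

```python
import re
import subprocess
import sys
import tempfile

# Constructed stand-in for a UNIX tool driven by argv, in the spirit of the
# "passwd boomzilla" example. It is hypothetical: real tools differ, but the
# getopt-style rule it follows (anything starting with "-" before "--" is an
# option) is the common convention the post refers to.
HELPER_SOURCE = r'''
import argparse
p = argparse.ArgumentParser(prog="helper")
p.add_argument("-s", "--style", default="password")   # admin-chosen setting
p.add_argument("name", nargs="?", default="(none)")   # user-supplied value
a = p.parse_args()
print(f"style={a.style} name={a.name}")
'''

_tmp = tempfile.NamedTemporaryFile("w", suffix=".py", delete=False)
_tmp.write(HELPER_SOURCE)
_tmp.close()
HELPER_PATH = _tmp.name

# Conservative allowlist for a login-style name: it must not start with "-".
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}")


def run_helper(user_name, end_of_options=True, style="password"):
    """Spawn the helper with an admin-chosen -s and a user-chosen name.

    argv is passed as a list (no shell), so word splitting is not the issue
    here; whether the helper can mistake user_name for an option is.
    Returns (exit_code, stdout line)."""
    argv = [sys.executable, HELPER_PATH, "-s", style]
    if end_of_options:
        argv.append("--")          # everything after this is positional
    argv.append(user_name)
    r = subprocess.run(argv, capture_output=True, text=True)
    return r.returncode, r.stdout.strip()


def run_helper_hardened(user_name, style="password"):
    """Both layers: reject names outside the allowlist, and still pass "--"
    so a leading "-" can never reach option parsing even if the check is
    loosened later."""
    if not NAME_RE.fullmatch(user_name):
        raise ValueError("refusing name that is not a plain login name")
    return run_helper(user_name, end_of_options=True, style=style)


if __name__ == "__main__":
    # Constructed inputs: a normal name and one that looks like an option.
    for name in ("alice", "-sdebug"):
        print(name, "without --:", run_helper(name, end_of_options=False))
        print(name, "with    --:", run_helper(name, end_of_options=True))
```

Without `--` the user-supplied "-sdebug" silently replaces the admin's `-s password`; with `--` it is just an odd-looking name, and the allowlist rejects it before any process is spawned.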


  • Banned

    @JBert said in WTF Bites:

    @Gąska Here it's the reverse reaction of "why isn't this Unicode" - if you know that it's a number then you also know it uses just ASCII characters.

    No. Just no. Stop being smart. Text is Unicode. No exceptions. There is no ASCII. There is no EBCDIC or JIS. There is no ISO-8859. There are no codepages other than 65001. Everything is Unicode and the rest doesn't exist. Please, for the love of God, save us all the pain of translating encodings ever again and just pretend there is no other encoding but Unicode. No matter how many bytes it wastes. Memory is cheap, tears of the developers aren't. Remember that every single piece of code you've ever written and will ever write has a potential to live for 30 more years, and who knows what will be the requirements then.


  • Discourse touched me in a no-no place

    @Gąska said in WTF Bites:

    @Zerosquare if your 🤮 looks like Spotify's color scheme, you really should see a doctor.

    🤡 🤮 then, the :@aliceif: favourite!



  • @Gąska said in WTF Bites:

    has a potential to live for 30 more years, and who knows what will be the requirements then.

    Let's hope the requirements will still be Unicode 🧙♂


  • Banned

    @TimeBandit it might not be Unicode anymore, but I'm dead certain the first 1.1 million code points of any new encoding will be the same.



  • Another WTF of my day: My internet connection at home keeps crapping out - it's a VDSL connection. Sometimes it will work for days, on other days it will lose the DSL synchronization regularly, like 5 times a day. As this leads to 2 minutes of no internet and, of course, always at the least desirable times, I contacted my provider about it.

    First they had this self-help tool which supposedly does something on their end to check the connection status. Ultimately resulting in a 503...

    ... so off to the telephone hotline we went. Didn't even have to wait long, the support guy seemed to be helpful, opened a ticket and did something which he said might help. He then reset my router and told me that they'd do a statistic on my line. As that would take a bit, he'd then call back at 7pm this evening, but gave me my ticket number regardless.

    Didn't seem to help much - just this morning my iPhone greeted me with: "O hai, your WLAN does not have an internet connection. Do you want to use LTE instead?"

    Of course there was no callback. And just now I got an SMS: "We just cancelled your ticket. Kind regards, FuckersFromProvider."

