WTF Bites



  • @Benjamin-Hall said in WTF Bites:

    WTF Status First, :trwtf: is me for not remembering which password I had as my wifi. The second is Xfinity, for making me re-setup my router because the app forgot what I had. Despite it all working perfectly. The third is Apple. And that's the one I want to rant about.

    You see, I have a Macbook Pro for work. It was happily connected to the wifi. And then the password changed. Did it

    1. realize it had changed when it got unceremoniously dumped and couldn't reconnect and raise a warning?
    2. Just go offline and sulk?
    3. Something infinitely more stupid?

    If you guessed 3, yup, you know apple. It instead went into a doom loop of trying to connect, failing, then trying to connect again, in such a tight loop that it made the wifi settings page not even show up until I rebooted. And even then, it would just flash on and then off, making it impossible to say "forget this network" or do anything else. I had to go into advanced settings, remove it from the list, then reconnect. No, I couldn't right click, because macs only gracefully handle one button. It Just Works my overweight butt.

    At $work, we have three wi-fis: one for devices joined to the active domain, one for employee devices not in the active domain, and one for visitor devices. The one for devices in the active domain is secured by some crypto automatically deployed by said active domain and generally just works. The one for visitor devices uses time-limited passwords, but that's only for visitors as you need to get one through the receptionist. And the one for employee devices not in the domain—which is used for customer devices and sometimes personal devices—uses the AD account for authorization.

    Now the domain password has to change every six months. And ten failed attempts to log in will get your account locked and you have to go to the admin to get it unlocked again. So behaviour like this would get you promptly locked out after changing your password. … hm, and I don't remember whether the macs some use have the domain-authenticated thing on them or not.

    Even phones sometimes do it—they are also too dumb to realize they've got the wrong password and stop trying to use it, and as you walk around, the phone may be trying to re-connect (the offices need a couple of repeaters for coverage) and get your account locked. Yay for security worst practices.


  • Considered Harmful

    @Tsaukpaetra said in WTF Bites:

    @LaoC said in WTF Bites:

    but makes me cry when I look at the prices.

    How do they compare in Freedom units?

    It's about one Playing Card per Imperial Djiggabait.


  • Java Dev

    @Benjamin-Hall If it wasn’t for me encountering other Appleisms in a similar vein I would be surprised.

    Although when my password changed at work and I had to log into the wifi again on my Linux box I also had to forget the entire network to be able to log in properly, which is fun because I need to go into the network settings and change a detail because it uses a non-standard corporate network setting which can’t be auto-detected because everyone expects the standard I guess.


  • BINNED

    @Benjamin-Hall said in WTF Bites:

    Heck, my printer was more sane than it was. It just went "welp, I can't connect" and let me type in the password again.

    Huh, curious, I have the opposite Apple experience.

    The gym I go to has an eduroam wifi access point I connect to, but sometimes it's flaky as hell. So whenever it loses connection, it asks me again for the fucking password. Which is 24 letters long (IT policy) and typing passwords on a phone is doubly-retarded because 1980s "hide the password while typing" cargo-cult shit.
    Just use the saved password already and connect when it's stable.

    This reminds me of how stupid Thunderbird was 15+ years ago: I had my passwords saved in its password manager, but whenever a server barfed and Thunderbird failed to fetch emails, it figured "oh, the saved password must be wrong. Guess I'll just delete it!" :angry:


  • I survived the hour long Uno hand

    @topspin said in WTF Bites:

    @Benjamin-Hall said in WTF Bites:

    Heck, my printer was more sane than it was. It just went "welp, I can't connect" and let me type in the password again.

    Huh, curious, I have the opposite Apple experience.

    The gym I go to has an eduroam wifi access point I connect to, but sometimes it's flaky as hell. So whenever it loses connection, it asks me again for the fucking password. Which is 24 letters long (IT policy) and typing passwords on a phone is doubly-retarded because 1980s "hide the password while typing" cargo-cult shit.
    Just use the saved password already and connect when it's stable.

    This reminds me of how stupid Thunderbird was 15+ years ago: I had my passwords saved in its password manager, but whenever a server barfed and Thunderbird failed to fetch emails, it figured "oh, the saved password must be wrong. Guess I'll just delete it!" :angry:

    📎 Have you tried just never having anything go wrong anywhere?


  • BINNED

    @Bulb said in WTF Bites:

    get your account locked

    Happened to me every time I had to change passwords. Fun times.


  • BINNED

    Status: I hate banks and their stupid sEcUrItY :mocking_spongebob: so much.

    Earlier this year, the bank where I have a money market account and a stock deposit changed their auth method from password + TAN list to 2FA. Now I got a password and have to verify logins with the banking app on my phone. Okay, fine, that's actually 2 factors so far.
    Well, for using online banking on the PC, yes, but I can do the same thing with the phone. There I had to enter the password once and saved it, and of course it doesn't require itself to authenticate itself. So the phone is all factors at once. Not surprising.

    But that brings me to today. This bank, just like my other bank, insists on logging you out of your session after 5 milliseconds 5 minutes of inactivity. Why? Maybe because the encrypted connection got hacked in the meantime, who knows. Or maybe your toddler cat would walk over the keyboard, but you're not adult enough to get an option to turn this shit off. Not much of a problem for the app, though, because of its one-factor-to-rule-them-all authentication.

    So I check some account stuff on the app. When I'm done I see some info in the clickbait area about the EU fucking with cash, again. I click it and the app opens the article on their main website (i.e. outside the account page) in the browser. I read through it, not particularly concentrated or fast, and then I get the 5 minute popup:

    Oops.
    Your session has expired.
    Log in again     Back to main page
    

    I can't just dismiss the thing. No X, no clicking outside the popup, and no way to read the remaining paragraph behind it. I certainly don't want to "log in again", which, since I'm now on the web version, would entail entering the password (in the phone's browser) and then switching to the app to acknowledge this login. So I click the only remaining option. It does bring me back to their home page. :headdesk:
    I know these articles are available from there, somewhere, without being logged in. But I can't immediately find it from there, and the browser's back button doesn't want to bring me there either without giving me a log-in screen.

    If I had read this shit on the laptop, I would've just used my "kill sticky" bookmarklet. :fu:


  • Considered Harmful

    @topspin I'm sorry to report that not logging out, ever, is a security problem. Now, I know this because of... uh, certain site with poorly designed user-side caching.

    you're not adult enough

    You may be (not that there's any evidence of that :tro-pop:). But people in general clearly aren't. They want to use things and they've been monkey-trained to by all the apps that after registration (if any) they never need to login again. Naturally it creates ever more stupid responses to counter that.


  • BINNED

    @Applied-Mediocrity if you’re using online banking from a public terminal, not logging out for even one minute would be a “security problem”. So clearly even 5 minutes or 30 seconds is too long. But is it, really? Since you still need a TAN to do anything significant even if you’re logged in.

    Who fucking does that, though? It’s my computer at home. I’m the only one who has access to it, and if I wasn’t the only one, I’m not afraid of my family stealing my money. Not logging out for 5 minutes is not a security problem. Fuck off.
    5 minutes is too fucking short. 15 minutes would be too short, too. 30 minutes would be barely acceptable.
    I’ve previously been logged out while actively in the process of doing baking related stuff.

    And “logging me out” of a part of the website that doesn’t need a log in if you don’t already have an active session is pants-on-head-retarded.



  • @topspin said in WTF Bites:

    I’ve previously been logged out while actively in the process of doing baking related stuff.

    Why are you in the kitchen making bread while you're logged into your banking website?

    Filed under: Not that kind of bread


  • BINNED

    @HardwareGeek you know what I meant. 😤


  • Considered Harmful

    @HardwareGeek said in WTF Bites:

    Why are you in the kitchen making bread while you're logged into your banking website?

    2008-08-08_cooked books_pension fund_15% per year_crooks_optimists_whistling noise_soul escaping.gif



  • :pendant:: If those people are in management, they sold their soul a long time ago.



  • @Zerosquare said in WTF Bites:

    :pendant:: If those people are in management, they sold their soul a long time ago.

    :doubt:

    If they ever had souls, they wouldn't have become managers.



  • You're right, I was confused.

    The ones who sold their soul for a quick buck are, of course, sales & marketing people.


  • Notification Spam Recipient

    IMG_1398.png

    Can’t be worse than anything else I read I suppose.



  • @Applied-Mediocrity You could have taken the following day's strip too:
    Dilbert-2008-08-09.gif
    Seh-Kyoo-Ree-Tty!


  • Notification Spam Recipient

    Status: I just realized that it seems the Camera App in Windows 11 flips the camera for no reason, and offers no way to not-flip it. :wtf:

    Teams: 95c56a0d-09e6-4a45-b61b-78529710b95d-image.png

    Camera App: 6d634481-a048-43e2-9574-0aff057bdabf-image.png

    Chrome: b263692b-9d7b-4fff-9640-f20db6a1ca73-image.png

    Sadly, I cannot ask any present monkey to hold up a sign for legibility verification, but Teams is showing the correct view...


  • Java Dev

    @Tsaukpaetra said in WTF Bites:

    Sadly, I cannot ask any present monkey to hold up a sign for legibility verification, but Teams is showing the correct view...

    To you it is. But what is it broadcasting?


  • Notification Spam Recipient

    @PleegWat said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    Sadly, I cannot ask any present monkey to hold up a sign for legibility verification, but Teams is showing the correct view...

    To you it is. But what is it broadcasting?

    WYSIWYG.

    Edit: Confirmed by calling a rando and asking what he sees.

    Edit edit: But it doesn't fuck up a USB-connected camera?! :wtf-whistling:



  • @Tsaukpaetra said in WTF Bites:

    Edit edit: But it doesn't fuck up a USB-connected camera?! :wtf-whistling:

    If it's USB-C, try plugging it the other way :trollface:



  • @Tsaukpaetra said in WTF Bites:

    Status: I just realized that it seems the Camera App in Windows 11 flips the camera for no reason, and offers no way to not-flip it. :wtf:

    Use a machine without a camera and you don't have to worry about it! :thinking-ahead:

    The Camera app on my Windows 11 tablet acts like I'd expect, I guess: the rear camera view looks just like what's behind it and the front camera view looks like you're looking in a mirror.


  • Notification Spam Recipient

    @Parody said in WTF Bites:

    Use a machine without a camera and you don't have to worry about it! :thinking-ahead:

    d80838c3-c0c2-4f70-933c-1620ad26d1ea-image.png

    Well you're not wrong...


  • Considered Harmful

    @Tsaukpaetra said in WTF Bites:

    Camera App: 6d634481-a048-43e2-9574-0aff057bdabf-image.png

    :trwtf: is the workplace ergonomics.


  • Notification Spam Recipient

    @LaoC said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    Camera App: 6d634481-a048-43e2-9574-0aff057bdabf-image.png

    :trwtf: is the workplace ergonomics.

    https://www.youtube.com/watch?v=JYqjcHYTQgQ
    Explain?


  • Considered Harmful

    @Tsaukpaetra said in WTF Bites:

    @LaoC said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    Camera App: 6d634481-a048-43e2-9574-0aff057bdabf-image.png

    :trwtf: is the workplace ergonomics.

    https://www.youtube.com/watch?v=JYqjcHYTQgQ
    Explain?

    I'm getting neck pain only from looking at the positions of keyboard and monitors.

    th-3328270595.jpg


  • BINNED

    @LaoC
    I'm more worried why there is a chair facing the printer ... like is it someone's job just to watch if it spews paper?


  • Considered Harmful

    @Luhmann said in WTF Bites:

    @LaoC
    I'm more worried why there is a chair facing the printer ... like is it someone's job just to watch if it spews paper?

    "Ozone Therapy" is a thing. Someone must have proposed it as a cure for pain in the neck.


  • Notification Spam Recipient

    @Luhmann said in WTF Bites:

    @LaoC
    I'm more worried why there is a chair facing the printer ... like is it someone's job just to watch if it spews paper?

    If that confuses you, wait until I share a picture of the printer itself!


  • Notification Spam Recipient

    @LaoC said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    @LaoC said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    Camera App: 6d634481-a048-43e2-9574-0aff057bdabf-image.png

    :trwtf: is the workplace ergonomics.

    https://www.youtube.com/watch?v=JYqjcHYTQgQ
    Explain?

    I'm getting neck pain only from looking at the positions of keyboard and monitors.

    th-3328270595.jpg

    Ah, the visible units are not regular-usage stations. These are all build stations, you're not intended to be using input/output for more than a few minutes at a time (if that).



  • @Luhmann said in WTF Bites:

    @LaoC
    I'm more worried why there is a chair facing the printer ...

    Obviously that's for the guard with the loaded gun, ready to shoot it at the first suspicious noise. Basic office safety procedures, man!



  • @ixvedeusi said in WTF Bites:

    @Luhmann said in WTF Bites:

    @LaoC
    

    I'm more worried why there is a chair facing the printer ...

    Obviously that's for the guard with the loaded gun, ready to shoot it at the first suspicious noise. Basic office safety procedures, man!

    Proper procedures, man! Baseball bat.



  • @dcon said in WTF Bites:

    Baseball bat.

    8ef05e54-ba4b-446c-ba7a-76323d2804d9-image.png



  • @TimeBandit That is acceptable.



  • I am :wtf_owl: today: when a coworker asked "how do I get X data (which is not easily available)", I assumed he wanted a one-off way to do it, and mentioned how to query an external reporting DB to get the IDs he wanted, which he could then use to query for the data he wanted.

    But no, he wanted to do this weird-ass reporting at any time, so he set up an API for it. Using my janky multi-DB hack. Thankfully, I was added to the PR, so at least I can shut this down before it goes to prod.


  • Notification Spam Recipient

    Status: When using the "official editor" is considered a warnable offense...

    677ee722-cca6-4ba4-b9d8-b932c8da386c-image.png



  • @Tsaukpaetra

    Warning Map has 0 NJS

    Obviously, the :wtf: is that message should be, "Success Map has 0 New Jerseys." :tro-pop:



  • @Tsaukpaetra There's not quite enough context here to make it a :wtf::

    1. Does the application automatically generate a map for a song? Using the editor may alter the characteristics of the map such that it's no longer comparable to the autogenerated one.
    2. Is the official editor known defective, for example failing to save NJS properly? If so, it makes sense to warn about its use and expect submitters to use an alternative, more comprehensive editor. This even makes sense when the site is first-party if the editor has been officially abandoned for a third-party one.
    3. It's unclear what this is for. StepMania (and DDR clones), Beat Saber, and Rhythm Sprout use "step chart". AudioSurf 1 and 2 also don't use "map". This isn't SimTunes because it's not 1990 anymore. I don't think it's MIDI or DAW stuff since they use "patches". For all we know, all of this is perfectly fine in its original domain.

  • Notification Spam Recipient

    @TwelveBaud said in WTF Bites:

    Does the application automatically generate a map for a song?

    Nope!

    @TwelveBaud said in WTF Bites:

    Is the official editor known defective, for example failing to save NJS properly?

    It's more limited I suppose. Possibly missing quality-of-life things. Unfortunately, the source code is not available for what triggers this warning so I can't guess why the developer decided this is a problem.

    @TwelveBaud said in WTF Bites:

    It's unclear what this is for.

    Is it really necessary? If I posted in Error'd a message box with the text "Error: Failed successfully" would that make it better? 😕

    I lost the song ID for where this came from, but here's another one that has just the one error:



  • WTF of my day(s)

    • The built-in nodejs http and https libraries DO NOT handle 302 redirects. At all. They simply treat it as an error and die.
    • Curl does not follow 302 redirects by default. And even if you turn on following them...it does the standards-non-compliant thing of turning POST into GET after a 302. Unless you add a separate option.
    • OkHTTP (one of the big libraries for java/android) does follow 302s...and unconditionally converts POST to GET following a 302 or 301. A defect was raised, and then closed with "your server is faulty, it should send a 307 or 308. And we won't add an option to route around 'faulty servers'. You can write an interceptor to rewrite the response as if it was a 307/308 instead. GTFO."

    WT(everliving)F? How is that ever expected to work? GET and POST are radically different things. I can't believe that, in this day of api-based communications, anyone could think that that was the right thing.

    Standards document: https://tools.ietf.org/html/rfc2616#section-10.3.3

    Note: RFC 1945 and RFC 2068 specify that the client is not allowed to change the method on the redirected request. However, most existing user agent implementations treat 302 as if it were a 303 response, performing a GET on the Location field-value regardless of the original request method. The status codes 303 and 307 have been added for servers that wish to make unambiguously clear which kind of reaction is expected of the client.

    Why the heck should servers have to care? Especially since most 302s are coming from reverse proxies, DNS providers, and the like. It's not my application sending them--they're coming from upstream, from servers I don't have any control over. Servers that have exactly zero knowledge of what's downstream of them, and that's the way it should be.


  • BINNED

    @Benjamin-Hall said in WTF Bites:

    OkHTTP (one of the big libraries for java/android) does follow 302s...and unconditionally converts POST to GET following a 302 or 301. A defect was raised, and then closed with "your server is faulty, it should send a 307 or 308. And we won't add an option to route around 'faulty servers'. You can write an interceptor to rewrite the response as if it was a 307/308 instead. GTFO."

    I had no idea what the difference between these is, so I googled it.

    So, 307 is the same as 302 but making it clear that the buggy implementations of 302 are explicitly not allowed. And the thing you quote above says they won't fix their buggy implementation because there's another response code for explicitly requesting the non-buggy one?

    :wtf:^:wtf:

    ETA: Also https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/302

    Even if the specification requires the method (and the body) not to be altered when the redirection is performed, not all user-agents conform here - you can still find this type of bugged software out there. It is therefore recommended to set the 302 code only as a response for GET or HEAD methods and to use 307 Temporary Redirect instead, as the method change is explicitly prohibited in that case.



  • @topspin said in WTF Bites:

    @Benjamin-Hall said in WTF Bites:

    OkHTTP (one of the big libraries for java/android) does follow 302s...and unconditionally converts POST to GET following a 302 or 301. A defect was raised, and then closed with "your server is faulty, it should send a 307 or 308. And we won't add an option to route around 'faulty servers'. You can write an interceptor to rewrite the response as if it was a 307/308 instead. GTFO."

    I had no idea what the difference between these is, so I googled it.

    So, 307 is the same as 302 but making it clear that the buggy implementations of 302 are explicitly not allowed. And the thing you quote above says they won't fix their buggy implementation because there's another response code for explicitly requesting the non-buggy one?

    :wtf:^:wtf:

    Exactly. And their response was so smugly :wtf: it made me angry:

    I think we do have a mechanism to correct for faulty servers like this

    import okhttp3.Interceptor
    import okhttp3.OkHttpClient
    import okhttp3.Response
    import okhttp3.logging.LoggingEventListener

    val client = OkHttpClient.Builder()
        .eventListenerFactory(LoggingEventListener.Factory())
        .addNetworkInterceptor(object : Interceptor {
            override fun intercept(chain: Interceptor.Chain): Response {
                var response = chain.proceed(chain.request())

                // Rewrite a 302 into a 307 so the built-in redirect handling
                // replays the original method and body instead of switching to GET.
                if (response.code == 302) {
                    response = response.newBuilder().code(307).build()
                }

                return response
            }
        })
        .build()

    But we deliberately don't build in knobs and options that make it easy to workaround these issues. Hopefully you have raised an issue with the faulty server and are tracking the fix with them.

    No, your implementation is faulty. Not the server.



  • 📎: It looks like you're expecting sane behavior in something Web-related. Would you like me to laugh at you?


  • BINNED

    @Benjamin-Hall said in WTF Bites:

    But we deliberately don't build in knobs and options that make it easy to workaround these issues

    I mean, I can see that. The proposed fix is not what you want. Nobody said to change a 302 to a 307 as in that snippet, but just to handle the 302 correctly. :wtf_owl:



  • @Benjamin-Hall said in WTF Bites:

    WT(everliving)F? How is that ever expected to work? GET and POST are radically different things. I can't believe that, in this day of api-based communications, anyone could think that that was the right thing.

    The most common use for a “temporary” redirect is “I handled the request, now go there to see the results”. Say you have one script (cgi, php, jsp, asp…) that shows the current state of things. Now you want to do some operation on the state. A bunch of different ones. So you have more scripts that do those operations. But when that operation completes, what do you want to happen? Much of the time you want to show the, now modified, state again.

    Duplicating the code is obviously bad practice. Or you could cross-call the scripts server-side, but then the user would be left with the URL of the action script rather than the one of the status page in the URL bar and that's not really right either. So you ‘temporarily redirect’ them back to the status. Which should, obviously, not be getting the post data again.

    In contrast the cases where you do want to post the data to a different place, the redirect is usually ‘permanent’. That is, the user agent may forward any future requests too.

    So back when only 301 permanent redirect and 302 temporary redirect existed, the vast majority of uses crystalized as above. So the user agent started implementing 302 as ‘see other’ (now 303), in violation of the formal spec, but in line with the majority usage.

    So they defined the 303 for explicitly switching to get and 307 for explicitly repeating the request. And any new server should use those.

    … writing this I remembered I recently saw a 302 in our project. It returns it from the basic auth login endpoint intended for automation (normal users use oauth2 code workflow). And yes, it does mean it in the 303 meaning including the fact you are not supposed to send the authentication again, because you now have a cookie instead. That's a new .net 7 web service. :wtf:
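The redirect semantics argued over in the last few posts (Benjamin-Hall's rundown of what node, curl and OkHttp do with a 302, and Bulb's post/redirect/get explanation above), as an added example that is not code from the thread or from node, curl or OkHttp. It goes a bit beyond the posts: `planRedirect` models all five redirect codes per RFC 7231/7538 with a `legacy302AsGet` switch for the "treat 302 like 303" behaviour the thread complains about, and it drops the Authorization header when a redirect crosses origins (the same rule curl and fetch apply). The "server" is a constructed in-memory route table on a hypothetical `app.example` host, so the whole thing runs offline; the function names and the `legacy302AsGet` option are this example's own.

```javascript
// Decide what the next request looks like after a redirect response.
// Returns null when the response is not a redirect the client should follow.
// RFC 7231: 301/302 keep the method (legacy clients rewrite POST -> GET),
// 303 always switches to GET; RFC 7538/7231: 307/308 preserve method and body.
function planRedirect(request, response, opts = {}) {
  const legacyRewrite = opts.legacy302AsGet === true; // old UAs, curl -L, OkHttp
  const location = response.headers && response.headers.location;
  if (!location) return null;

  let method = request.method;
  let body = request.body;

  switch (response.status) {
    case 303: // See Other: retrieval request, body dropped
      method = method === 'HEAD' ? 'HEAD' : 'GET';
      body = undefined;
      break;
    case 301:
    case 302: // spec: keep method; legacy behaviour: POST becomes GET
      if (legacyRewrite && method === 'POST') { method = 'GET'; body = undefined; }
      break;
    case 307:
    case 308: // method and body MUST be preserved
      break;
    default:
      return null;
  }

  // Resolve a relative Location against the request URL.
  const url = new URL(location, request.url);
  const headers = { ...request.headers };
  // Security caveat: credentials must not leak to another origin on redirect.
  if (url.origin !== new URL(request.url).origin) delete headers.authorization;
  return { method, url: url.href, body, headers };
}

// Constructed in-memory "server" for the post/redirect/get pattern:
// POST /update mutates state and redirects back to /status with the given code.
function makeServer(redirectStatus) {
  const state = { counter: 0 };
  return function handle(req) {
    const path = new URL(req.url).pathname;
    if (req.method === 'POST' && path === '/update') {
      state.counter += Number(req.body); // the hypothetical "action script"
      return { status: redirectStatus, headers: { location: '/status' }, body: '' };
    }
    if (req.method === 'GET' && path === '/status') {
      return { status: 200, headers: {}, body: `counter=${state.counter}` };
    }
    return { status: 405, headers: {}, body: 'method not allowed' };
  };
}

// Follow redirects until a non-redirect response or the hop limit is hit.
function send(handle, request, opts = {}, maxHops = 5) {
  let req = request;
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = handle(req);
    const next = planRedirect(req, res, opts);
    if (!next) return { ...res, finalMethod: req.method };
    req = next;
  }
  throw new Error('too many redirects');
}

// Run the same POST against servers that redirect with 303, 302 and 307.
function demo() {
  const post = { method: 'POST', url: 'http://app.example/update', body: '5',
                 headers: { authorization: 'Bearer constructed-token' } };
  return {
    seeOther:  send(makeServer(303), post).body,                            // 'counter=5'
    strict302: send(makeServer(302), post).status,                          // 405: POST replayed to /status
    legacy302: send(makeServer(302), post, { legacy302AsGet: true }).body,  // 'counter=5'
    strict307: send(makeServer(307), post).finalMethod,                     // 'POST'
    legacy307: send(makeServer(307), post, { legacy302AsGet: true }).finalMethod, // 'POST', flag ignored
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node redirects.js`. The `strict302` case is the thread's point in miniature: a server that uses 302 for post/redirect/get only works because clients rewrite the method against the spec, while 303 works for every client and 307 resubmits the POST no matter what the client's legacy setting is.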



  • @Bulb said in WTF Bites:

    @Benjamin-Hall said in WTF Bites:

    WT(everliving)F? How is that ever expected to work? GET and POST are radically different things. I can't believe that, in this day of api-based communications, anyone could think that that was the right thing.

    The most common use for a “temporary” redirect is “I handled the request, now go there to see the results”. Say you have one script (cgi, php, jsp, asp…) that shows the current state of things. Now you want to do some operation on the state. A bunch of different ones. So you have more scripts that do those operations. But when that operation completes, what do you want to happen? Much of the time you want to show the, now modified, state again.

    Duplicating the code is obviously bad practice. Or you could cross-call the scripts server-side, but then the user would be left with the URL of the action script rather than the one of the status page in the URL bar and that's not really right either. So you ‘temporarily redirect’ them back to the status. Which should, obviously, not be getting the post data again.

    In contrast the cases where you do want to post the data to a different place, the redirect is usually ‘permanent’. That is, the user agent may forward any future requests too.

    So back when only 301 permanent redirect and 302 temporary redirect existed, the vast majority of uses crystalized as above. So the user agent started implementing 302 as ‘see other’ (now 303), in violation of the formal spec, but in line with the majority usage.

    So they defined the 303 for explicitly switching to get and 307 for explicitly repeating the request. And any new server should use those.

    … writing this I remembered I recently saw a 302 in our project. It returns it from the basic auth login endpoint intended for automation (normal users use oauth2 code workflow). And yes, it does mean it in the 303 meaning including the fact you are not supposed to send the authentication again, because you now have a cookie instead. That's a new .net 7 web service. :wtf:

    Except they don't do the right thing for 301s either. Both 301s and 302s end up swapping POSTs for GETs. Only 307/308 (which are reversed, a 307 -> 302 and 308 -> 301, for another layer of web-WTF) do the right thing all the time.

    And that's not what the spec says--the spec says "on 301 or 302, user agents must not alter the request type." 307 and 308 were implemented as workarounds to get around the fact that there are many spec-non-conforming agents out there. But I have no way of triggering those--all the mechanisms I have send either 301s or 302s.



  • @Benjamin-Hall said in WTF Bites:

    But I have no way of triggering those--all the mechanisms I have send either 301s or 302s.

    :trwtf:. Way too common, unfortunately.



  • I don’t recall 301 or 302 in the wild ever adhering to that philosophy, that a redirect shouldn’t change the request type - it always struck me as sensible to respond to a POST with a 302 that became a GET because any other outcome tended to lead to users hitting refresh and submitting twice.


  • 🚽 Regular

    @topspin quoted MDN in WTF Bites:

    Even if the specification requires the method (and the body) not to be altered when the redirection is performed, not all user-agents conform here - you can still find this type of bugged software out there. It is therefore recommended to set the 302 code only as a response for GET or HEAD methods and to use 307 Temporary Redirect instead, as the method change is explicitly prohibited in that case.

    302 requires the method not be altered while 307 explicitly prohibits the change. The distinction seems perfectly clear to me 🤪



  • @Zecc said in WTF Bites:

    302 requires the method not be altered yet in practice no-one does this so it always ends up as a GET even if it was originally a POST while 307 explicitly prohibits the change and in practice this is actually respected.

    🔧

