Our security auditor is an idiot. How do I give him the information he wants? (Server Fault)
-
@masonwheeler said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
...in which time zone?
I'd guess all of them.
-
@Groaner said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
@Tsaukpaetra said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
@Groaner said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
No, the requirement that you stay under 16ms per frame, in the example of a game server.
Again, LOGGING IN EVERY 16 MS IS
Having 3600 people log in during an hour would be sufficient to meet this condition. That's about two orders of magnitude smaller than what Steam handles between, say, 2AM and 4AM.
And does Steam gate all of its logins through a single server?
Edit: Besides, that's logged-in sessions, not unique new login requests. Totally different!
-
Hey, does anyone know what happened after this unnamed organization was inspected? I think the OP didn't provide an update for that. Was it maybe updated in another place?
-
@Tsaukpaetra said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
And does Steam gate all of its logins through a single server?
Who knows?
Edit: Besides, that's logged-in sessions, not unique new login requests. Totally different!
Yeah, we're interested in the first derivative of that graph. Between 2 and 4AM, I see a rise around 500k.
-
@Groaner said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
the first derivative
Now you're talking higher Maths... It was bad enough when you were converting periods to frequency, now calculus?!
@Groaner said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
I see a rise around 500k.
Again, fairly suppository unless we know how many servers are actually processing login requests. It's not so impressive if it actually took five seconds to do the login (after Steam Guard, natch) and there were a hundred or so servers distributing the load.
-
@Arantor said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
@Lorne-Kates is that because FF22 couldn't do it in JavaScript for you?
FF22 js works fine.
NoScript blocks the js.
Get your tech straight, whippersnapper.
-
@Tsaukpaetra said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
@Groaner said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
the first derivative
Now you're talking higher Maths... It was bad enough when you were converting events over periods to average frequency, now calculus?!
FTFY
@Groaner said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
I see a rise around 500k.
Again, fairly suppository unless we know how many servers are actually processing login requests. It's not so impressive if it actually took five seconds to do the login (after Steam Guard, natch) and there were a hundred or so servers distributing the load.
I agree. Which only goes to show that you shouldn't take five seconds to process a single login unless you have hundreds of servers!
-
@Groaner login.cdn.discourse.org ?
-
@Arantor said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
@Groaner login.cdn.discourse.org ?
Fastly error: unknown domain: login.cdn.discourse.org. Please check that this domain has been added to a service.
I'm betting that's processing a ton of logins right now!
-
@Groaner and only 24.7% of the load is actually computation of hashes, the rest is Docker+Ruby+Mongo+Postgres+Redis+whatever is hip this week.
-
@Arantor said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
@Groaner and only 24.7% of the load is actually computation of hashes, the rest is Docker+Ruby+Mongo+Postgres+Redis+whatever is hip this week.
Even so, that's still a pretty large share of the load. But what's more horrifying is the rest of the stack.
-
@Groaner they're running it on a quad core machine, and Hyperthreading is - you don't need virtual cores when you have real ones!
I don't know if Discourse uses MongoDB on top of Docker/Ruby/Postgres/Redis, but maybe they should look into it, maybe it'd help their performance issues.
-
@Tsaukpaetra said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
fairly suppository unless we know how many servers are actually processing
-
@Tsaukpaetra said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
@Groaner said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
I see a rise around 500k.
Again, fairly suppository
I thought the general practice was to pull such numbers out of one's ass, not stick them in.
-
@HardwareGeek How else does one pull numbers from their ass without inserting them first? It's kind of like a Yahtzee cup!
-
@Arantor said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
@Groaner they're running it on a quad core machine, and Hyperthreading is - you don't need virtual cores when you have real ones!
It amuses me that some older applications think this rig has 12 CPUs.
I don't know if Discourse uses MongoDB on top of Docker/Ruby/Postgres/Redis, but maybe they should look into it, maybe it'd help their performance issues.
Failing that, it'd put them in a better position of winning Stack Bingo.
-
@Groaner said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
It amuses me that some older applications think this rig has 12 CPUs.
Maybe, until you realize that that's how the OS is reporting it to the legacy API.
-
@cark said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
The more I read about the idea of doing the salting/hashing on the client side, the more I like it.
As in, scoring hash marks into the skin of the offending client and then rubbing salt into the cuts?
-
@Groaner said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
@Tsaukpaetra said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
@Groaner said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
at odds with other requirements
Such as only needing to do it once per user for a session?
No, the requirement that you stay under 16ms per frame, in the example of a game server.
Granted, you could move the login processing to a worker thread that calls back with a login result... until the queue piles up. Then, you might consider having a dedicated login server, but I'd hope one wouldn't need that until around 107 users.
Your average low-end commodity VPS can handle millions of MD5 digest calculations per second. There's a huge range of encryption from there to the repeated hash/salt cycle strategies that take 50ms each.
-
@pydsigner said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
There's a huge range of encryption from there to the repeated hash/salt cycle strategies that take 50ms each.
For example, one test I did with pbkdf2_sha512 was doing a 1000-cycle salt/hash crypt in ~6ms. Yes, that's thousands fewer attempts per second, but the return is exponential.
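Putting numbers on the cost discussion above (the ~6ms PBKDF2 measurement here and the 16ms frame budget raised earlier in the thread): what follows is an example added by the editor, not code from any poster or from the Server Fault question. It stores passwords with PBKDF2-SHA512 and a random per-user salt, verifies with a constant-time compare, and calibrates the iteration count to a millisecond budget using the fact that PBKDF2 cost is linear in the iteration count. The hash name, salt size, derived-key length, storage string format and the 10,000-iteration probe are assumptions chosen for the example.

```python
"""PBKDF2-SHA512 password storage with an iteration count tuned to a latency budget.

Added example; parameters below are assumptions for illustration, not values
from the thread or from any real deployment.
"""
import hashlib
import hmac
import os
import time
from typing import List, Optional

HASH_NAME = "sha512"   # assumed PRF for pbkdf2_hmac
SALT_BYTES = 16        # assumed per-user salt size
DK_LEN = 64            # assumed derived-key length (one SHA-512 block output)


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Return "pbkdf2_sha512$<iterations>$<salt hex>$<dk hex>".

    A fresh random salt is drawn per call unless one is supplied (tests only);
    iterations are stored alongside so the cost can be raised later without
    breaking verification of older records.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, DK_LEN)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, not 4 fields
    if algo != f"pbkdf2_{HASH_NAME}":
        return False
    dk = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters), DK_LEN
    )
    # hmac.compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def time_pbkdf2(iterations: int, rounds: int = 3) -> float:
    """Median wall-clock milliseconds for one derivation at `iterations` on this machine."""
    samples: List[float] = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac(HASH_NAME, b"benchmark-password", b"\x00" * SALT_BYTES, iterations, DK_LEN)
        samples.append((time.perf_counter() - t0) * 1000.0)
    samples.sort()
    return samples[len(samples) // 2]


def calibrate_iterations(target_ms: float, probe_iterations: int = 10_000, floor: int = 1_000) -> int:
    """Pick an iteration count whose single-derivation cost fits `target_ms`.

    PBKDF2 work is linear in the iteration count, so one probe gives ms per
    iteration and the budget scales directly. Never returns less than `floor`.
    """
    ms_per_iter = time_pbkdf2(probe_iterations) / probe_iterations
    if ms_per_iter <= 0:
        return floor
    return max(floor, int(target_ms / ms_per_iter))


def max_logins_per_second(iterations: int, cores: int = 1) -> float:
    """Upper bound on verifications per second from hashing cost alone (no I/O, no framework)."""
    return cores * 1000.0 / time_pbkdf2(iterations)


if __name__ == "__main__":
    budget_ms = 16.0  # the one-frame budget mentioned in the thread, as a target
    n = calibrate_iterations(budget_ms)
    print(f"iterations fitting {budget_ms} ms on this host: {n}")
    print(f"measured cost at {n} iterations: {time_pbkdf2(n):.2f} ms")
    print(f"hashing-only ceiling, one core: {max_logins_per_second(n):.1f} logins/s")
    record = hash_password("correct horse battery staple", n)
    print("stored record:", record)
    print("verify ok:", verify_password("correct horse battery staple", record))
```

Running the file prints the iteration count that fits a 16ms budget on the current host and the resulting ceiling on verifications per second per core; that ceiling is the hashing cost alone, before any of the stack overhead discussed above, so a real login service sees less. The same ms-per-iteration figure governs an offline guesser on comparable hardware, so raising the count scales both sides by the same constant factor; pick the budget with that trade-off in mind rather than treating the count as free.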
-
@Groaner said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
Granted, you could move the login processing to a worker thread that calls back with a login result... until the queue piles up. Then, you might consider having a dedicated login server, but I'd hope one wouldn't need that until around 107 users.
Proud to announce:
-
@boomzilla said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
107
When is NodeBB going to get away from having all the same bugs as Discourse?
-
@Tsaukpaetra said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
@Groaner said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
@Tsaukpaetra said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
@Groaner said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
No, the requirement that you stay under 16ms per frame, in the example of a game server.
Again, LOGGING IN EVERY 16 MS IS
Having 3600 people log in during an hour would be sufficient to meet this condition. That's about two orders of magnitude smaller than what Steam handles between, say, 2AM and 4AM.
And does Steam gate all of its logins through a single server?
Edit: Besides, that's logged-in sessions, not unique new login requests. Totally different!
More importantly, does Steam's login process have to run within one frame?
No, because that'd be stupid.
-
@pydsigner they're not bugs, they're features of next generation forum software designed for the next 8-ish years.
Because all that pagination nonsense and non-jelly-potato forum experience is so toxic.
I should know, I used to be a dev on said toxic hellstew forum software and I can truly see what Discourse means by its plans for the next generation of forum software.
-
@Arantor said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
I can truly see what Discourse means by its plans for the next generation of forum software.
In this case I would suggest getting some (new) glasses.
Not even @end knows where it is heading... Filed Under: alternatively, I could suggest a carrier in being a psychic!
-
I knew I read this before!
https://what.thedailywtf.com/topic/8164/as-seen-on-serverfault-com
-
@pydsigner said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
When is NodeBB going to get away from having all the same bugs as Discourse?
Lol
-
@Kuro said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
Filed Under: alternatively, I could suggest a carrier in being a psychic!
Carrier: One who is infected with a contagious disease and infects others without necessarily exhibiting any symptoms.
Well, Discourse is a disease.
-
In this case, it's less 'server fault' and more 'face fault'.
-
@Tsaukpaetra said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
Are all thousands of (legitimate) users constantly logging in every second? Because there would be a nice TRWTF there if I ever saw one...
I've hit those sorts of levels with sites doing session-less API access. There are ways to accelerate them.
-
@dkf said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
sites doing session-less API access. There are ways to accelerate them.
Do any of those ways not involve keeping some amount of per-client state server-side, which pretty much amounts to Sessions Lite?
-
@flabdablet said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
Do any of those ways not involve keeping some amount of per-client state server-side, which pretty much amounts to Sessions Lite?
Yes. They were also evil as hell.
-
@boomzilla said in Our security auditor is an idiot. How do I give him the information he wants? (Server Fault):
Proud to announce:
I think there's something wrong with your link...