The Official Status Thread
-
@twelvebaud Our company controls both sides, but I wasn't there when it was being designed or coded, and it's fucking complicated as shit. It also had a bunch of concepts like an "audience" which I've never heard of before when using OAuth. I still don't know what the fuck an "audience" is.
OAuth is one of those things that like open source-y code-code-code-code-code guys really love, but everybody else at best tolerates. Much like Git and Markdown.
But it's shit. Utter shit. I can't even imagine how to make a less friendly system.
-
@blakeyrat It's the system the token is "good for". That way you can't ask an IdP for a token granting a subject access to one system and use it at another that coincidentally has the same scope names.
-
@twelvebaud said in The Official Status Thread:
It's the system the token is "good for".
And the word "audience" communicates that... how?
... also don't answer that, I don't give a fuck, the piece of shit works now I'm never touching it again.
-
@blakeyrat I'm all in favor of that, and'd send you some sort of alcoholic beverage if I could.
-
@twelvebaud What's stopping you? Give me all the booze.
-
@twelvebaud said in The Official Status Thread:
I forget, is UID/username mapping considered an information disclosure vulnerability
I wouldn't think so. UIDs aren't really private information.
-
@twelvebaud said in The Official Status Thread:
... huh
People are actually registering? Well I'll be damned...
-
@greybeard that's stupid. If it's complicated, fewer people will bother (meaning more insecure software), and a ton of people will screw up the implementation (meaning more insecure software).
What you're saying is more high priest of technology bullshit than valid software development advice.
-
@blakeyrat It’s a natural law. My rule of thumb is that anything crypto takes three times as long.
-
@blakeyrat said in The Official Status Thread:
And the word "audience" communicates that... how?
Not the best name for it. But the SAML specification uses the same terminology:
<saml:AudienceRestriction>
<saml:Audience>https://sp.example.com/SAML2</saml:Audience>
</saml:AudienceRestriction>
So I wonder whether one was following the other or whether there simply turned out not to be much in the way of a better name.
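Twelvebaud's explanation of "audience" a few posts up and the SAML AudienceRestriction element quoted here both come down to one check on the receiving side: the system named in the token must be the system that is verifying it. As an added example (not code from the thread or from any OAuth/SAML library), here is a stdlib-only HS256 JWT issuer and the resource-server check that goes with it. The key, issuer and the two hostnames are constructed placeholders; both services deliberately use a scope called "read" so that only the aud claim tells them apart.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the IdP and both resource servers (HS256).
# A real IdP would normally publish an asymmetric key; the audience logic is identical.
IDP_KEY = b"constructed-demo-key-do-not-reuse"
ISSUER = "https://idp.example.test"          # hypothetical issuer, not from the thread


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, subject: str, audience: str, scopes: list, now: int, ttl: int = 300) -> str:
    """IdP side: sign a compact JWT whose aud names the one system it is good for."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": audience,
              "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    body = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
            + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64url(sig)


def rejection_reason(token: str, key: bytes, my_audience: str, required_scope: str, now: int):
    """Resource-server side: None if the token is acceptable here, otherwise why not.
    The signature is checked before anything in the claims is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed token"
    head_b64, claims_b64, sig_b64 = parts
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return "bad signature"
        header = json.loads(_unb64url(head_b64))
        claims = json.loads(_unb64url(claims_b64))
    except (ValueError, UnicodeDecodeError):      # covers base64 and JSON decode errors
        return "undecodable token"
    if header.get("alg") != "HS256":
        return "unexpected alg"
    if claims.get("iss") != ISSUER:
        return "unknown issuer"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return "expired"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if my_audience not in audiences:
        # This is the whole point of the claim: a token minted for billing is not good for HR,
        # even though both happen to recognise a scope called "read".
        return "audience mismatch: token is for " + ", ".join(map(str, audiences))
    if required_scope not in claims.get("scope", "").split():
        return "missing scope " + required_scope
    return None


# Fixed values so the outcome is reproducible (constructed).
DEMO_NOW = 1_700_000_000
DEMO_TOKEN = mint_token(IDP_KEY, "alice", "https://billing.example.test", ["read"], DEMO_NOW)

if __name__ == "__main__":
    now = int(time.time())
    tok = mint_token(IDP_KEY, "alice", "https://billing.example.test", ["read"], now)
    print("billing:", rejection_reason(tok, IDP_KEY, "https://billing.example.test", "read", now))
    print("hr:     ", rejection_reason(tok, IDP_KEY, "https://hr.example.test", "read", now))
```

The order of checks is deliberate: signature first, then issuer, expiry, audience, scope. A service that skips the audience check and relies on scope names alone is exactly the "coincidentally has the same scope names" failure described above.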
-
@blakeyrat said in The Official Status Thread:
and a ton of people will screw up the implementation
Rule 1 of security software is don't roll your own crypto.
If a developer doesn't understand rule 1, how many other mistakes are they going to immediately make?
-
@ben_lubar said in The Official Status Thread:
Rule 1 of security software is don't roll your own crypto.
Right; but if you make the pre-built crypto UTTERLY INSCRUTABLE, you're encouraging (whether you intended to or not) people to roll their own crypto.
Look, it's like the privacy nerd who sits around and whines that nobody uses PGP to encrypt their emails to him. Of course they don't, PGP is a fucking bitch to use. If it's not usable, people aren't going to use it.
-
@ben_lubar said in The Official Status Thread:
how many other mistakes are they going to immediately make?
How does "makes the GUID column a 255 widechar column in the database" sound?
-
@tsaukpaetra said in The Official Status Thread:
@ben_lubar said in The Official Status Thread:
how many other mistakes are they going to immediately make?
How does "makes the GUID column a 255 widechar column in the database" sound?
"and then accepts arbitrary string input for that GUID on the website and injects it directly into a SQL query"
-
@blakeyrat said in The Official Status Thread:
@ben_lubar said in The Official Status Thread:
Rule 1 of security software is don't roll your own crypto.
Right; but if you make the pre-built crypto UTTERLY INSCRUTABLE, you're encouraging (whether you intended to or not) people to roll their own crypto.
Look, it's like the privacy nerd who sits around and whines that nobody uses PGP to encrypt their emails to him. Of course they don't, PGP is a fucking bitch to use. If it's not usable, people aren't going to use it.
If that's too complicated for a programmer, they probably shouldn't be trying to tackle anything related to HTTP until they figure out some simpler stuff.
-
@ben_lubar Yeah the implementation I did was at least 4 times more complicated than your little contrived example.
-
@blakeyrat said in The Official Status Thread:
@ben_lubar Yeah the implementation I did was at least 4 times more complicated than your little contrived example.
Wow, TWELVE function calls?
-
@ben_lubar said in The Official Status Thread:
@blakeyrat said in The Official Status Thread:
@ben_lubar Yeah the implementation I did was at least 4 times more complicated than your little contrived example.
Wow, TWELVE function calls?
By the way, the OAuth2 spec has 3 requests in the outline:
So if your implementation of the protocol uses 12 function calls, I guess that means you're doing 2 auth calls and then 10 authorized requests?
-
@luhmann said in The Official Status Thread:
@tsaukpaetra said in The Official Status Thread:
glean my password...
It isn't hunter2 ?
Ben made that joke during the stream. Should I award a badge?
-
@tsaukpaetra
The Huntsman badge for guessing the Password
-
@luhmann said in The Official Status Thread:
@tsaukpaetra
The Huntsman badge for guessing the Password
Sure. If he's bored enough and I'm bored enough, that will definitely not be knelt with quickly.
-
@blakeyrat said in The Official Status Thread:
I can't even imagine how to make a less friendly system.
More OIDs. More bizarre undocumented back-channels.
-
@ben_lubar said in The Official Status Thread:
@tsaukpaetra said in The Official Status Thread:
@ben_lubar said in The Official Status Thread:
how many other mistakes are they going to immediately make?
How does "makes the GUID column a 255 widechar column in the database" sound?
"and then accepts arbitrary string input for that GUID on the website and injects it directly into a SQL query"
"Don't worry! It's all checked by the client before it sends it over."
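The chain of mistakes in this exchange (an untyped GUID column, the request string pasted into SQL, validation done only in the browser) has a short fix on the server. As an added example, not code from the thread: an in-memory SQLite table with constructed rows, the unsafe lookup shown only to make the failure visible, and the hardened lookup that re-validates the GUID server-side and binds it as a parameter. Table, column and user names are all made up.

```python
import sqlite3
import uuid


def build_db() -> sqlite3.Connection:
    """Constructed sample data. The CHECK pins the column to the 36-char canonical form;
    an engine with a native uuid/uniqueidentifier type would be better still."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id TEXT PRIMARY KEY CHECK (length(id) = 36), name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("3f1e2a40-8d3b-4c7a-9e21-5b6f0d9a1c11", "alice"),
        ("9b7c6d5e-4f3a-4b2c-8d1e-0f9a8b7c6d5e", "bob"),
    ])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, guid_from_request: str) -> list:
    """The mistake from the thread: whatever the client sent goes straight into the SQL text.
    Kept here only to show what the hardened version prevents; never ship this."""
    sql = f"SELECT name FROM users WHERE id = '{guid_from_request}'"
    return [row[0] for row in conn.execute(sql)]


def normalise_guid(value: str) -> str:
    """Raise ValueError unless the input is a GUID; return the canonical lowercase form.
    uuid.UUID accepts braces, urn:uuid: prefixes and upper case, so the same key
    always lands on the same row regardless of how the client spelled it."""
    return str(uuid.UUID(value))


def lookup_safe(conn: sqlite3.Connection, guid_from_request: str) -> tuple:
    """Validate on the server regardless of what the client promised, then bind."""
    try:
        guid = normalise_guid(guid_from_request)
    except (ValueError, AttributeError, TypeError):
        return ("rejected", "not a GUID")
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (guid,)).fetchall()
    return ("ok", [row[0] for row in rows])


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"                      # classic tautology, for contrast only
    print("unsafe:", lookup_unsafe(db, probe))   # every user comes back
    print("safe:  ", lookup_safe(db, probe))     # rejected before any SQL runs
    print("safe:  ", lookup_safe(db, "{3F1E2A40-8D3B-4C7A-9E21-5B6F0D9A1C11}"))
```

Two things do the work: the parameter binding means the value can never change the shape of the statement, and the uuid parse means the column only ever sees 36-character canonical GUIDs, so the 255-widechar column and the "checked by the client" promise both become irrelevant.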
-
@dkf said in The Official Status Thread:
@ben_lubar said in The Official Status Thread:
@tsaukpaetra said in The Official Status Thread:
@ben_lubar said in The Official Status Thread:
how many other mistakes are they going to immediately make?
How does "makes the GUID column a 255 widechar column in the database" sound?
"and then accepts arbitrary string input for that GUID on the website and injects it directly into a SQL query"
"Don't worry! It's all checked by the client before it sends it over."
I probably shouldn't mention the upload endpoint that merely requires a user token and the promise that whatever you gave it was indeed an image...
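The upload endpoint dkf describes trusts two things it should not: the token alone as authorisation to store arbitrary bytes, and the client's word that the bytes are an image. As an added example (not code from the thread or from any real upload handler), here is the server-side inspection step: a size cap, content sniffing by magic bytes, a dimension sanity check read from the PNG IHDR or GIF logical-screen header, and a server-chosen content type for serving. The limits and the helper names are constructed for the demo; the PNG/GIF samples are header fragments, not complete images.

```python
import struct

# Constructed policy values for the demo.
MAX_UPLOAD_BYTES = 2 * 1024 * 1024
MAX_PIXELS = 16_000_000


def _png_dimensions(data: bytes) -> tuple:
    # PNG layout: 8-byte signature, then the IHDR chunk: length(4) "IHDR" width(4) height(4) ...
    if len(data) < 24 or data[12:16] != b"IHDR":
        raise ValueError("PNG without IHDR")
    return struct.unpack(">II", data[16:24])


def _gif_dimensions(data: bytes) -> tuple:
    # GIF layout: 6-byte signature, then little-endian logical screen width and height.
    if len(data) < 10:
        raise ValueError("GIF header truncated")
    return struct.unpack("<HH", data[6:10])


# (magic bytes, content type the server will use, dimension reader)
SNIFFERS = [
    (b"\x89PNG\r\n\x1a\n", "image/png", _png_dimensions),
    (b"GIF87a", "image/gif", _gif_dimensions),
    (b"GIF89a", "image/gif", _gif_dimensions),
]


def _reject(reason: str) -> dict:
    return {"accepted": False, "reason": reason, "content_type": None, "headers": {}}


def inspect_upload(declared_content_type: str, data: bytes) -> dict:
    """Decide from the bytes themselves; the declared type is only echoed in the reason."""
    if len(data) > MAX_UPLOAD_BYTES:
        return _reject("too large")
    for magic, content_type, read_dims in SNIFFERS:
        if not data.startswith(magic):
            continue
        try:
            width, height = read_dims(data)
        except ValueError as exc:
            return _reject(str(exc))
        if width == 0 or height == 0 or width * height > MAX_PIXELS:
            return _reject("implausible dimensions")
        return {
            "accepted": True,
            "reason": "ok",
            "content_type": content_type,
            # Serve with the sniffed type and forbid browser re-sniffing, so a file that is
            # also valid HTML is never interpreted as HTML on the way back out.
            "headers": {"Content-Type": content_type, "X-Content-Type-Options": "nosniff"},
        }
    return _reject(f"payload is not a supported image (client declared {declared_content_type!r})")


def sample_png_header(width: int, height: int) -> bytes:
    """Constructed: signature plus IHDR only, enough for the checks above, not a decodable image."""
    ihdr = struct.pack(">II", width, height) + bytes([8, 2, 0, 0, 0])
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\x00" * 4


def sample_gif_header(width: int, height: int) -> bytes:
    """Constructed: GIF89a signature plus logical screen descriptor."""
    return b"GIF89a" + struct.pack("<HH", width, height) + b"\x00\x00\x00"


if __name__ == "__main__":
    print(inspect_upload("image/png", sample_png_header(2, 2)))
    print(inspect_upload("image/png", b"<!doctype html><title>not an image</title>"))
    print(inspect_upload("image/gif", sample_gif_header(65535, 65535)))
```

Sniffing plus a dimension cap stops the obvious cases (HTML or scripts stored under an image name, headers that claim a 4-gigapixel canvas). A full decode in an isolated worker is the next step if the images are ever processed rather than just stored.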
-
So I manage AT LONG LAST, to get a couple of hours off for lunch, AND, because I can't leave my desk unattended, I get the janitor in and have him sit in my chair. I tell him that all he has to do is make sure the receiver doesn't accidentally get put back on the hook. He agrees and I'm off.
First stop, the bank. I change a $50 note into coins and then ask to see a balance of my account. Then I yank the power lead out of the teller's vdu. It dies. I say I'm in a hurry and is the manager around?
He rolls over like a man-sized twinkie and asks what the problem is. I say that all I want is a balance of my accounts. I cross my fingers. YES! He finds the vdu lead out, plugs it in, and logs in, TO THE MANAGER'S ACCOUNT. Now's my chance - I slip up against the counter, slopping 200 coins across the counter. The manager ignores it, but all the tellers dive for the money. I watch, unobserved, as the manager types in his password at the breakneck speed of one character a minute. At that rate I should've got $100 worth.... He finishes typing. "MONEY". What a toughy! Well, that's my mortgage taken care of tonight...
-
@ben_lubar When stuff no workee, it takes forever to diagnose. Because you don’t get useful error messages such as “the credential supplied should have been ‘hunter2’”.
Then you have to deploy/provision all those dependencies into integration and production.
-
@greybeard said in The Official Status Thread:
@ben_lubar When stuff no workee, it takes forever to diagnose. Because you don’t get useful error messages such as “the credential supplied should have been ‘hunter2’”.
Then you have to deploy/provision all those dependencies into integration and production.
Remember when Wikipedia increased their password length requirement to 1 character for security reasons?
-
@ben_lubar wtf happen!!
-
@bb36e said in The Official Status Thread:
@ben_lubar wtf happen!!
I linked my discourse. Did you read the topic to get rid of it?
-
@bb36e looks like the bootswatch skin is applying its own styles to the nav bar.
-
@ben_lubar said in The Official Status Thread:
@bb36e looks like the bootswatch skin is applying its own styles to the nav bar.
*sugh* one day themes will work right...
-
@tsaukpaetra said in The Official Status Thread:
@bb36e said in The Official Status Thread:
Pulling requests are accepted?
Status: dammit I refreshed!
Edit: cut over to herelink text
-
Status: thanks, I guess...
-
After about 3 years of trying, I am finally managing to be consistently productive for 8 hours a day!
-
@anonymous234 said in The Official Status Thread:
After about 3 years of trying, I am finally managing to be consistently productive for 8 hours a day!
That's quite a feat....
-
Status: Back on the desktop. Apparently the weird theme breakage isn't happening there.
On the pinch of @Ben-L , it might be due to Unresponsive Plugin, but trying to connect to my phone so I can apply the fix:
Yeah, way helpful, Chrome..
-
Status: I borked something...
2018-02-05T03:06:25.310Z [11569] - error: [build] client js bundle build failed
2018-02-05T03:06:25.311Z [11569] - error: [build] Encountered error during build step SyntaxError: Unexpected token: num (1)
    at JS_Parse_Error.get (eval at <anonymous> (/root/nodebb/node_modules/uglify-js/tools/node.js:21:1), <anonymous>:75:23)
    at Object.exports.log (/root/nodebb/node_modules/winston/lib/winston/common.js:241:18)
    at Console.log (/root/nodebb/node_modules/winston/lib/winston/transports/console.js:99:19)
    at transportLog (/root/nodebb/node_modules/winston/lib/winston/logger.js:234:15)
    at /root/nodebb/node_modules/winston/node_modules/async/lib/async.js:157:13
    at _each (/root/nodebb/node_modules/winston/node_modules/async/lib/async.js:57:9)
    at Object.async.each (/root/nodebb/node_modules/winston/node_modules/async/lib/async.js:156:9)
    at Logger.log (/root/nodebb/node_modules/winston/lib/winston/logger.js:246:9)
    at Object.winston.(anonymous function) [as log] (/root/nodebb/node_modules/winston/lib/winston.js:86:34)
    at Object.target.(anonymous function) [as error] (/root/nodebb/node_modules/winston/lib/winston/common.js:54:18)
Error occurred during upgrade
/root/nodebb/src/cli/upgrade.js:69
    throw err;
    ^
SyntaxError: Unexpected token: num (1)
    at JS_Parse_Error.get (eval at <anonymous> (/root/nodebb/node_modules/uglify-js/tools/node.js:21:1), <anonymous>:75:23)
root@nodebb-sfo2-01:~/nodebb#
Edit: Found it. It was the plugin "nodebb-plugin-html5videoplayer".
Off to submit a bug report I guess...
-
@tsaukpaetra NodeBB is just one giant bork.
-
@pie_flavor said in The Official Status Thread:
@tsaukpaetra NodeBB is just one giant bork.
Oh? Let me randomly install thirty plugins on the discourse and see how it likes it.
-
@tsaukpaetra Discurse is one giant bork with or without plug-ins.
-
@hardwaregeek said in The Official Status Thread:
@tsaukpaetra Discurse is one giant bork with or without plug-ins.
Heh.
-
@tsaukpaetra said in The Official Status Thread:
I borked something...
2018-02-05T04:12:50.976Z [12843] - error: [build] client side styles build failed
2018-02-05T04:12:50.977Z [12843] - error: [build] Encountered error during build step type=Name, filename=/root/nodebb/node_modules/nodebb-plugin-composer-default/static/less/composer.less, index=5194, line=354, callLine=NaN, callExtract=undefined, column=19, extract=[, @media (max-width: @screen-sm-max) {, html.composing {], message=variable @screen-sm-max is undefined, stack=undefined
Somehow composer is broken? :/
Wack...
-
@tsaukpaetra You've only just noticed that the composer is broken?
-
@pie_flavor said in The Official Status Thread:
@tsaukpaetra You've only just noticed that the composer is broken?
Apparently a theme didn't contain some attribute or another and so failed to compile.
-
@deadfast said in The Official Status Thread:
I just updated a bunch of things including the kernel on my NUC. It took about two minutes and zero restarts. Meanwhile my gaming PC has been updating for the past half hour, restarted at least three times, creeped me out with a massive "Hi!" and reset my keyboard layout. Tell me again which is the more user-friendly system?
Status: Just installed a couple of updates for Windows. Neither required a restart.