:wtf: How can this be so wrong??? (AKA the Discopocalypse thread)
-
Awwww. So they still do read this forum?
-
That's why Sinterklaas is better. He sends his minions down.
Slavery is better?
-
Awh, the DiscoDevs are deliberately breaking the MD5-thingamagic because we use it to have fun (and bypass word filters)? That's no fun :(
Also: why is this tagged as "SECURITY"? There was no security risk involved with the MD5-hashing, right?
Also 2: given that @sam and @end have perma-banned themselves from here, shouldn't they be IP-banned too?
-
Does this mean the
***\****
or however that thing worked doesn't work anymore either?
-
Awwww. So they still do read this forum?
Why wouldn't they? Who else is going to do QA?
Also 2: given that @sam and @end have perma-banned themselves from here, shouldn't they be IP-banned too?
I believe I suggested that. Not sure why we don't IP-ban any IP associated with them.
Or at least move this thread to the Lounge so they stop getting more free bug reports from us.
-
GREAT SUCCESS
-
Does this mean the
***\****
or however that thing worked doesn't work anymore either?
The MD5-tomfoolery will stop working once the Discourse instance gets upgraded to the latest and greatest *cough* version. The DiscoDevs switched to GUIDs as temporary placeholders.
The whole parser-that-replaces-text thing still is batshit crazy though.
-
I do wonder why they used text replacement and not proper tokenization.
-
I do wonder why they used text replacement and not proper tokenization.
Incompetence? Seriously, could there possibly be any other reason?
-
Laziness? I don't have a proper uni cs education, but this is basic stuff.
-
Incompetence? Seriously, could there possibly be any other reason?
I was gonna go with "because they're retards", but it amounts to the same thing.
-
The DiscoDevs switched to GUIDs as temporary placeholders.
So now it's secure because it's obscure, amiright?
-
Slavery? They're black from going down the chimney!
-
It does precisely nothing to enhance security. It does show that the DiscoDevs are still focused on enforcing 'civilised discourse' rather than, say, work on the quality of their product.
Filed under: 502 OK
-
It does precisely nothing to enhance security.
It reduces the "hash bomb" to one level, no? You can still write lots of text, get a GUID for that and reference it multiple times, but you can't easily repeat that for the GUID. Haven't tried it though. Can anyone make a Discourse instance with that patch in?
-
You can still write lots of text, get a ~~GUID~~ hash for that and reference it multiple times, but you can't ~~easily~~ repeat that for the GUID.
FTFY; the GUID isn't generated based on any part of the post content.
-
FTFY
No. There is no hash anymore.
the GUID isn't generated based on any part of the post content.
I didn't say it was.
-
-
There is no hash
There is on this plate:
https://upload.wikimedia.org/wikipedia/commons/1/15/Corned_beef_hash_at_the_Creamery_(Nina's_breakfast).jpg
-
E_WOODEN_TABLE_FAIL
<fail I tell you!
-
It reduces the "hash bomb" to one level, no? You can still write lots of text, get a GUID for that and reference it multiple times, but you can't easily repeat that for the GUID.
As far as I understand the changed JS files, the GUID is generated randomly each time a code block is encountered. Hence, you can't re-use it.
-
As far as I understand the changed JS files, the GUID is generated randomly each time a code block is encountered. Hence, you can't re-use it.
So why do you say they did nothing to enhance security? Sounds to me like they plugged the hole.
-
I really CBA to go poring through their awful JS trying to work out what the fuck they're doing, but surely replacing the MD5 (which is directly tied to the text) by a GUID (which is not) requires some sort of storage to link one to the other. Otherwise it's just a random number apropos of nothing, no?
And I can't see any way that using a GUID instead of an MD5 somehow makes it any less possible to reuse that GUID multiple times in the same post.
Or how, in fact, this band-aid over a retarded design decision is in any way "better".
But then I could never really grok how the fuck they thought the original MD5 thing was good idea, either.
-
I think the 'SECURITY' tag is incorrect, it's not like this 'feature' allowed people to steal cookies. All we could do is mention @LB_.
@tufty: they used the MD5 hash to store the original text in an array, and replace the block with the hash. They do this to prevent their Markdown parser from falling flat on its face when it encounters a code block. After Markdown parsing the original text is put back in. They have now swapped that md5 hash with a random GUID.
-
And I can't see any way that using a GUID instead of an MD5 somehow makes it any less possible to reuse that GUID multiple times in the same post.
I'll pay you $1,000,000,000 if you can successfully predict the GUID that will be generated for a particular post.
Of course, my money is safe because predicting the generated GUID is practically impossible
-
Ah, right, client side only and generated every time they parse. Every time their parser encounters a `code` block.
I wonder what happens, client side, if a post were to feature an excessive number of code blocks. If, for example, it consisted only of c``o``d``e tokens surrounding individual nonprinting glyphs.
-
Of course, my money is safe because predicting the generated GUID is practically impossible
It's the DiscoDevs... do you think they follow a standard secure procedure to produce their GUIDs? It's probably only secure because there can be no bots on Discourse.
Filed Under: you might want to retract your bet, just to be on the save side
-
Of course, my money is safe because predicting ~~the generated GUID~~ Discourse behaviour in any given case is practically impossible
FTFY
-
They use an algorithm that's actually more secure than the one we use in SockBot:
Ours is prone to collisions; there's isn't (according to the answer on StackOverflow anyway).
-
I wonder what happens, client side, if a post were to feature an excessive number of code blocks.
I suspect you'll hit a post size limit at some point long before duplicating a GUID becomes an issue.
-
Until decides that the GUIDs aren't civilized enough.
: "guys, our GUIDs aren't looking nice enough!
:everybody: : "Nobody should ever see the GUIDs, why do you even care?
No, they need to be visible now and I want them ingreenblueyellow and all the GUIDs need to be "Discourse"
:everybody: : WTF
: bans everybodyK: every GUID is "Discourse"
Hedgehog: Damn, here are your $1,000,000,000. How foolish of me to have ever made that claim!
there's
At least put a hidden into your post for such bait!
-
@RaceProUK said:
there's
At least put a hidden into your post for such bait!
That was completely accidental
-
That was completely accidental
So are the GUIDs Discourse is using, I assume
Filed Under: is @accalia rubbing (off on) you?
-
-
I suspect you'll hit a post size limit at some point long before duplicating a GUID becomes an issue.
I was thinking more in performance terms.
-
Now that I give it another thought, this change does fix one hole: the one that allows you to go over the maximum post length, and potentially DoS the client.
-
Ours is prone to collisions
well... yes, it's still pretty damn rare, given that (depending on how you measure) our GUIDs have between 100 and 128 bits of entropy
:simple_smile:
they do the job. ;-)
-
Now that I give it another thought, this change does fix one hole: the one that allows you to go over the maximum post length, and potentially DoS the client.
That's the only hole we have been talking about regarding this whole MD5 shit, isn't it?
-
NOTE: This is not currently deployed. We're currently testing this during certain business hours and reverting it outside of them.
Set up a test instance? Nah, just fuck around with our only support method, why not, dogfooding rules.
Pending:
- Scrolling up is not working
- can't click the avatar of who closed a post
-
You guys are always awesome at helping with this kind of thing.
Except if you're from TDWTF, then you get banned.
-
I was thinking more in performance terms.
You're as TCDCK don't ever seem to think in performance terms!
(Interpretive Dance is specifically excluded.)
-
Of course, my money is safe because predicting the generated GUID is practically impossible
Need I remind you who is generating these guids? Would you really be shocked to see the guid: 00000-00-000001?
-
Having seen the code they're using, actually yes, I would
They basically copied it from SO
-
You have activated my trap card!
Remembrance of the Past allows me to play Infinite Regression from my graveyard, sealing your doom!
-
TCDCK don't ever seem to think in performance terms
They do SO. You want performance, you'd better think about getting a bigger machine.
-
-
Need I remind you who is generating these guids?
/me is waiting for the time when they decide they need a "GUID CDN"
-
It's the DiscoDevs... do you think they follow a standard secure procedure to produce their GUIDs?
SELECT MAX(id)+1 AS guid FROM guids
-
-
Actually, yes; they pasted the URL in a comment