WTF Bites
-
@boomzilla
Just think how much more fun the would be if we were still infected with Discobrainworms!
-
Sure, tell me all about The Division 2 on my work laptop. I'm assuming "Legion Game Store" is some Lenovo thing, and that I didn't accidentally install some sketchy game store while doing a Kubernetes tutorial.
-
I’m deleting any “me too” posts. If you’re not adding any new information, please use the voting feature at the top of this thread instead.
-
@loopback0 said in WTF Bites:
I’m deleting any “me too” posts. If you’re not adding any new information, please use the voting feature at the top of this thread instead.
Admittedly, those "me too"s are annoying when you've got problems to fix.
For full Jeffness we would need a report of deleted, inconvenient bug reports.
-
Spotify sent me an email: we detected unusual activity on your account. We won't say what it was, so fuck you if you thought you might be able to determine if your password got compromised. It just was unusual. Trust us. We're trustworthy, right? Anyway, so we reset your password. I mean, we did reset your password, but here is a huge green button that you can click to reset your password. Cause you know that resetting means resetting means invalidating, right? Yeah. Words don't have meaning, just ask @Gąska. Ah, right, so back to your password. Did you click the link? And? What? You're bewildered cause the link is no longer valid? Hey, we said we reset your password so you could reset your password, no one said that you could actually reset your password. Anyway, here, just input your email and we'll send you a new link that will reset your password for sure.
We hope you had fun with our completely unambiguous security procedures. Hope you'll use our service again and recommend it to your friends.
-
Words don't have meaning, just ask @Gąska.
What?
You always ~~argue against~~ rant about new definitions of words.
-
Words don't have meaning, just ask @Gąska.
What?
You always argue against new definitions of words.
Yeah, but that's kinda the opposite of what they've done.
-
Words don't have meaning, just ask @Gąska.
What?
You always argue against new definitions of words.
Yeah, but that's kinda the opposite of what they've done.
Yeah. Exactly.
-
Error message (anonymized): Error! Value 0x123 looks not equal to value -1. Setting to 0x456.
Looks not equal? You don't say!
-
Spotify sent me an email: we detected unusual activity on your account. We won't say what it was, so fuck you if you thought you might be able to determine if your password got compromised. It just was unusual. Trust us. We're trustworthy, right? Anyway, so we reset your password. I mean, we did reset your password, but here is a huge green button that you can click to reset your password. Cause you know that resetting means resetting means invalidating, right? Yeah. Words don't have meaning, just ask @Gąska. Ah, right, so back to your password. Did you click the link? And? What? You're bewildered cause the link is no longer valid? Hey, we said we reset your password so you could reset your password, no one said that you could actually reset your password. Anyway, here, just input your email and we'll send you a new link that will reset your password for sure.
We hope you had fun with our completely unambiguous security procedures. Hope you'll use our service again and recommend it to your friends.
I think I know why this happened. At work I need to log in to a Swedish VPN to access client's test envs. So my guess is, they detected I logged in from Sweden, then from Poland. SUSPICIOUS!
-
Spotify sent me an email: we detected unusual activity on your account. We won't say what it was, so fuck you if you thought you might be able to determine if your password got compromised. It just was unusual. Trust us. We're trustworthy, right? Anyway, so we reset your password. I mean, we did reset your password, but here is a huge green button that you can click to reset your password. Cause you know that resetting means resetting means invalidating, right? Yeah. Words don't have meaning, just ask @Gąska. Ah, right, so back to your password. Did you click the link? And? What? You're bewildered cause the link is no longer valid? Hey, we said we reset your password so you could reset your password, no one said that you could actually reset your password. Anyway, here, just input your email and we'll send you a new link that will reset your password for sure.
We hope you had fun with our completely unambiguous security procedures. Hope you'll use our service again and recommend it to your friends.
I think I know why this happened. At work I need to log in to a Swedish VPN to access client's test envs. So my guess is, they detected I logged in from Sweden, then from Poland. SUSPICIOUS!
And I've had some actual suspicious activity on my spotify account, some turdmuncher has used it to listen to rap and hiphop, which is in rather stark contrast to my usual various forms of metal, with death being the most common.
I've logged in to find someone playing that shit live a couple of times. Since the password and login are specific to Spotify, I don't give much of a fuck about it, and it gave me the opportunity to have some gangsta wannabe play Blümchen to his mates. Or other questionable material, like that whatwhat song...
Now, I did change password after he started playing that mongoloid shit while I was at work and listening to Arch Enemy. So, rant aside, Spotify does have a shit "Suspicious activity" detection.
-
Spotify sent me an email: we detected unusual activity on your account. We won't say what it was, so fuck you if you thought you might be able to determine if your password got compromised. It just was unusual. Trust us. We're trustworthy, right? Anyway, so we reset your password. I mean, we did reset your password, but here is a huge green button that you can click to reset your password. Cause you know that resetting means resetting means invalidating, right? Yeah. Words don't have meaning, just ask @Gąska. Ah, right, so back to your password. Did you click the link? And? What? You're bewildered cause the link is no longer valid? Hey, we said we reset your password so you could reset your password, no one said that you could actually reset your password. Anyway, here, just input your email and we'll send you a new link that will reset your password for sure.
We hope you had fun with our completely unambiguous security procedures. Hope you'll use our service again and recommend it to your friends.
I think I know why this happened. At work I need to log in to a Swedish VPN to access client's test envs. So my guess is, they detected I logged in from Sweden, then from Poland. SUSPICIOUS!
And I've had some actual suspicious activity on my spotify account, some turdmuncher has used it to listen to rap and hiphop, which is in rather stark contrast to my usual various forms of metal, with death being the most common.
I've logged in to find someone playing that shit live a couple of times. Since the password and login are specific to Spotify, I don't give much of a fuck about it, and it gave me the opportunity to have some gangsta wannabe play Blümchen to his mates. Or other questionable material, like that whatwhat song...
Now, I did change password after he started playing that mongoloid shit while I was at work and listening to Arch Enemy. So, rant aside, Spotify does have a shit "Suspicious activity" detection.
"We've noticed some suspicious activity on your account. You've started listening to helluva lot of metal. It seems you are going through a depression and experience serious self-esteem issues. Please contact your psychiatrist. If you don't have one, here's a link to Swedish Psychiatry Association, they'll hook you up."
-
It seems you are going through a depression and experience serious self-esteem issues. Please contact your psychiatrist. If you don't have one, here's a link to ~~Swedish Psychiatry Association~~ java.com, they'll hook you up.
FTFY
-
It seems you are going through a depression and experience serious self-esteem issues. Please contact your psychiatrist. If you don't have one, here's a link to ~~Swedish Psychiatry Association~~ java.com, they'll hook you up.
FTFY
The ~~Evil~~ Counterproductive Ideas thread is .
-
ProcessStartInfo.ArgumentList parameter. Which is literally a plain old read-only list you can pass to the Process. Like there's no special difficulty here, the values are passed once by the user and read once by the library and that's it, there's no state that changes and you have to read back or anything. Just make it accept any IEnumerable<string> as is standard in every other function.
What did they end up implementing? A System.Collections.ObjectModel.Collection with no setter. You have to get the collection, then Add() the parameters.
-
@anonymous234 said in WTF Bites:
What did they end up implementing? A System.Collections.ObjectModel.Collection with no setter. You have to get the collection, then Add() the parameters.
Java guy here. Isn't Add() how you...erm...add things to collections?
-
@boomzilla Yes, but the problem (to me at least) is that if you have a collection of args already, you have to add them one by one instead of just setting the object's collection property to the collection you've already got, or initializing it with your collection.
-
Issuing digital certificates is hard work. Issuing correct digital certificates is just a bit harder.
The snafu is the result of the companies' misconfiguration of the open source EJBCA software package that many browser-trusted authorities use to generate certificates that secure websites, encrypt email, and digitally sign code. By default, EJBCA generated certificates with 64-bit serial numbers, in keeping, it seemed, with an industry mandate that serial numbers contain 64 bits of output from a secure pseudo-random number generator. Upon further scrutiny, engineers discovered that one of the 64 bits must be a fixed value to ensure the serial number is a positive integer. As a result, the EJBCA default produced a serial number with 63 bits of entropy.
The 63 bits is far off the mark of the required 64 bits and, as such, poses a theoretically unacceptable risk to the entire ecosystem. (Practically speaking, there’s almost no chance of the certificates being maliciously exploited. More about that later.) Adam Caudill, the security researcher who blogged about the mass misissuance last weekend, pointed out that it’s easy to think that a difference of 1 single bit would be largely inconsequential when considering numbers this big. In fact, he said, the difference between 263 and 264 is more than 9 quintillion.
Filed under: the off-by-one thread is
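The sign-bit problem in the article is easy to reproduce. The following is an added example, not code from the article, the thread, or EJBCA: it reconstructs the two strategies in plain Python (draw 64 random bits and clear the top bit so the value fits a signed 64-bit long, versus keep all 64 bits and let DER encoding handle positivity), counts how many random bits actually survive into the serial, and includes a minimal DER INTEGER encoder/decoder that rejects negative serials. Function names, the fake one-bit-at-a-time RNG used for counting, and the 20-octet cap are my own constructions.

```python
import secrets

SIGNED_64_MAX = (1 << 63) - 1  # largest positive value a signed 64-bit long can hold


def serial_signed_long(randbits=secrets.randbits):
    """Reconstruction of the behaviour the article describes (not EJBCA code):
    draw 64 random bits, then clear the most significant bit so the value is
    positive when stored in a signed 64-bit integer. Only 63 bits can vary."""
    return randbits(64) & SIGNED_64_MAX


def serial_unsigned(randbits=secrets.randbits):
    """Keep all 64 random bits as an unsigned value. Positivity is handled at
    DER encoding time instead of by sacrificing a bit of entropy."""
    return randbits(64)


def der_encode_integer(value):
    """Minimal DER encoding of a non-negative INTEGER (tag 0x02). When the top
    bit of the first content octet is set, a leading 0x00 octet is inserted, so
    the encoded value stays positive without discarding any random bits.
    The 20-octet cap mirrors the RFC 5280 limit on serial number length."""
    if value < 0:
        raise ValueError("X.509 serial numbers must be positive")
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    if len(body) > 20:
        raise ValueError("serial longer than the 20-octet limit")
    return bytes([0x02, len(body)]) + body


def der_decode_integer(data):
    """Decode a single short-form DER INTEGER. Rejects negative values (first
    content octet with the top bit set) and non-minimal encodings, which a
    conforming CA must never emit."""
    if len(data) < 3 or data[0] != 0x02 or data[1] != len(data) - 2:
        raise ValueError("malformed DER INTEGER")
    body = data[2:]
    if body[0] & 0x80:
        raise ValueError("negative serial number")
    if len(body) > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal encoding")
    return int.from_bytes(body, "big")


def random_bits_surviving(generator, width=64):
    """Feed the generator a fake 'RNG' that returns exactly one set bit at a
    time and count how many of those bits reach the output. That count is the
    number of random bits the produced serial can carry."""
    return sum(1 for i in range(width) if generator(lambda k, b=i: 1 << b) != 0)


def serial_space_lost():
    """Number of serial values thrown away by the sign-bit workaround:
    2**64 - 2**63, the 'more than 9 quintillion' figure from the article."""
    return (1 << 64) - (1 << 63)


if __name__ == "__main__":
    print("bits surviving, signed-long style:", random_bits_surviving(serial_signed_long))
    print("bits surviving, unsigned style:   ", random_bits_surviving(serial_unsigned))
    print("serial values lost:", serial_space_lost())
    s = serial_unsigned()
    print("DER:", der_encode_integer(s).hex(), "round-trips:", der_decode_integer(der_encode_integer(s)) == s)
```

The point the counter makes is the one Caudill makes in prose: the "fix" for positivity belongs in the encoding (a leading zero octet), not in the random value itself. A serial checker in an audit tool can apply the same logic to issued certificates: if a CA's serials never exceed 2^63 - 1 across a sample, the generator is almost certainly clearing the top bit.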
-
the difference between 263 and 264 is more than 9 quintillion
I know what's going on, of course, but it still looks nutty in isolation.
-
@dkf Oops, sorted. That's what I get for not proofreading.
-
@boomzilla Yes, but the problem (to me at least) is that if you have a collection of args already, you have to add them one by one instead of just setting the object's collection property to the collection you've already got, or initializing it with your collection.
Ah, so no addAll() method to go along with add()?
-
@boomzilla Yes, but usually you just pass your collection to the other guy. You don't borrow their collection and add stuff to it. At least in simple cases.
-
The 63 bits is far off the mark of the required 64 bits and, as such, poses a theoretically unacceptable risk to the entire ecosystem.
theoretically unacceptable
-
Upon further scrutiny, engineers discovered that one of the 64 bits must be a fixed value to ensure the serial number is a positive integer.
I mean, they could just treat the 64 bit value as an unsigned integer, but what do I know?
-
@anonymous234 said in WTF Bites:
@boomzilla Yes, but usually you just pass your collection to the other guy. You don't borrow their collection and add stuff to it. At least in simple cases.
Meh. I've done stuff like that. It avoids shenanigans like setting it to null.
-
Upon further scrutiny, engineers discovered that one of the 64 bits must be a fixed value to ensure the serial number is a positive integer.
I mean, they could just treat the 64 bit value as an unsigned integer, but what do I know?
It's not an option in e.g. Java.
-
@boomzilla said in WTF Bites:
Ah, so no addAll() method to go along with add()?
.Net uses the superior, super-intuitive naming .AddRange(IEnumerable<T>).
No, it does not take optional indices if you're wondering. It appends the whole collection. Wait, it's a Collection, not a List? Never mind then. There's no method. You'd have to use the constructor.
Disclaimer: I don't know .Net all that well.
-
No, it does not take optional indices if you're wondering. It appends the whole collection.
That's because you're supposed to call Skip() and Take() on your enumerable. Why make every container have six different overloads of every method when you have LINQ?
-
No, it does not take optional indices if you're wondering. It appends the whole collection.
That's because you're supposed to call Skip() and Take() on your enumerable. Why make every container have six different overloads of every method when you have LINQ?
But then why call it AddRange()?
-
@PleegWat naming is hard, okay? Add range. Range, as in a sequence of elements. To make it the most flexible and integrate well with the rest of the ecosystem, they made the argument IEnumerable, which itself is pretty bad name but it's too late to change now.
-
Upon further scrutiny, engineers discovered that one of the 64 bits must be a fixed value to ensure the serial number is a positive integer.
I mean, they could just treat the 64 bit value as an unsigned integer, but what do I know?
It's not an option in e.g. Java.
Sure it is. Use BigInteger.
-
@boomzilla goodbye performance.
-
No, it does not take optional indices if you're wondering. It appends the whole collection.
That's because you're supposed to call Skip() and Take() on your enumerable. Why make every container have six different overloads of every method when you have LINQ?
But then why call it AddRange()?
I suspect it's for cromulency with InsertRange(), GetRange(), RemoveRange(), ... but it does sound weird.
I also would have preferred if Select was named Map.
-
@boomzilla I also have no idea what System.Collections.ObjectModel is. The usual collections are in System.Collections.Generic. The description says
"The System.Collections.ObjectModel namespace contains classes that can be used as collections in the object model of a reusable library. Use these classes when properties or methods return collections"
Maybe I'm stupid, but I don't understand it at all.
Then again, the "Process" class is in "System.Diagnostics", and it has nothing to do with "diagnostics".
-
@boomzilla goodbye performance.
By using Java, you already said goodbye to that
-
@TimeBandit yeah, but going knee deep in shit is still preferable to submerging entirely.
-
@boomzilla goodbye performance.
Of what, though? Is there really a performance issue that any sane person would care about?
-
@Gąska I haven't looked into the algorithm, but if the goal is to just shove some sufficiently random 64 bits into an algorithm, byte[] initiated sufficiently randomly should be ok.
-
@boomzilla in cryptography? Absolutely.
And I'm not talking about minor differences of 300% or 800%. I'm talking about 3 orders of magnitude, at the very least - because that's the cost of moving from "fits in CPU register and can be easily inlined" to "it's at least 128 bits long and probably involves heap memory access".
-
@boomzilla in cryptography? Absolutely.
And I'm not talking about minor differences of 300% or 800%. I'm talking about 3 orders of magnitude, at the very least - because that's the cost of moving from "fits in CPU register and can be easily inlined" to "it's at least 128 bits long and probably involves heap memory access".
Well, whatever. There's java encryption stuff that seems to have figured it out, just maybe not by treating the problem as a 64bit unsigned integer.
-
in cryptography? Absolutely.
Not as much as you might think, as the big numbers are only really used during the calculation and validation of the session key, and not during the bulk of the encryption or decryption (which usually uses a fast symmetric cypher). Most of the subtle complexity of a crypto library comes from either the arbitrary precision math library it uses, or from the random number source. Or in the configuration code, or in the algorithm selection.
Fuck it. Crypto's complicated, but well-implemented basic bignum support helps a lot.
-
Fuck it. Crypto's complicated, but well-implemented basic bignum support helps a lot.
Yeah, I assumed (because we only got a vague assertion about "performance") we were talking about managing the certs or whatever. Or maybe generating them. Since those were the s from TFA as I understood it.
-
Fuck it. Crypto's complicated, but well-implemented basic bignum support helps a lot.
And from what I've managed to google up in 5 seconds, Java's bignum isn't well implemented. And anyway, this one missing bit of entropy is even more insignificant than all those performance gains/losses.
-
@dkf also. Is arbitrary precision really used that often in crypto? I thought all calculations are mod key size or something.
-
Is arbitrary precision really used that often in crypto? I thought all calculations are mod key size or something.
The key sizes are often much larger than 64 bits when dealing with public key crypto.
-
@dkf that still sounds more like "mod (much larger than 64 bits)" than "arbitrary precision".
-
@dkf that still sounds more like "mod (much larger than 64 bits)" than "arbitrary precision".
But "much larger than 64 bits" isn't something that will be handled natively by the chip, so either you have to use some arbitrary precision logic or you get rid of integers altogether and deal with the data at the byte level or something.
I would guess. I'm not a crypto guy.