WTF Bites



  • @ben_lubar said in WTF Bites:

    @ben_lubar Apparently nobody's ever reported any problem with vctip to Microsoft before?

    They did, but then MS reorganized the site and they were lost forever.


  • Winner of the 2016 Presidential Election

    @Bulb said in WTF Bites:

    @Dreikin said in WTF Bites:

    Eh? Commutation and reversibility aren't needed as both sides can follow the same pattern: hash(hash(password+salt)+nonce)*. The server should have hash(password+salt) stored instead of the password itself, of course, and the client should know, be able to figure out, or be told the salt.

    That is how the HTTP digest authentication scheme works, but it means that hash(password + salt) is sufficient to log in (if you appropriately tweak the client). With commutation, the client actually needs the original password.

    I might have lost the thread here. I thought we were talking about protecting against mitm replay attacks?

    @Dreikin said in WTF Bites:

    I doubt this will happen intentionally since what you want is basically a cryptographic hash algorithm with predictable collisions.

    Is it? How does it allow one to find x and y such that x != y, but h(g(x)) == h(g(y))?

    Depends on the exact algorithm. But the ability to find identical hashes with different inputs, as your abstract algorithm requires, is the definition of a collision. And to be useful there it has to be predictable.



  • @Bulb said in WTF Bites:

    @Dreikin said in WTF Bites:

    I doubt this will happen intentionally since what you want is basically a cryptographic hash algorithm with predictable collisions.

    Is it? How does it allow one to find x and y such that x != y, but h(g(x)) == h(g(y))?

    RSA has that property, but that is reversible and for passwords that's a downside.



  • I launched an MS-DOS game at its native resolution and noticed that part of the top was getting cropped out.

    So I thought, maybe I can fix it in the monitor settings!

    0_1494942530202_IMG_20170516_153754.jpg

    Whoops! That's not supposed to look like that!

    Lowering the value (usually between 0 and 100) makes it wrap back to 999, and then again, and then again... It's at least 5035. I assume 65535?



  • @Dreikin said in WTF Bites:

    But the ability to find identical hashes with different inputs, as your abstract algorithm requires

    I don't see where it requires identical hashes with different inputs. It requires two different functions (most likely the same algorithm with different parameters, but not necessarily) applied to the same input in different order to yield the same result. But it is the same input. It does not require anything for different inputs.

    Note: I am treating the salt/nonce as parameter, not input. Any hash for this algorithm must treat the input (x) and salt/nonce as separate parameters. If it was to treat them as concatenation as most of the key derivation functions do, it would probably indeed mean ability to generate collisions. But with separate parameter I don't think it does.



  • @PleegWat said in WTF Bites:

    RSA has that property, but that is reversible and for passwords that's a downside.

    But we don't have to go full RSA. It is the exponentiation that has the property of being difficult to reverse, so just using the salt and nonce as the two exponents might do the trick.



  • @Bulb I think that has a significant risk of collisions if the exponent has a small prime factor?


  • Discourse touched me in a no-no place

    @PleegWat So you need to be careful in the selection of the nonce. There are some pretty good is-probable-prime functions out there that make this stuff easy once you go to numbers with a few thousand bits.



    @PleegWat The server chooses the salts and nonces, so it can choose them as primes (or probable primes) with enough bits.

    Anyway; it is nice, but the digest authentication does not actually use it and when a firewall is doing a MITM against the connection, it can easily inject a keyboard-sniffing script, so this is of limited use.

    A well obfuscated script that does its own public key verification and key exchange is probably better—though still not fool-proof. Admin can hack everything.
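The two schemes traded back and forth above, as an added Python example (this is not code from the thread; the toy modulus P, the password-to-element mapping and every function name are assumptions made for the demo). Scheme 1 is @Dreikin's hash(hash(password+salt)+nonce): the client-side computation takes only the stored verifier, so whoever steals hash(password+salt) can answer the challenge without the password, which is exactly @Bulb's objection. Scheme 2 is @Bulb's commutative variant with salt and nonce as exponents modulo a prime: the server checks (x^nonce)^salt == (x^salt)^nonce, a thief holding only x^salt cannot answer by the obvious move, and an exponent sharing a factor with P-1 (here, any even one) produces the collisions @PleegWat raised.

```python
"""Two challenge-response password schemes, side by side (added demo)."""
import hashlib
import os
import secrets
from math import gcd

# ---------- Scheme 1: hash(hash(password + salt) + nonce) ----------

def sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()

def digest_verifier(password: str, salt: bytes) -> bytes:
    """What the server stores: hash(password + salt)."""
    return sha256(password.encode(), salt)

def digest_response(verifier: bytes, nonce: bytes) -> bytes:
    """What the client sends. It needs only the verifier, never the password."""
    return sha256(verifier, nonce)

def digest_check(verifier: bytes, nonce: bytes, response: bytes) -> bool:
    return secrets.compare_digest(digest_response(verifier, nonce), response)

# ---------- Scheme 2: salt and nonce as exponents modulo a prime ----------

P = 2**127 - 1  # Mersenne prime M127: a toy modulus (assumption), far too small for real use

def to_element(password: str) -> int:
    """Hash the password into a group element x in [2, P-2] (assumed mapping)."""
    return 2 + int.from_bytes(sha256(password.encode()), "big") % (P - 3)

def random_exponent() -> int:
    """Exponent e with gcd(e, P-1) == 1, so x -> x^e mod P is a bijection.

    This, not primality, is the property behind "choose primes": a prime e
    only guarantees it when e does not divide P-1.
    """
    while True:
        e = secrets.randbelow(P - 1)
        if e > 1 and gcd(e, P - 1) == 1:
            return e

def exp_verifier(password: str, salt: int) -> int:
    """Stored on the server: x^salt mod P."""
    return pow(to_element(password), salt, P)

def exp_response(password: str, nonce: int) -> int:
    """Sent by the client: x^nonce mod P. Requires the actual password."""
    return pow(to_element(password), nonce, P)

def exp_check(verifier: int, salt: int, nonce: int, response: int) -> bool:
    """Server side: (x^nonce)^salt == (x^salt)^nonce, by commutativity."""
    return pow(response, salt, P) == pow(verifier, nonce, P)

def stolen_verifier_is_enough(verifier: int, salt: int, nonce: int) -> bool:
    """A thief holding only x^salt tries the obvious move: send verifier^nonce.

    The server then compares x^(salt*salt*nonce) with x^(salt*nonce); these
    differ unless salt == 1 modulo the order of x, so the attempt is rejected.
    """
    return exp_check(verifier, salt, nonce, pow(verifier, nonce, P))

def collides(x: int, e: int) -> bool:
    """True when x and P-x map to the same value under x -> x^e mod P.

    P-1 is even for every odd prime P, so an even e shares the factor 2 with
    P-1 and (P-x)^e == (-x)^e == x^e: the collision an exponent with a small
    shared factor produces.
    """
    return pow(x, e, P) == pow(P - x, e, P)

if __name__ == "__main__":
    pw, salt1, nonce1 = "hunter2", os.urandom(16), os.urandom(16)
    v1 = digest_verifier(pw, salt1)
    # The "thief" below has v1 and the nonce, not the password, and still passes.
    print("digest: verifier thief accepted:", digest_check(v1, nonce1, digest_response(v1, nonce1)))

    s, n = random_exponent(), random_exponent()
    v2 = exp_verifier(pw, s)
    print("exp: real client accepted:      ", exp_check(v2, s, n, exp_response(pw, n)))
    print("exp: wrong password accepted:   ", exp_check(v2, s, n, exp_response("hunter3", n)))
    print("exp: verifier thief accepted:   ", stolen_verifier_is_enough(v2, s, n))
    print("exp: even exponent collides:", collides(12345, 6), " odd exponent collides:", collides(12345, n))
```

Two caveats a practitioner would add: the requirement on the exponents is gcd(e, P-1) == 1 rather than primality, and neither scheme protects a guessable password, since an eavesdropper who sees x^nonce (or hash(verifier+nonce)) and the nonce can test candidate passwords offline against the transcript. The 127-bit modulus here is only for illustration.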


  • Winner of the 2016 Presidential Election

    @Bulb said in WTF Bites:

    Note: I am treating the salt/nonce as parameter, not input. Any hash for this algorithm must treat the input (x) and salt/nonce as separate parameters. If it was to treat them as concatenation as most of the key derivation functions do, it would probably indeed mean ability to generate collisions. But with separate parameter I don't think it does.

    Ah, okay. I didn't catch that.



  • @boomzilla said in WTF Bites:

    @ben_lubar said in WTF Bites:

    @ben_lubar Apparently nobody's ever reported any problem with vctip to Microsoft before?

    They did, but then MS reorganized the site and they were lost forever.

    I got an email overnight that my ticket was triaged and another saying it was edited, but I'm not sure if anything was changed during the edit other than the status.



  • @Bulb said in WTF Bites:

    @PleegWat The server chooses the salts and nonces, so it can choose them as primes (or probable primes) with enough bits.

    True. And the nonce is short-lived so there's not much attack time, while the salt remains secret when there's no attack so there's reduced attack surface.

    Anyway; it is nice, but the digest authentication does not actually use it and when a firewall is doing a MITM against the connection, it can easily inject a keyboard-sniffing script, so this is of limited use.

    There's actually some experimental RFCs published in the last month or two for optional HTTP authentication, and I think they're looking for additional authentication mechanisms to go along with it. I'd have to look up the numbers.

    EDIT: The RFC I was thinking about is https://tools.ietf.org/html/rfc8053



  • @dkf said in WTF Bites:

    So you need to be careful in the selection of the nonce.

    It's a toss-up between Gary Glitter and Rolf Harris.


  • Discourse touched me in a no-no place

    @coldandtired said in WTF Bites:

    It's a toss-up between Gary Glitter and Rolf Harris.

    This is making me laugh far harder than it should… :laughing:



  • @anonymous234 said in WTF Bites:

    I launched an MS-DOS game

    0_1494942530202_IMG_20170516_153754.jpg

    Ever considered switching to OpenXCom?


  • Winner of the 2016 Presidential Election

    Every time I order from Domino's (which is once a month), I instantly regret it. Not only because of the very mediocre pizza, but mostly because of their incredibly shitty website. Here's a quick walkthrough:

    Step 1: Type dominos.de into your browser's address bar.

    0_1495025050033_dominos1.png

    :headdesk:

    Step 2: Well, okay, I'll prepend "www." for you and close the damn full-screen pop-up that tries to tell me about some useless coupon.

    Step 3: Now where do I log in again? Ah, there's a huge button saying "Anmelden" (= Log In). That's the correct one, right?

    0_1495025277490_dominos2.png

    If you study the page carefully, you'll notice that clicking that huge button (which I instinctively want to every single goddamn time) would subscribe me to their newsletter instead. Great UI there!

    Step 4: Admit defeat after looking for an actual "Log In" link for 20 seconds and just click the big red button that says "Order Now".

    Step 5: Now, on the next page, be extra-careful to make sure you don't miss the extra tiny "Log In" link in the upper right corner:

    0_1495025648631_dominos3.png

    Great job at directing my eyes everywhere except to the one link I actually need.

    Bonus :wtf:: The text in the upper left corner ("Online Bestellung") is grammatically incorrect; "Onlinebestellung" or "Online-Bestellung" would be correct. This is a great example of what is colloquially called an "idiot space" ("Deppenleerzeichen"); spaces in composite words are always wrong in German.

    Step 6: WHY THE FUCK DIDN'T YOU ALLOW ME TO USE A PASSWORD WITH MORE THAN 8 CHARACTERS, YOU DIPSHITS?

    Step 7: ???
    At this point, I'm too exhausted to continue. There are a lot more examples of extremely shitty UI/UX on that page, but the sheer amount of :wtf:ery you see before you're able to even log in has already made me close my browser, open a beer and weep profusely.


  • I survived the hour long Uno hand

    @asdf By contrast, here's their US site:

    Step 1: Type dominos.com into your browser's address bar. Get redirected to www.dominos.com
    Step 2: Nice straightforward header:

    0_1495026640512_d07cd6b4-397e-48c8-b835-e61059ea2ebb-image.png

    Step 3: Clicking "sign in" gets me:

    0_1495026692039_13692290-5cd0-4445-b622-8df032fc61a3-image.png


  • Winner of the 2016 Presidential Election

    @Yamikuronue That looks a lot more sensible.

    The really infuriating part is that their old website was fine. (Quick history lesson: Domino's bought a German pizza chain called "Joey's" last year, which is now the German "Domino's".) Their old, pre-rebranding website had none of the issues I outlined above.


  • Winner of the 2016 Presidential Election

    Addendum: Actually, the really infuriating part is probably that their management attributes their (likely) drop in sales to the re-branding itself instead of the user-hostile website. I'd love to see the conversion rate; I'm pretty sure it's abysmal.


  • SockDev

    @Yamikuronue The UK site is almost identical



  • @asdf said in WTF Bites:

    If you study the page carefully, you'll notice that clicking that huge button (which I instinctively want to every single goddamn time) would subscribe me to their newsletter instead. Great UI there!

    Reminds me of Gmail.

    0_1495030191799_Capture.PNG

    "Three pixels smaller" version.

    0_1495030198209_Capture2-electricboogaloo.PNG

    I suspect this is because Google doesn't want you to log out. EVER . . .


  • SockDev

    @Zecc

    :notes:
    'Relax' said the Google,
    'We are programmed to receive.
    You can log out any time you like,
    But you can-

    Um... That doesn't work :sadface:


  • I survived the hour long Uno hand

    @RaceProUK Actually, it does insomuch as the song did. I mean, can you close a Google account?


  • SockDev

    @Yamikuronue Honestly, I've never tried



  • Hmmm... Trying in Incognito mode, I get a different version:

    0_1495031131866_Capture3.PNG


  • Impossible Mission Players - A

    @Zecc said in WTF Bites:

    Hmmm... Trying in Incognito mode, I get a different version:

    0_1495031131866_Capture3.PNG

    A/B testing ftw!



  • @Yamikuronue said in WTF Bites:

    @asdf By contrast, here's their US site:

    Step 1: Type dominos.com into your browser's address bar. Get redirected to www.dominos.com
    Step 2: Nice straightforward header:

    0_1495026640512_d07cd6b4-397e-48c8-b835-e61059ea2ebb-image.png

    Step 3: Clicking "sign in" gets me:

    0_1495026692039_13692290-5cd0-4445-b622-8df032fc61a3-image.png

    The only thing I ever get from Dominos is their pasta bread bowl. The pizza is crap; I could get equally good frozen pizza from the grocery store for cheaper (granted, I'd need to cook it myself then, but sticking a frozen pizza in the oven is not the pinnacle of cooking effort).


  • Impossible Mission Players - A

    @anotherusername said in WTF Bites:

    @Yamikuronue said in WTF Bites:

    @asdf By contrast, here's their US site:

    Step 1: Type dominos.com into your browser's address bar. Get redirected to www.dominos.com
    Step 2: Nice straightforward header:

    0_1495026640512_d07cd6b4-397e-48c8-b835-e61059ea2ebb-image.png

    Step 3: Clicking "sign in" gets me:

    0_1495026692039_13692290-5cd0-4445-b622-8df032fc61a3-image.png

    The only thing I ever get from Dominos is their pasta bread bowl. The pizza is crap; I could get equally good frozen pizza from the grocery store for cheaper (granted, I'd need to cook it myself then, but sticking a frozen pizza in the oven is not the pinnacle of cooking effort).

    From how my step-siblings react, it might be.... Making macaroni and cheese (from the box) was a near monumental effort!



  • @Tsaukpaetra said in WTF Bites:

    @anotherusername said in WTF Bites:

    @Yamikuronue said in WTF Bites:

    @asdf By contrast, here's their US site:

    Step 1: Type dominos.com into your browser's address bar. Get redirected to www.dominos.com
    Step 2: Nice straightforward header:

    0_1495026640512_d07cd6b4-397e-48c8-b835-e61059ea2ebb-image.png

    Step 3: Clicking "sign in" gets me:

    0_1495026692039_13692290-5cd0-4445-b622-8df032fc61a3-image.png

    The only thing I ever get from Dominos is their pasta bread bowl. The pizza is crap; I could get equally good frozen pizza from the grocery store for cheaper (granted, I'd need to cook it myself then, but sticking a frozen pizza in the oven is not the pinnacle of cooking effort).

    From how my step-siblings react, it might be.... Making macaroni and cheese (from the box) was a near monumental effort!

    Making macaroni and cheese from a box is like an order of magnitude more difficult than baking a frozen pizza.


  • Impossible Mission Players - A

    @anotherusername said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    @anotherusername said in WTF Bites:

    @Yamikuronue said in WTF Bites:

    @asdf By contrast, here's their US site:

    Step 1: Type dominos.com into your browser's address bar. Get redirected to www.dominos.com
    Step 2: Nice straightforward header:

    0_1495026640512_d07cd6b4-397e-48c8-b835-e61059ea2ebb-image.png

    Step 3: Clicking "sign in" gets me:

    0_1495026692039_13692290-5cd0-4445-b622-8df032fc61a3-image.png

    The only thing I ever get from Dominos is their pasta bread bowl. The pizza is crap; I could get equally good frozen pizza from the grocery store for cheaper (granted, I'd need to cook it myself then, but sticking a frozen pizza in the oven is not the pinnacle of cooking effort).

    From how my step-siblings react, it might be.... Making macaroni and cheese (from the box) was a near monumental effort!

    Making macaroni and cheese from a box is like an order of magnitude more difficult than baking a frozen pizza.

    Ok, you got me there, it's three steps more. Could have said ramen noodles, but they're somewhat ok with nuking a bowl in the microwave.



  • @Tsaukpaetra said in WTF Bites:

    Could have said ramen noodles, but they're somewhat ok with nuking a bowl in the microwave.

    That's actually a pretty close comparison.



  • @Tsaukpaetra Best not tell them about the kind of ramen that involves boiling water on the stove (the only kind I've ever had actually).



  • @coderpatsy said in WTF Bites:

    @Tsaukpaetra Best not tell them about the kind of ramen that involves boiling water on the stove (the only kind I've ever had actually).

    They might not have microwave directions on the package, but you can still cook them in a microwave. All it really takes is dumping the water, flavor, and noodles into a microwave-proof container, so that the noodles are mostly submerged, and then nuking it until the water is hot and the noodles are soft, taking it out once or twice to give it a stir.



  • @asdf said in WTF Bites:

    If you study the page carefully, you'll notice that clicking that huge button (which I instinctively want to every single goddamn time)

    Why would you want to click a big RED button ??? You know what those do...



  • @dcon said in WTF Bites:

    @asdf said in WTF Bites:

    If you study the page carefully, you'll notice that clicking that huge button (which I instinctively want to every single goddamn time)

    Why would you want to click a big RED button ??? You know what those do...

    Take a second look at his screenshot... the

    @asdf said in WTF Bites:

    huge button saying "Anmelden"

    is neither "big" nor "red"... nor, in fact, is it what I'd consider "huge".

    In fact, the big red button says "JETYT BESTELLEN".



  • @anotherusername said in WTF Bites:

    Take a second look at his screenshot...

    :barrier: :post_office: etc. (actually I didn't look at the words since they're just a collection of random letters to me - requires far too much processing power at this point in my day)



    Compare that to Sweden, where 99% of pizza places are local and only larger cities have any of the American chains. Last month we had a Pizza Hut open in the town where I work, but the norm is that every town/village has about 1 local pizza place per 1000 people or something like that, often owned by immigrants. So that means that in my hometown of ~17000 I have (at least) 17 different places to get a pizza of varying styles and quality. And ofc 17 different websites and order forms (if available). There are a couple of big national online services you can order through, but those only list the places actually connected to them.


  • BINNED

    @anotherusername said in WTF Bites:

    In fact, the big red button says "JETYT BESTELLEN".

    Switched to QWERTZ by accident there?



  • WTF: So, I updated to Android O to see if it solved a Bluetooth issue I was having. It does. So, yay! on that part.

    Then I thought: "Let's see if the Assistant has become better at parsing sentences." It does not. In fact, it has become worse because if I tell it to "Create an appointment at the barber's on Friday at 01:30am" it plonks "at the barber's on Friday at 01:30am" into the title, leaving date and time blank.

    And, oh yes, doing "Create an appointment at 12 o'clock" does get the time right but then plonks "o'clock" into the title (to make this more understandable for non-Germans).

    I then thought to report this issue. And I noticed that there's a "Help and Chatsupport" button in the settings for my Pixel. So I selected that, described the issue and...

    ... promptly got told that this was a support line for Google Play. Okay. Makes no sense at all (there's no mention of that anywhere in the settings menu). Alright. Off to the support forums I guess.

    And then I get an email from Google about my chat support request. The pertinent part:

    If problems occur when using 'Ok Google' when using Google Assistant, please try the following steps:

    Jesus Christ. By the way, Cortana still does this flawlessly.



  • @Onyx said in WTF Bites:

    @anotherusername said in WTF Bites:

    In fact, the big red button says "JETYT BESTELLEN".

    Switched to QWERTZ by accident there?

    No, but I wanted someone to respond who knew that's a thing. :cookie:


  • Winner of the 2016 Presidential Election

    @Rhywden
    Has any of those assistants ever worked well with languages other than English?



  • @asdf said in WTF Bites:

    @Rhywden
    Has any of those assistants ever worked well with languages other than English?

    Have to ask a Korean that has a Samsung S8...



  • @asdf said in WTF Bites:

    @Rhywden
    Has any of those assistants ever worked well with languages other than English?

    As I said, Cortana does the same task flawlessly (and even manages to make the title make sense).

    Here's what I get when I'm telling her "Erstelle einen Termin für morgen um 13:00 Uhr beim Friseur" ("Create an appointment for tomorrow at 13:00 at the barber's"):

    0_1495135993182_e10d0220-e99e-4453-b2e6-68a7d6ef544e-image.png

    If I leave some detail out she'll ask me for it and I can answer via voice if I want to. You'll note that the title isn't "beim Frisör" (the variant spelling of "Friseur") :)



  • @Rhywden

    You're going to terminate Estelle and Morgan at 1:00 and keep the bodies in the freezer?


  • Winner of the 2016 Presidential Election

    @RaceProUK said in WTF Bites:

    @Zecc

    :notes:
    'Relax' said the Google,
    'We are programmed to receive.
    You can log out any time you like,
    But you can-

    Um... That doesn't work :sadface:

    "never be free"?


  • Winner of the 2016 Presidential Election

    @Rhywden said in WTF Bites:

    Erstelle einen Termin für morgen um 13:00 Uhr beim Friseur ("Create an appointment for tomorrow at 13:00 at the barber's")

    Google's own translator gets it right:

    0_1495147327889_75bd3879-0294-427e-8f1a-026c110a36a4-image.png

    And the English Assistant does the right thing with that exact phrase:

    0_1495148135397_Screenshot_20170518-185029[2].png


  • Winner of the 2016 Presidential Election

    @hungrier said in WTF Bites:

    @Rhywden

    You're going to terminate Estelle and Morgan at 1:00 and keep the bodies in the freezer?

    No, he's doing it for ("für") Morgan. Can't you read:interrobang:



  • A colleague works on a project that has a 4500-line SQL query
    inside a perl script
    which calls several stored procedures
    which are all around 500 lines


  • Discourse touched me in a no-no place

    @homoBalkanus Is it possible to convince everyone that you know neither SQL nor Perl just so there's no chance of being asked to maintain that monstrosity?

