Oh, Muphry, do you know no bounds?



  • I was reading the list of the top 25 most dangerous software programming errors according to SANS when I linked off to the CWE website and read this article that contains the code shown below.
     
    int VerifyAdmin(String password) {
    if (passwd.Equals("68af404b513073584c4b6f22b6c63e6b")) {
    return(0);
    } //Diagnostic Mode
    return(1);
    }
     
    Software progamming error #26 (the syntax error).

     



  • @communist_goatboy said:

    I was reading the list of the top 25 most dangerous software programming errors according to SANS when I linked off to the CWE website and read this article that contains the code shown below.
     
    int VerifyAdmin(String password) {
    if (passwd.Equals("68af404b513073584c4b6f22b6c63e6b")) {
    return(0);
    } //Diagnostic Mode
    return(1);
    }
     
    Software progamming error #26 (the syntax error).

     

    Maybe it's just following the POSIX standard of returning zero for success and non-zero for error?  So if it returns zero, that means it successfully verified your admin status.  If it returns 1, that means it failed.
    </devil'sadvocate>


  • @DaveK said:

    Maybe it's just following the POSIX standard of returning zero for success and non-zero for error?  So if it returns zero, that means it successfully verified your admin status.  If it returns 1, that means it failed.
    </devil'sadvocate>

    Check the C++ example, I don't think that's their plan (Either that or the C++ example is the wtf instead).

     

    Maybe they just really don't want  anyone logging in with that specific password... a blacklist password system rather than whitelist, ingenious! =P

     



  • @DaveK said:

    @communist_goatboy said:

    I was reading the list of the top 25 most dangerous software programming errors according to SANS when I linked off to the CWE website and read this article that contains the code shown below.
     
    int VerifyAdmin(String password) {
    if (passwd.Equals("68af404b513073584c4b6f22b6c63e6b")) {
    return(0);
    } //Diagnostic Mode
    return(1);
    }
     
    Software progamming error #26 (the syntax error).

     

    Maybe it's just following the POSIX standard of returning zero for success and non-zero for error?  So if it returns zero, that means it successfully verified your admin status.  If it returns 1, that means it failed.
    </devil'sadvocate>

    I think, just maybe, he might be referring to the fact that the equals() method is called equals with a lower-case e, and not Equals(). Java is after all a case-sensitive language.

    Minor wtf though if that's it.



  • @MHolt said:

    @DaveK said:
    @communist_goatboy said:

    int VerifyAdmin(String password) {
    if (passwd.Equals("68af404b513073584c4b6f22b6c63e6b")) {
    return(0);
    }
    //Diagnostic Mode
    return(1);
    }
    Maybe it's just following the POSIX standard of returning zero for success and non-zero for error?  So if it returns zero, that means it successfully verified your admin status.  If it returns 1, that means it failed.
    </devil'sadvocate>
    I think, just maybe, he might be referring to the fact that the equals() method is called equals with a lower-case e, and not Equals(). Java is after all a case-sensitive language.
    Minor wtf though if that's it.
    Or perhaps to the fact that passwd isn't defined anywhere (and password isn't used)?

  • :belt_onion:

    @vyznev said:

    Or perhaps to the fact that passwd isn't defined anywhere (and password isn't used)?

    "passwd" is the global variable that you have to use. The "password" parameter only exists to confuse crackers. This is a well-known security pattern


  • @bjolling said:

    @vyznev said:

    Or perhaps to the fact that passwd isn't defined anywhere (and password isn't used)?

    "passwd" is the global variable that you have to use. The "password" parameter only exists to confuse crackers. This is a well-known security pattern
    Ahh yes, the anti-pattern pattern.  I try to live by it!


  • @bjolling said:

    @vyznev said:

    Or perhaps to the fact that passwd isn't defined anywhere (and password isn't used)?

    "passwd" is the global variable that you have to use. The "password" parameter only exists to confuse crackers. This is a well-known security pattern
    My mind is blown


  • @MHolt said:

    @DaveK said:

    @communist_goatboy said:

    I was reading the list of the top 25 most dangerous software programming errors according to SANS when I linked off to the CWE website and read this article that contains the code shown below.
     
    int VerifyAdmin(String password) {
    if (passwd.Equals("68af404b513073584c4b6f22b6c63e6b")) {
    return(0);
    } //Diagnostic Mode
    return(1);
    }
     
    Software progamming error #26 (the syntax error).

     

    Maybe it's just following the POSIX standard of returning zero for success and non-zero for error?  So if it returns zero, that means it successfully verified your admin status.  If it returns 1, that means it failed.
    </devil'sadvocate>
    I think, just maybe, he might be referring to the fact that the equals() method is called equals with a lower-case e, and not Equals(). Java is after all a case-sensitive language.
    Minor wtf though if that's it.
     

    Perhaps this is C# where it is "Equals".



  •  @tster said:

    Perhaps this is C# where it is "Equals".

    On the site it's listed as a Java example.

    Not quite sure about their use of brackets around the return value - it's unnecessary. Or is that just a C++ habit translated to Java?

     



  • @PhillS said:

     @tster said:

    Perhaps this is C# where it is "Equals".

    On the site it's listed as a Java example.

    Not quite sure about their use of brackets around the return value - it's unnecessary. Or is that just a C++ habit translated to Java?

     

    In Java, the parentheses around the return value are purely optional and serve no actual purpose (some folks just like em)

     


  • Discourse touched me in a no-no place

    @snoofle said:

    @PhillS said:

    On the site it's listed as a Java example.

    Not quite sure about their use of brackets around the return value - it's unnecessary. Or is that just a C++ habit translated to Java?

    In Java, the parentheses around the return value are purely optional and serve no actual purpose

    Not that different to C++ in that respect, then.


  • @snoofle said:

    In Java, the parentheses around the return value are purely optional and
    serve no actual purpose (some folks just like em)

    Same for C++; I don't really remember any language where they are mandatory.

    Let's start a holy war about whether parentheses are prettier than no parentheses.



  • @Spectre said:

    Let's start a holy war about whether parentheses are prettier than no parentheses.
    Don't bother.  The Ruby community have that war with themselves every few months. Or maybe it's just one long war with surges of activity and periods of relative peace, like the Israeli/Palestinian conflict.



  • @PhillS said:

     @tster said:

    Perhaps this is C# where it is "Equals".

    On the site it's listed as a Java example.

     

    Ah.  I tried to look at the site but it wasn't loading this morning when I tried.



  • @belgariontheking said:

    @bjolling said:

    @vyznev said:

    Or perhaps to the fact that passwd isn't defined anywhere (and password isn't used)?

    "passwd" is the global variable that you have to use. The "password" parameter only exists to confuse crackers. This is a well-known security pattern
    My mind is blown
    That means the pattern worked.


  • Re: Oh, Murphy, do you know no bounds?

    Of course Murphy's law is infinitely recursive.  It acts upon itself until entropy has reached a maximum.

    Witness the title of the original post.  (It took me a while to notice it.)



  • Muphry's Law is not Murphy's Law.


  • :belt_onion:

    @alegr said:

    @belgariontheking said:

    @bjolling said:

    @vyznev said:

    Or perhaps to the fact that passwd isn't defined anywhere (and password isn't used)?

    "passwd" is the global variable that you have to use. The "password" parameter only exists to confuse crackers. This is a well-known security pattern
    My mind is blown
    That means the pattern worked.
    Indeed, after such a statement I could have posted my credit card number + expiry date and BTK still wouldn't have been able to use it. I call it "secure commenting on a public entity" or "SCOPE". It'll be big once I get this approved as an ISO standard


  • @communist_goatboy said:

    Oh, Muphry, do you know no bounds?

    @communist_goatboy said:

    Software [b]progamming[/b] error #26 (the syntax error).
     

    Apparently not...



  • @lolwtf said:

     @Qwerty said:

    Of course Murphy's law is infinitely recursive.  It acts upon itself until entropy has reached a maximum.

    Witness the title of the original post.  (It took me a while to notice it.)

    Muphry's Law is not Murphy's Law.

    And besides that, Murphy's law isn't recursive.  To wit:

    @Murphy's law said:

    Anything that can go wrong, will go wrong

    @DaveK's Oh-no-you-don't-get-away-that-easily corollary to Murphy's law said:

    Except Murphy's law.



  • @DaveK said:

    @Murphy's law said:

    Anything that can go wrong, will go wrong

    @DaveK's Oh-no-you-don't-get-away-that-easily corollary to Murphy's law said:

    Except Murphy's law.

     

    How the heck can Murphy's law go wrong?



  • @dtech said:

    @DaveK said:

    @Murphy's law said:

    Anything that can go wrong, will go wrong

    @DaveK's Oh-no-you-don't-get-away-that-easily corollary to Murphy's law said:

    Except Murphy's law.

     

    How the heck can Murphy's law go wrong?

    Exactly. Therefore Murphy's Law doesn't apply to itself: it isn't recursive, like DaveK said.


  • @Zecc said:

    Exactly. Therefore Murphy's Law doesn't apply to itself: it isn't recursive, like DaveK said.
     

    Murphy's law is recursive. Logic:

    Mx = Murphy's Law for some object x
    cx = x can go wrong
    wx = x will go wrong

    We have property Mx that states:  cx → wx        (or
    if property cx then property wx       or
    if something can go wrong it will go wrong)

    So:
    (cx ∧ Mx) → wx   (if something can go wrong and Murphy's law is correct for that something that something will go wrong)

    Note that Mx doesn't say anything about the case ¬cx

    If we replace the x with Murphy's law (or anything else that can't go wrong) Murphy's law is still valid for that thing, since Murphy's law doesn't say anything about that thing.



  • @dtech said:

    If we replace the x with Murphy's law (or anything else that can't go wrong)
    Murphy's law is still valid for that thing, since Murphy's law doesn't say
    anything about that thing.

    But Murphy's law can go wrong, can't it?



  • Now that I think of it, if it can go wrong, it most certainly does not apply to itself. If it can go wrong [b]and[/b] applies to itself, then it will go wrong, which means it doesn't apply to anything, hence a contradiction.

