|
Flobbster posted:the joke He just didn't reach the threshold.
|
#
?
Oct 25, 2014 15:17
|
|
|
|
| # ? Apr 26, 2024 12:16 |
|
|
Flobbster posted:the joke tbh I'd prefer not getting that joke actually.
|
|
#
?
Oct 25, 2014 15:35
|
|
|
Thermopyle posted:http://mobilesecurityares.blogspot.com/2014/10/why-samsung-knox-isnt-really-fort-knox.html?m=1 At the same time, this doesn't seem like a sound conclusion (even though it happened to be right): quote:If the PIN is correct the Knox app will show you a little password hint (the first and the last character of your password!! + the original length of your password!). So now it is pretty obvious that Samsung Knox is going to store your password somewhere on the device!
|
|
#
?
Oct 25, 2014 15:48
|
|
|
Bruegels Fuckbooks posted:Probably being a master of the obvious here, but if your java code cares about the version of windows that its running on, you've clearly chosen the wrong tool for the job. You're overthinking it. Java is always the wrong tool for the job. 
|
|
#
?
Oct 25, 2014 16:36
|
|
|
So my coworker found something special in our product today:code:
|
|
#
?
Oct 25, 2014 20:00
|
|
|
I wish more languages would consider unreachable code a compile-time error.
|
|
#
?
Oct 25, 2014 21:08
|
|
|
Bognar posted:I wish more languages would consider unreachable code a compile-time error. code:
|
|
#
?
Oct 25, 2014 23:21
|
|
|
Steve French posted:At the same time, this doesn't seem like a sound conclusion How else could they provide those password hints without keeping an un-hashed version of the password somewhere?
|
|
#
?
Oct 25, 2014 23:23
|
|
|
Wardende posted:How else could they provide those password hints without keeping an un-hashed version of the password somewhere? By storing.. the first and last character with the length..? I thought the same thing to be honest. I mean yeah they were right in this case, and security is known for being really lovely almost all of the time, but in any other scenario that would have been a pretty big leap. Edit: vvv I'unno! The majority of sites that store credit card info like paypal store the last 4 digits as a "make sure this is the right card you're using" measure. It's just that as I mentioned above, this field is a lot more hit than miss. Jewel fucked around with this message at 00:23 on Oct 26, 2014 |
|
#
?
Oct 25, 2014 23:40
|
|
|
Jewel posted:By storing.. the first and last character with the length..? I thought the same thing to be honest. I mean yeah they were right in this case, and security is known for being really lovely almost all of the time, but in any other scenario that would have been a pretty big leap. if youre dumb enough to provide that kind of information, youre probably dumb enough to do it in a wildly insecure way.
|
|
#
?
Oct 26, 2014 00:00
|
|
|
Jewel posted:By storing.. the first and last character with the length..? I thought the same thing to be honest. I mean yeah they were right in this case, and security is known for being really lovely almost all of the time, but in any other scenario that would have been a pretty big leap. Revealing two characters and the total length to an attacker seems like it would reduce the entropy of the hash by quite a bit, so while that's better than storing the full plaintext password, I think it would still qualify as a security horror.
|
|
#
?
Oct 26, 2014 00:49
|
|
|
Wardende posted:Revealing two characters and the total length to an attacker seems like it would reduce the entropy of the hash by quite a bit, so while that's better than storing the full plaintext password, I think it would still qualify as a security horror. Absolutely still a security horror, I just pointed that out as a lack of rigor in the analysis that caught my eye.
|
|
#
?
Oct 26, 2014 05:23
|
|
|
I was working on something in Android recently where I wanted to make sure that I only re-computed the layout or something if the matrix I was using changed. I wanted to make sure that android.graphics.Matrix had a sane implementation of equals(), so I checked the source, and it does. Great. Then my eyes panned down to their implementation of hashCode(): code:code:Flobbster fucked around with this message at 17:16 on Oct 26, 2014 |
|
#
?
Oct 26, 2014 17:12
|
|
|
Allocating in hashCode sounds like a horror to me.
|
|
#
?
Oct 26, 2014 18:27
|
|
|
Subjunctive posted:Allocating in hashCode sounds like a horror to me. Fair point. Keep a static thread-local array around for hashing then. Which is really just the long way around implementing the loop manually instead of using Arrays.hashCode
|
|
#
?
Oct 26, 2014 18:42
|
|
|
My friend was showing me her group's work for her software dev class. Let's play "spot what's wrong with this code"!C# code:C# code:C# code:C# code:
Pollyanna fucked around with this message at 16:35 on Oct 27, 2014 |
|
#
?
Oct 27, 2014 05:26
|
|
|
Well, that's why student code is kind of out of bounds for this thread. They have a valid excuse for not knowing better
|
|
#
?
Oct 27, 2014 06:01
|
|
|
Well I've got bad news. Like many of the coders discussed in this thread, many of the posters don't perform any bounds-checking as well.
|
|
#
?
Oct 27, 2014 06:16
|
|
|
I don't really know where else to post this but let's say you have a function f: Z x N -> Bool Taking a mask m in Z and checking if some property n in N is set. A simple implementation would be f(m,n) = m & (1<<n). Now think of a really inefficient but always halting implementation. I was thinking of doing something with a power tower or Ackerman's function. KaneTW fucked around with this message at 00:11 on Oct 28, 2014 |
|
#
?
Oct 27, 2014 09:31
|
|
|
KaneTW posted:I don't really know where else to post this but let's say you have a function I think you mean f(m,n) = m & (1<<n).
|
|
#
?
Oct 27, 2014 21:02
|
|
|
now flip the parameter order and curry it
|
|
#
?
Oct 27, 2014 23:08
|
|
|
sarehu posted:I think you mean f(m,n) = m & (1<<n). Yeah, been a while since I last used a bitfield.
|
|
#
?
Oct 28, 2014 00:11
|
|
|
KaneTW posted:I don't really know where else to post this but let's say you have a function Ackermann works I guess? Python code:
|
|
#
?
Oct 28, 2014 03:31
|
|
|
NtotheTC posted:I thought version tuples (or the bash equivilent) were a thing everywhere. Or is this just my spoiled python background? The problem is that version strings can also contain letters or other symbols where the meaning isn't obvious. Debian package versions are a good example of an utterly perverse, but at least generally consistent versioning scheme that has the ability to encode an upstream "decimal" version number internally while also providing for package versions and version epochs. I find most version strings conform to a subset of what Debian uses, and in the rare instances where I have to compare them in shell, "dpkg --compare-versions" is pretty nifty.
|
|
#
?
Oct 28, 2014 05:43
|
|
|
On the subject of versions, an in house app team has gone to the effort of updating their code to return a screenshot of how to enable compatibility mode on their lovely Adobe Flex application instead of barfing an "Oops!!! This app only works in IE7 or higher!!!" if anyone with IE10 accessed it, somehow managing to avoid actually fixing the compatibility issues or setting the X-UA-Compatible meta tag to force compatibility by default without user action. IE10 is the company standard (at last) and this application is used continuously, I am wasting literally minutes a week flipping between modes 
|
|
#
?
Oct 28, 2014 11:05
|
|
|
Found in code at work.code:
|
|
#
?
Oct 28, 2014 13:22
|
|
|
Powerful Two-Hander posted:On the subject of versions, an in house app team has gone to the effort of updating their code to return a screenshot of how to enable compatibility mode on their lovely Adobe Flex application instead of barfing an "Oops!!! This app only works in IE7 or higher!!!" if anyone with IE10 accessed it, somehow managing to avoid actually fixing the compatibility issues or setting the X-UA-Compatible meta tag to force compatibility by default without user action. I dunno if it applies to your situation, but if your Flash widget is in a page that's iframed into a page that sets an older UA version (or doesn't set one) then the iframe inherits the rendering mode no matter what it tries to set UA mode to, so it's possible that's the only solution sometimes.
|
|
#
?
Oct 28, 2014 16:17
|
|
|
NinjaDebugger posted:Found in code at work. The horror is that it isn't covered in the tests, right?
|
|
#
?
Oct 28, 2014 16:41
|
|
|
Munkeymon posted:I dunno if it applies to your situation, but if your Flash widget is in a page that's iframed into a page that sets an older UA version (or doesn't set one) then the iframe inherits the rendering mode no matter what it tries to set UA mode to, so it's possible that's the only solution sometimes. That is one possibility, though it's served through an internal portal that has the ability to inject any specified custom header into pages served through a given web root so even that can be overriden as well, in fact with less effort. Of course, the real horror is flex.
|
|
#
?
Oct 28, 2014 16:44
|
|
|
Newf posted:The horror is that it isn't covered in the tests, right? No, the horror is that it's a static function. Developer should have made an IDoulbeSquarer interface and injected the implementation. It's all about maintainability, people. 
|
|
#
?
Oct 28, 2014 19:12
|
|
|
MSDN: About Menusquote:If a menu is assigned to a window and that window is destroyed, the system automatically destroys the menu and its submenus, freeing the menu's handle and the memory occupied by the menu. The system does not automatically destroy a menu that is not assigned to a window. An application must destroy the unassigned menu by calling the DestroyMenu function. Otherwise, the menu continues to exist in memory even after the application closes. To end the calling thread's active menu, use EndMenu. If a platform does not support EndMenu, send the owner of the active menu a WM_CANCELMODE message. What? Is this true? Or is it some Windows 95 remnant?
|
|
#
?
Oct 28, 2014 19:20
|
|
|
NFX posted:MSDN: About Menus Pretty much all of the Windows GUI/GDI subsystem is a Windows 3.1/95 remnant.
|
|
#
?
Oct 28, 2014 19:46
|
|
|
I did two days of unit testing training with one of my clients last week. It was pretty great, they went from not understanding the difference between a unit test and an integration test to actively discussing the pros and cons of methods of IOC and how they're going to tackle isolating their dependencies going forward. However, they had a consultant go in and write them a shitload of "unit" tests 4 or 5 years ago. The consultant didn't understand unit testing, they didn't understand unit testing, and no one really cared about the results enough to run them, anyway. They have about 800 tests, 300 fail because of database dependencies. They do have some unit tests in there, though, and some of them are theoretically valuable. They asked me to take a look at their tests and ferret out the real unit tests and see if any of the integration tests are salvageable. It's a worthless task, but hey, it's billable work.  Not surprisingly, most are not. However, I came across one little corner of the application where someone chose to use Spring .NET for IOC. I was shocked! They wrapped Spring .NET up in a factory, so you can request an object, and Spring gives you back the appropriate implementation as defined in an XML file. I'm pretty much totally unfamiliar with Spring .NET, but the approach seemed solid. Their factory class is a singleton. In the constructor, they use the following logic to determine where to read the configuration XML from: code:So their IOC container is tightly coupled to a database and an installation of some software on the machine where the tests are going to run. Minimum.
|
|
#
?
Oct 28, 2014 21:39
|
|
|
NFX posted:MSDN: About Menus hackbunny in the yospos plang thread posted:I actually forgot the best, most insane part. a ton of UI syscalls can call back into user mode. oh yes virginia, you read that right. user -> kernel -> user calls
|
|
#
?
Oct 28, 2014 22:44
|
|
|
NFX posted:MSDN: About Menus Window menus are kernel objects and are rendered in kernel mode.
|
|
#
?
Oct 28, 2014 23:08
|
|
|
But surely I can't crash the kernel by just calling CreateMenu() a bazillion times and never cleaning up? That would as crazy as causing BSODs by closing a program at the wrong time. Those posts by hackbunny are cool, by the way.
|
|
#
?
Oct 28, 2014 23:45
|
|
|
i freakin hate my coworker's code because it's full of poo poo likeC code:
|
|
#
?
Oct 28, 2014 23:54
|
|
|
A long time ago (early XP times I think) I managed to find a BSOD (null ptr dereference) because of unvalidated parameters to one of the kernel-mode variants of StretchBlt. There is still a lot of bad poo poo there. Also I wish they rewrote win32k.sys so it didn't keep everything in a global state but... probably not going to happen anytime soon.
|
|
#
?
Oct 28, 2014 23:54
|
|
|
NFX posted:But surely I can't crash the kernel by just calling CreateMenu() a bazillion times and never cleaning up? Of course not
|
|
#
?
Oct 29, 2014 00:25
|
|
|
|
| # ? Apr 26, 2024 12:16 |
|
|
Illusive gently caress Man posted:i freakin hate my coworker's code because it's full of poo poo like That's some ugly-rear end workarounds for type punning, I think. I've played games like that when dealing with structured data on the wire, but I try to isolate it to a single function that's very clearly unpacking a char* buf into a C-struct. I think it's doing this: C code:C code:
|
|
#
?
Oct 29, 2014 00:40
|
|
