|
code:
|
#
?
Aug 22, 2022 16:11
|
|
|
|
| # ? Apr 28, 2024 04:52 |
|
|
green?
|
|
#
?
Aug 23, 2022 06:01
|
|
|
you got a problem put in a pull request
|
|
#
?
Aug 23, 2022 21:14
|
|
|
nvrgrls posted:you got a problem put in a pull request reminds me of something i came across today quote:"I have tested this a fair amount but clearly more tests are needed," Kernighan wrote in the email, posted in late May as a kind of pseudo-commit on the onetrueawk repo by longtime maintainer Arnold Robbins. "Once I figure out how ... I will try to submit a pull request. I wish I understood git better, but in spite of your help, I still don't have a proper understanding, so this may take a while."
|
|
#
?
Aug 23, 2022 21:33
|
|
|
leadership and power lead directly to the inability to learn anything, volume MCCXI
|
|
#
?
Aug 24, 2022 05:10
|
|
|
hell project status update: we are using one of our company's proprietary engine which is perfectly serviceable and does a bunch of things well, but the project suffers from massive NIH and is slowly using "our architecture ~vision~" as a pretext to needlessly replace mature systems from that engine that solves many problems pretty well with half-assed reimplementations and a couple months into the project it's already driving me crazy
|
|
#
?
Aug 24, 2022 11:23
|
|
|
the last developer on the team responsible for our key strategic product just announced they are quitting, going to have to get my job search into full gear I think.
|
|
#
?
Aug 24, 2022 15:00
|
|
|
distortion park posted:the last developer on the team responsible for our key strategic product just announced they are quitting, going to have to get my job search into full gear I think. good for them !
|
|
#
?
Aug 24, 2022 15:12
|
|
|
distortion park posted:the last developer on the team responsible for our key strategic product just announced they are quitting, going to have to get my job search into full gear I think. congrats on your promotion to lead strategic product dev
|
|
#
?
Aug 24, 2022 16:07
|
|
|
Powerful Two-Hander posted:also I pulled the latest logs to send to everyone involved in this stupid issue and noticed that in one batch we sent 3 files then got "token expired" for the rest within a timespan of like a few seconds, but the expiry date given was an hour in the past 5 days later I got them to actually look at the code and after admitting that they "don't know where the library we're using came from" they decompiled it and it's an idiot caching mechanism that checks for the age of the provided token if the token exists in cache, but it's not clear what that expiry actually is. Even better though, if the token in the cache has "expired" it just throws an exception it doesn't actually validate and cache the new token , so basically if you ever supply the same token twice (like if you just supply the account name and password) you're in a crapshoot as to whether the seemingly random expiry has been hit and whether your call works or not but what this does mean is that spamming retries might actually work.
|
|
#
?
Aug 24, 2022 16:11
|
|
|
Powerful Two-Hander posted:5 days later I got them to actually look at the code and after admitting that they "don't know where the library we're using came from" they decompiled it and it's an idiot caching mechanism that checks for the age of the provided token if the token exists in cache, but it's not clear what that expiry actually is. 
|
|
#
?
Aug 24, 2022 16:33
|
|
|
Powerful Two-Hander posted:after admitting that they "don't know where the library we're using came from" they decompiled it
|
|
#
?
Aug 24, 2022 17:14
|
|
|
lmao at admitting that
|
|
#
?
Aug 24, 2022 17:31
|
|
|
Carthag Tuek posted:lmao at admitting that people admit to and are even proud of the dumbest poo poo. colleague at a past gig had been responsible for their iam infrastructure for years doing everything by hand, from building to deploying to operating services. acted like it was unreasonable to config manage an environment that was only a half dozen servers and a dozen services and was proud of constantly having to hero the shitshow he made dude would also proudly talk about how the shibboleth deployment was stuck on a hella old version because he wrote a plugin that the deployment depended on, then lost the source. he of course blamed everything on not having enough time to do everything that needed to be done.
|
|
#
?
Aug 24, 2022 17:38
|
|
|
ah and I bet they are using a load balancer as well which is why the "expiry time" is anything from 30 minutes to 23 hours - must be hitting different server so even sequential retries are no guarantee that you'll get a success (if the cache has "expired" the key is removed so if you try and fail a retry to the same cache should succeed because if there's no cache hit the token gets validated and added to it) I think other service users are getting round this because they're using our hosed up LDAP token generation tool that (I was told) only exists because we won't pay for a proper directory system that lets windows and Unix hosts negotiate or something, and that generates a new token every time. Powerful Two-Hander fucked around with this message at 17:41 on Aug 24, 2022 |
|
#
?
Aug 24, 2022 17:39
|
|
|
mystes posted:the actual brokenness is good too but this is my favorite part yeah I gave them a bit of a bollocking for that. The team that are supposed to be the ones that manage the authentication environment contributed by pulling up an implementation guide that was so old that it targeted dotnet 2.0, and then admitted that they didn't know what that did either
|
|
#
?
Aug 24, 2022 17:40
|
|
|
i gotta say, that's a pretty impressive shitshow you've got there
|
|
#
?
Aug 24, 2022 18:47
|
|
|
can you just add some poo poo to the token so that it busts the cachebut doesn't break auth? whats the cache key? they're probably just using some dumb poo poo like code:
|
|
#
?
Aug 24, 2022 19:37
|
|
|
invalid authentication attempts might cause spurious warnings on IDS detection systems so it might give the security people headaches then again, that could be a plus if you dislike security people also, this assumes that someone or something is actually reviewing logs
|
|
#
?
Aug 24, 2022 21:27
|
|
|
Corla Plankun posted:can you just add some poo poo to the token so that it busts the cachebut doesn't break auth? whats the cache key? no because get this, they check if the item is in cache by comparing both parts post decode. There's no source validation, it's just "does username and pass match any other cache item", and if it does they just assume valid. I can't be bothered to check right now but idk if it is actually failing if any token is sent twice or the expiry amount is somehow linked to it honestly how this ended up being used is a mystery to me, it's like 5 lines to do the validation with a basic LDAP bind that negates all of this
|
|
#
?
Aug 24, 2022 21:29
|
|
|
sb hermit posted:invalid authentication attempts might cause spurious warnings on IDS detection systems so it might give the security people headaches new plan: spam this with spurious auth attempts until they have to explain their crimes to the security team Powerful Two-Hander posted:no because get this lmao and oof
|
|
#
?
Aug 24, 2022 21:32
|
|
|
Corla Plankun posted:new plan: spam this with spurious auth attempts until they have to explain their crimes to the security team we're literally patching all our components tomorrow to spam retries on failure, idk if it will get picked up though because they're not actually using non-cached tokens to do a bind they just throw them away. the only way I can see that this hasn't been a problem is that nobody has ever tried to send the same token outside the expiry time, either because they use a fresh one every time or just dumb luck
|
|
#
?
Aug 24, 2022 21:37
|
|
|
btw the "actual" solution is, and I'm not making this up, "do an impersonation logon with the account, then call this other blackbox dll installed on the host to get a temporary token, then send that instead of the actual account password". but I wasn't going to do that until I'd established what the hell was going on because, as I told them, "computers don't just do stuff for no reason"
|
|
#
?
Aug 24, 2022 21:48
|
|
|
so are you documenting this, other than in this thread i mean, or are you keeping it to yourself for enhanced (job) security?
|
|
#
?
Aug 24, 2022 21:53
|
|
|
Deep Dish Fuckfest posted:so are you documenting this, other than in this thread i mean, or are you keeping it to yourself for enhanced (job) security? oh yeah. I already sent an all seniors chat saying "btw if you do this then you get random failures" because we're supposed to be doing a mass migration to this service by end of next month (!) also to satisfy Bob Dobbs, I have an accidental semi interview tomorrow on account of someone I used to work with on the user side hitting me up but idk what it actually is, except that the person I'm talking to is an MD sooooo
|
|
#
?
Aug 24, 2022 22:00
|
|
|
Powerful Two-Hander posted:the person I'm talking to is an MD sooooo Excellent, even if you accept well have plenty of content for the thread
|
|
#
?
Aug 24, 2022 22:16
|
|
|
Gaukler posted:Excellent, even if you accept we’ll have plenty of content for the thread it will never stop, this I can promise. it's like I'm magnetically attracted to bad code and dumb ideas
|
|
#
?
Aug 24, 2022 22:18
|
|
|
good money, interesting work, ethically clean-ish choose two
|
|
#
?
Aug 24, 2022 22:22
|
|
|
at most two
|
|
#
?
Aug 24, 2022 22:32
|
|
|
Corla Plankun posted:
|
|
#
?
Aug 24, 2022 23:03
|
|
|
im not even gonna say it. i'ma like telepathically voice it at you
|
|
#
?
Aug 25, 2022 00:40
|
|
|
Sapozhnik posted:good money, interesting work, ethically clean-ish add a couple letters and you can have all three 
|
|
#
?
Aug 25, 2022 02:50
|
|
|
 huh using the mdoc macros is actually really easy and now i can set MANPATH to "$PWD/man:$MANPATH" and look up documentation ive written in the terminal without a thought i always avoided learning how to write manpages because troff looked like hell but i learned enough of it in an evening to be content, would recommend matti fucked around with this message at 03:37 on Aug 25, 2022 |
|
#
?
Aug 25, 2022 03:33
|
|
|
MANPATH
|
|
#
?
Aug 25, 2022 04:28
|
|
|
mdoc is pretty good
|
|
#
?
Aug 25, 2022 04:52
|
|
|
M'DOC  MODOK 
|
|
#
?
Aug 25, 2022 05:18
|
|
|
MrQueasy posted:M'DOC thats i
|
|
#
?
Aug 25, 2022 05:19
|
|
|
https://illumos.org/man/3C/getopt https://illumos.org/man/3C/getopt_long sun always wrote good documentation matti fucked around with this message at 06:27 on Aug 25, 2022 |
|
#
?
Aug 25, 2022 06:23
|
|
|
https://www.man7.org/linux/man-pages/man3/getopt.3.html gently caress whatever this is
|
|
#
?
Aug 25, 2022 06:28
|
|
|
|
| # ? Apr 28, 2024 04:52 |
|
|
sb hermit posted:MANPATH i write `man date` a couple of times a year
|
|
#
?
Aug 25, 2022 06:53
|
|