p

p, 1 day ago

@jeru @FailurePersonified

> PHP
> Node
whoahoahsinternally.jpg

p, 1 day ago

@kura @FailurePersonified @jeru

#!/usr/bin/awk
BEGIN{ORS="\r\n";print "Content-Type: text/plain";print "";while(1){print "You must be thinking of awk."}}

p, 2 days ago

@taylan Another thread where you've tagged me out of nowhere. I really must have struck a nerve. Was it when I called you wispy?

:strangelovesmug: You are going to want to pay attention to this part :strangelove: to save yourself some time: I told you I was gonna just send the robot if you keep begging for attention. The robot only sends messages when you tag me. The robot sends more messages the more frequently you tag me. If you do not go out of your way to try to get my attention, then it sits there, inert. As it has a delay between messages, if you send enough messages, it will take a while for it to finish, so just have a bit of patience. You can block me, instance-block my account, or just resist the urge to waste my time, and if you do any of those, the bot does not talk to you. In any case, I do not want to talk to you and I have delegated the task of replying to you to a machine. Most people do not have any impulse to seek out people they claim to find unpleasant, and even less so when those people tell them to go away: the bot is designed for people like you. Your life will be better if you spend your time talking to people you actually do want to talk to, but for my part, I have delegated interactions with you to the bot, so the problem is fixed from my end.

> chat with my gf, go to sleep, wake up, exchange more loving messages with her, take a shower, cuddle my cat,

Fuckin' called it. You've never met her. I wish I'd made a bet with 0. (Also the way you phrased it is creepy. I get the feeling you're a little more "Elliot Roger" than "Josef Fritzl", but in either case, I expect you'll be on the news at some point.)

> RENT. FREE.

It's not exactly rent-free if you have to keep tagging me to get attention. You realize that, right? If you follow me around and I tell you to go away, that's not "rent-free". You notice I've never gone looking for you to talk to you? Do you notice me tagging you out of nowhere, or any mention of you since the last time you came to bother me?

> He will now respond to this with "I thought you muted me" because he doesn't know Husky shows a thin line for muted messages mentioning you.

It's real strange to say "I HAVE MUTED YOU SO I CAN'T HEAR YOU" and then go out of your way to tag me again, and then this bit, like...I don't know what it is, it reads like you attempting to gloat that you can click a button to not see messages from me, but that you can see them anyway. I have no idea what point you're trying to make by saying "I covered my eyes because I didn't want to see, but then I peeked through my fingers! This plan has astonished him!"
costumed_nemesis.mp4

costumed_nemesis.mp4

p, 2 days ago

@taylan @Hyolobrika

> He said "passwords are just strings of bytes and should not be processed in any way" and I pointed out to him that this is wrong, because often they're Unicode character sequences.

You narrowed the discussion to the web, and passwords are treated as character sequences on the web. Your objections were stupid, and I probably would have dismissed the entire concept if I hadn't looked found the RFC.

> and that it's cool to be arrogant and mock other people for supposedly being wrong about something.

Go re-read the thread. I kept saying "Hey, let's not have a stupid argument, let's try to sort it out" and you kept flinging insults.

> Unsurprisingly he also seems to be surrounded with racist and sexist men. It's machismo all the way down.

Shh, nobody tell him.

p, 2 days ago

@0 @Hyolobrika @taylan
against_women.jpg

p, 1 day ago

@pernia @f0x @0 @Owl @bot @chog9 @sun @syzygy What, you never drank dnL?

p, 1 day ago

@pernia @0 @Owl @bot @chog9 @f0x @sun @syzygy It was a green 7up, it was caffeinated. It was called dnL because the can had the 7up logo inverted.

p, 3 days ago

@prettygood I can't help it if PHP sucks, you'll have to take it up with Rasmus Lerdorf.

echo '++++[->++++<]>[-<+++++>>+++++++>++<<]<------.>>+++++.--.+.>.<[-<+>>>+<<]>[--<++>>-<]>---.+++++++++++++.+.<<<.>>>-------.---.<<<--.>.>>+++.-------.++.+
+[->+<<+>]>++++++.<<.<<.>[-<<->>]<<++++.[>>>--<<<-]>>>+.' | sed -E 's/(.)/\1\n/g' | awk 'BEGIN{print "BEGIN{p=0;"}END{print "}"}/\./{print "printf \"%c
\",a[p]"}/\+/{print "a[p]++"}/-/{print "a[p]--"}/</{print "p--"}/>/{print "p++"}/\[/{print "while(a[p]){"}/\]/{print "}"}' | awk -f /dev/fd/0

p, 3 days ago

@lanodan @prettygood

> Copy-pasta error?

Ah, shit, yes. I just grabbed it out of the DB.

echo '++++[->++++<]>[-<+++++>>+++++++>++<<]<------.>>+++++.--.+.>.<[-<+>>>+<<]>[--<++>>-<]>---.+++++++++++++.+.<<<.>>>-------.---.<<<--.>.>>+++.-------.++.++[->+
<<+>]>++++++.<<.<<.>[-<<->>]<<++++.[>>>--<<<-]>>>+.' | sed -E 's/(.)/\1\n/g' | awk 'BEGIN{print "BEGIN{p=0;"}END{print "}"}/./{print "printf "%c",a[p]"}/+/{p
rint "a[p]++"}/-/{print "a[p]--"}/</{print "p--"}/>/{print "p++"}/[/{print "while(a[p]){"}/]/{print "}"}' | awk -f /dev/fd/0

p, 2 days ago

@lanodan @prettygood Ha, thanks, I had just been talking logfile analysis in a DM thread, and ended up doing similar, a pipe into an awk program that generated another awk program. (Used one datasource to build the program, then shipped the program to another machine to run there.)

(I didn't implement , but that's not too hard to do.)

p, 3 days ago

@grips Haha, holy shit.

:erdossmug: "The Erdos of arguing on fedi."

p, 5 days ago

@lanodan @r000t @teratology

> Heh, for SMTP here I use ssh: sendmail = ssh server_machine sendmail in mutt/gitconfig/…

:tyrellsmug:

(Does not work so great without keys or with weird mail clients, though. My mail server being on the LAN, though, I can whitelist its IP on the exim relay list.)

> for the complete idiots that tend to pester me everytime:

I didn't know that there are people that both (1) know that Sendmail is a mess and (2) don't know that the sendmail program became a de facto interface. I am disappointed by new things every day.

$ pkginfo -o $(which sendmail)
Package File
exim usr/sbin/sendmail

p, 5 days ago

@0 @mint @r000t @tinfoil@social.tinfoil-hat.net The ultimate in security. No one has access. It's second only to the computer being completely off and unplugged.

(Incidentally, the TPi2's BMC is so low-power that it will boot from the trickle supplied when the PSU is off. If you unplug it, it will stay up for a few seconds.)

p, 5 days ago

@r000t @tinfoil@social.tinfoil-hat.net @0 @mint

> The list is given in order of popularity,

Popularity amongst people that don't automatically nuke the debian popularity contest package immediately.

apt-get install ed nvi build-essential mawk; apt-get purge nano '*popularity*' 'vim*'

p, 4 days ago

@taylan @Suiseiseki @romin @sun

> because it's invisible to the client,

They do cite RFC 6943 in RFC 7613 because RFC 6943 is ignored only at your own peril.

> it specifies the character encoding that should be used

And a surprising amount of normalization to prevent issues with identical-looking tokens.

> Mate, that sounds like projection.

"No computer works with 21-bit bytes" is not even wrong.

> What's your point?

The machine's word size has nothing to do with UTF-8 or wire encoding. The network does not operate on bytes, either. I'm not even sure what you would have to believe in order to produce that sentence.

> If int happens to be 32 bits (or you specifically go with uint32_t[]) then I think that literally gives you the encoding called UTF-32.

The in-memory representation is not a wire encoding, confusing the two will cause you trouble, you've got to do the translation regardless. (You probably have UTF-32LE, but only by coincidence and not portably: hop machines and it might end up being UTF-32BE.)

> you have to make a choice on how to represent a series of at-most-21-bit non-negative integers in digital memory that is addressed in 8-bit units.

Yes; I'm not sure what the point of saying "the data has to sit in memory in some form" is, though.

> It feels like you're scrambling to find anything in my post to object to just so you can argue.

You've said a lot of things that seem wrong, irrelevant, or meaningless; I'm not sure we even have a clear topic of discussion. Apparently my responses to things you say look irrelevant. The implicit assumption if someone says something to you is that it's relevant, they're addressing you for some reason: there's something you want to figure out or there's something you think I don't know or something you think I'm wrong about, so I read it like that. It might be the case that we're talking past each other while endlessly clarifying ourselves, which would probably explain it. (Any other explanation I can come up with for why a kid would try to tell me how bytes get across a network would make conversing with you pointless, and "We've misunderstood each other" still fits and is compatible with an assumption of good faith.) Aside from that, as I keep noting, I lost interest when I found out the topic is just typing things into a web browser¹; maybe being halfway checked out has contributed to the miscommunication. (Although I hadn't read RFC 7613 until this conversation, so I can't say that it's been a worthless conversation.)

If I step back a second, the only points I have been attempting to make are (1) the machine had better not try to second-guess opaque tokens I send it (although there is apparently a well-defined, standard normalization process laid out in RFC 7613, and the reasoning made sense in the context of the web, so for the web and similar, that point's partially retracted; do the transcoding client-side); (2) even applying a normalization process (PRECIS specifies exactly where to stop, prudently, giving an exact list of the small number of transformations), the more you tack on, the worse the results will be and the more ambiguity you add to a process that already fucks up too often due to the depth of the stack; (3) the more you can pretend you don't know about an opaque token, the happier everyone will be, so take the string of bytes if you can (in the case of a password, it is an opaque stream of bytes: you don't have a reason to process it beyond feeding it to the hash function, and the worst possible consequences of leaving encoding to the client is that you get a false negative and the system remains intact); and finally, (4) the hypothetical scenario where you expect the earth to move under your feet but the password still has to work 200 years later is a perfect illustration of exactly the worst way to go about solving a problem: creating a bad solution now on the grounds that it might have a chance of being durable in circumstances that would render it completely irrelevant to begin with (the saying is "Don't program for nuclear war").

If you have an objection to those points, then there is some substance to the dispute (contrary to expectations, which indicate this is pointless bickering). I don't feel a strong need to convince you. I don't think there's any room to object, but you're free to try and we can keep going indefinitely. I'm not jazzed to continue the proceedings, it's a boring topic¹, but we're here. At this point, if there isn't any agreement on the broader points, I'm inclined to just say, "Okay, do what you want, and let's revisit in 5-10 years."

> I simply said that whatever encoding was used on Unicode passwords before hashing them, it better be documented.

You said³ "an actual database field, that specifies the character encoding one is supposed to use for the passwords before hashing." That's a really terrible idea, but no one is going to object to more documentation: documentation is the reason the Big Rewrite always falls over, the reason high turnover screws an organization. The documentation is always insufficient, outdated, and full of minute detail about irrelevant points while failing to mention important parts.⁴ Nobody is going to object to better documentation (until they have to do it).

> Do you prefer to work with undocumented assumptions in software?

I said exactly the opposite of that. It is a long way from "never document anything" to "tack on a column to list the encoding that was used". (Saying "It feels like you're scrambling to find anything in my post to object to just so you can argue." would be an asshole maneuver.)

My point was adding an encoding column creates a problem. A string of bytes comes in, they're valid UTF-8, but the client says they're Latin-1. So is that [0xc3, 0xa1] in the middle of it a "á", or a "á"? The only way out of that situation is prevention: a database column isn't going to help. You tell the client "Send UTF-8" or "Send 8-bit ASCII" (i.e., define a protocol) and then never change your mind (the point of a protocol is reliable behavior). Once the client has sent their request, you want to second-guess as little as possible (you will guess wrong): make sure it doesn't break your server (and this goes n² if you are passing it to another server). It's better to kick back a request that broke the protocol than to try to fix it, because this will, 100% of the time, well before 200 years have passed, backfire spectacularly.

> OK, and? I was simply describing an API that an RDBMS could offer to make the lives of programmers a little easier.

You've got the password, the hash function is well-defined, don't send the password to the database if you can send the hash.

> you've demonstrated confusion on this matter, starting out by claiming that no processing should be done on a password at all before hashing it, before you discovered RFC 7613.

I read RFC 7613 (and one of the adjacent ones; it's part of a bundle of three or four), and it was sensible. "What if in 200 years I am still typing the same password in UTF-8 but the database is UTF-10 and nobody planned a migration?" was not convincing, but "Identifiers that can vary in content without varying in apparent representation" was. (We're talking edge-cases within edge-cases; it shouldn't surprise either of us if there are facets we haven't considered.)

If I change my mind, and I cite a couple of the reasons, and I point you to the place they came from, I'd call it "learning" rather than "demonstrating confusion". There wouldn't be much point in passing around specs/RFCs/links and reasoning with each other if changing your mind after reading someone else's thoughts is "demonstrating confusion". There's no point in learning if you never change your mind, and no point in conversing if we're not exchanging ideas, some of which we expect to be novel concepts or considerations. Why bother reading what you write if I don't expect you to have something to say that I haven't heard, why bother thinking and typing a response? What are we supposed to do, just smash our heads together until one of us falls over? (That can't be the plan, but if it is the plan, I'll retract my previous remarks about being willing to continue; it may be possible to do webshit with a concussion, but I can't work with a brain injury.⁵)

> it would indeed be a good idea for there to be APIs like pwd_hash()

There's my earlier objection to sending it down the wire twice. Kick back bullshit ASAP (or "fail fast", whichever idiom you prefer) to minimize branches in the main logic (like guard clauses, but communicating with another machine is far beyond a lengthy if/else): you want the happy path to be easier to read, you want error-handling clustered. It prevents bugs and makes debugging easier. Any security engineer will tell you not to let the password past its entry point: a database compromise would have just exposed a million bcrypt()'d passwords, but now the attacker has replaced pwd_hash() with a stored procedure that upserts all of the username/password pairs into a table before the hashing. (You know PostgreSQL lets you namespace objects? Almost nobody uses this feature: if you want isolation and granular permissions, usually you split across databases or write explicit GRANT for the tables. But you can CREATE SCHEMA whatever; SET search_path TO whatever, public; CREATE TABLE whatever.stealinurcreds (user text; pwhash character varying(255); ); and when the DBA does \d, he doesn't see new tables/triggers. Not hidden but very unobtrusive: https://www.postgresql.org/docs/current/ddl-schemas.html .)

Even if I were not a programmer, I have seen enough digial billboards that said "We&x2019;re committed to excellence!" to know that if you have an encoding problem with a piece of data, you don't e-encode the same data and send it out again. Decoding form data is the webserver's jurisdiction; relaying it to the database and increasing the level of coupling for the dubious benefit of making the database handle a problem farther from the source is inviting calamity. (Hope you've sanitized your query log.)

> Congratulations, you correctly understood what I explained and explained it back to me in different words.

Man, you're bitchy. Your post was long, I wrote that as a criticism: it seemed like it'd be obviously wrong to do that if spelled out, then you spelled it out.

> Thanks for admitting that hash functions, like most functions dealing with binary data, operate on bytes, not 32 or 64 bit words, which is exactly why you have to choose a character encoding, which was my whole freaking point above, that you somehow tried to argue against, even though you're now confirming it yourself.

Are we married or something? If I've somehow acquired a contentious wife without noticing, I'd like to know why you haven't cooked breakfast even once.

I have said was that hash functions operate on bytes at least once per post in this cursed thread:

"your hash function—every single hash function available to you—operates on strings of bytes. [⋯] If you receive that string of bytes, take that string of bytes, put it into your hash function, and see what comes out, and if it matches, great." https://fsebugoutzone.org/notice/AhqQp9vLH33yiH2VhQ

"If the server changes anything about how the bytes get into the hash function, the server has fucked up. [⋯] a series of bytes to hash [⋯] bcrypt(20, bytes)" https://fsebugoutzone.org/notice/AhonpzaF77IBYvcJFo

"A hash function operates on strings of bytes." https://fsebugoutzone.org/notice/AhoNUrL1ydll6HlQxs

"It is a bytestring [⋯] hash functions don't care." https://fsebugoutzone.org/notice/AhoMYYNAKgVVU3xau8

Once the user submits the password to you, don't touch it: encoding the input is the client's job.

If they've encoded it wrong, you hash the bytes and compare them against the database (and likely give them a 401; it is worth publishing if you find a collision between a string of bytes and the same string of bytes interpreted as encoding $x and transcoded to $y). If they've encoded it correctly, you hash the bytes. Ganto's axe. Your "if" and "else" have identical bodies.

"But what if we serve them a page that gets us the password in the wrong encoding? Shouldn't we apply heuristics and bgaugh" No.

NO.

No, you should not, unless there's a security audit going on and you have been conscripted by the Red Team to act as a double-agent, or if you are getting paid to carry out industrial espionage. (Or both. You could kill two birds with one stone: introduce a subtle security flaw, and not only do you get some cash under the table, but also a commendation from your corporate overlords for your admirable performance.)

If they send bad data, you have a client bug. If it is webshit and you're serving them the frontend and the frontend is the cause of the bug, then you have an easy solution to a client bug: you fix the client, you don't figure out how to get them authenticated anyway. (If they are using IE6 through a proxy that handles TLS for them in order to talk to your server, then handle that case when it comes up.⁶)

You not only have a client bug, but if they've sent malformed strings, you don't even actually have any assurance that it can be fixed by the time it gets decoded on your end. If Mr. Bühler tries to send Latin-1, by all means, transcode away when you're populating the last_name field, keep bad data out of your database, but if he sends dff6f1e8727a36396c6f6c for his password, don't try to turn that into c39fc3b6c3b1c3a8727a36396c6f6c: just hash dff6f1e8727a36396c6f6c and if he can't log in, fix the HTML you send him.

--

¹ The mechanics of the browser are fiddly bullshit. Unless we are working on a project together and have a problem to solve or I am being paid (and even then, I stick to the backend), I can't think of a reason to discuss the finer points of browser bullshit: the parts that make this profession interesting are few and far between. You get an occasional granule of computer science or math or distributed systems or fun hacks, but it feels more like trying to do tech support for someone that can't hear you because they made these terrible decisions² in 1996 and now we all have to live with it.

² Come to think of it, the web is a lot like working at a shitty company where the wrong people are making the decisions. The decision was made elsewhere by someone that is unaccountable, and you don't have much of a shot at reversing it.

³ The point at which people are arguing about who said what earlier in the thread is generally the point beyond which the thread cannot recover.

⁴ There's a tendency when documenting to write down what you did, and this favors making explicit the parts that the code already made explicit while leaving out the implicit assumptions. It makes me wonder if documentation should be written by the person doing the code review: if the person reading the code actually reads it and can't write documentation after, then that's something to ask the author during the interactive part of the code review, and if code review is a rubber stamp, the documentation will end up worthless. This seems like a process improvement that will backfire because the person that had the idea can't think of any problems, but I can't think of any problems adopting this at least for things like internal and external APIs. "Is this seriously what it's supposed to do?" and "I can't figure out how you're supposed to use this" sure as hell beat the usual superficial "LGTM" and "Do you think there should be more tests for this?" or "I really would have named this differently".

⁵ This is a joke.

⁶ The form already gets decoded somewhere and the values handed over to you, so you just wrap it. password = fetch_form_data("password") turns into password = ie6botch(client_user_agent, fetch_form_data("password")), and ie6botch(ua,pw) starts is something like if(!detect_ie6(ua)) return pw; return some_transformation(pw);.

p, 4 days ago

@taylan @Suiseiseki @romin @sun

> [Wants to argue about some shit that I have repeatedly said I don't care about]
> [Thread continues for three days]
> "MAN I TOUCHED GRASS I AIN'T EVEN GOT TIME"

Okay.
lincoln-internet.gif

p, 3 days ago

@taylan @Suiseiseki @romin @sun

> [keeps sending messages about shit I don't care about]
> "WHAT IF UTF-10 IN 200 YEARS"
> "CHANGING YOUR MIND IS DEMONSTRATING CONFUSION"
> "NOT CHANGING YOUR MIND IS ALSO BAD"
> "YOU WROTE TOO MANY"
> [Declares victory and retreats]

For all I know, you actually did read it and have no clue how to reply.

The problem is you are doing a stupid internet argument and I am not. I'm fairly certain you've been away from Twitter long enough to be cured of this (or maybe it's terminal: https://blog.freespeechextremist.com/blog/on-human-bots.html ), so I don't know, but there's going to be a mismatch while you're trying to "win" a fight that isn't happening and I'm just talking.
thuglife.jpg

p, 3 days ago

@0 @taylan @Suiseiseki @romin @sun

> How's that grass touching going?

Actually, he posted about howw it's going:
this_guy_is_gonna_end_up_in_the_news.png

p, 3 days ago

@amerika @taylan @Suiseiseki @romin I've talked to this guy before; it's a pattern, he just shows up in a random thread to antagonize people.

p, 2 days ago

@0 @Suiseiseki @amerika @romin @taylan Unlike the self-made admins, he was appointed his instance by the Mandate of Heaven (天命).

p, 2 days ago

@0 @Suiseiseki @amerika @romin @taylan :terrylol2:

He started another thread and tagged me again because his life won't be complete until he conveys how his morning went:

> chat with my gf, go to sleep, wake up, exchange more loving messages with her, take a shower, cuddle my cat,

:supremegentleman:

Anyway, I put the bot to him. It was nice to have the bot just off.
captcha.png

p, 2 days ago

@0 @ins0mniak @Suiseiseki @amerika @romin @taylan
socjuswiz_has_a_grievance.png

p, 1 day ago

@amerika @0 @Suiseiseki @ins0mniak @romin @taylan You'll have to ask him, I didn't inquire about his ancestry, I just told him he's gonna need to have a sandwich to keep up.

p, 1 day ago

@amerika @0 @Suiseiseki @ins0mniak @romin @taylan Most food is made for kids, and people that are tired, often people that are tired and have kids. Children don't have very discerning palates, and exhausted people (especially exhausted people with hungry kids) do not usually care much.

p, 1 day ago

@graf @amerika @Suiseiseki @0 @ins0mniak @taylan @romin See, that sounds like a decent thing to eat. I don't think anyone gets Mickey D's unless they are exhausted, though.
ronald_mcgangsta.jpg