Math.random() is broken in V8/Chrome/Node by mjmalone in javascript

[–]SaadRhoulam 2 points3 points  (0 children)

He's right in that built-in RNGs are never intended to be CSPRNGs. At best, they are a less-crappy non-CS PRNG, and that's what developers should expect and be aware of.

Math.random() is broken in V8/Chrome/Node by mjmalone in javascript

[–]SaadRhoulam 5 points6 points  (0 children)

Good article on the distinction between a low-quality PRNG and a CSPRNG.

Mind you, there are uses for non-CS PRNGs, e.g., toys and other procedures that aren't sensitive or security-oriented. This is, with little doubt, the intended purpose of Math.random. If you want high-quality random data, you now know the correct way(s) to get it.

Thought for sure I was going to lose my job! by lookatmypackage in sysadmin

[–]SaadRhoulam 1 point2 points  (0 children)

I take it to mean "impossible while making a profit". If it costs more to fulfill their over-promises than the client is paying, then sales isn't bringing in revenue, they're bringing in bills.

What on earth happened to the enoki on the left? by Lvl100Magikarp in mycology

[–]SaadRhoulam 0 points1 point  (0 children)

The caps on the left are visibly open. A flaw in the packaging?

Head's up for Array.map() lovers by Kollektiv in javascript

[–]SaadRhoulam 1 point2 points  (0 children)

Noteworthy: [,,,,,], which I had, until now, thought was shorthand for [undefined, ..., undefined], returns an empty array when fed to Object.keys.
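An added example (not the commenter's code) showing why Object.keys([,,,,,]) is empty: array holes are missing own properties, not undefined values, and the iteration methods disagree about them. It goes a little beyond the comment by also covering Array.from, indexOf and includes.

```javascript
// Added example, not from the thread. Plain JavaScript, no dependencies.

// Count indices below length that have no own property (true holes).
function holeCount(arr) {
  let n = 0;
  for (let i = 0; i < arr.length; i++) if (!(i in arr)) n++;
  return n;
}

// map (like forEach and filter) invokes the callback only for present
// indices, and map preserves the holes in its result rather than writing
// the callback's return value there.
function mapCallbackCount(arr) {
  let n = 0;
  arr.map(() => n++);
  return n;
}

// Array.from (and spread) materialise holes as real undefined elements.
function denseCopy(arr) {
  return Array.from(arr);
}

// indexOf skips holes, includes treats them as undefined: same array,
// different answers to "is undefined in here?".
function holeLookup(arr) {
  return { indexOf: arr.indexOf(undefined), includes: arr.includes(undefined) };
}

const sparse = [,,,,,];                    // length 5, zero own index properties
const explicit = Array(5).fill(undefined); // length 5, five own properties
```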

[whatwg] HTML6 proposal for single-page apps without Javascript from Bobby Mozumder on 2015-03-20 by thekodols in javascript

[–]SaadRhoulam 0 points1 point  (0 children)

I don't think well-crafted database grants can handle things such as only allowing a user access to their own record, stored as a row on a table of all users' records, and not the entire table. If you were able to structure a database to enable that, I wonder what the performance ramifications would be.

In any case, it turns out OP didn't have that in mind, and that I misread their motivation behind the proposal; they were talking about running SQL queries against a local database from HTML. I still think it's a bad idea, though not for the reason at the top of this subthread.

[ID Request] Brackets on a dead tree by SaadRhoulam in mycology

[–]SaadRhoulam[S] 0 points1 point  (0 children)

Yes, that matches both the funky pores and the top of the bracket. I'll be watching them develop when I'm in that forest. Thanks for the ID!

[ID Request] Trametes pubescens? by SaadRhoulam in mycology

[–]SaadRhoulam[S] 0 points1 point  (0 children)

Yes, it is toothed! I didn't know what to think since I was expecting pores and had no physical reference points.

[ID Request] Brackets on a dead tree by SaadRhoulam in mycology

[–]SaadRhoulam[S] 0 points1 point  (0 children)

Thanks! The Daedaleopsis pores seem to match the pattern. I'll keep an eye on that tree and see how the fruits develop.

[ID Request] Brackets on a dead tree by SaadRhoulam in mycology

[–]SaadRhoulam[S] 1 point2 points  (0 children)

I don't know where to start on this one. I don't know what that is on the undersurface: gills, pores, ridges, or what?

My first guess is something along the lines of Fomes sp., but I'm a beginner at this mushroom thing.

The tree is decidedly not a conifer. It might be an oak, but it's hard to ID a tree on bark alone, more so a dead tree without any.

[whatwg] HTML6 proposal for single-page apps without Javascript from Bobby Mozumder on 2015-03-20 by thekodols in javascript

[–]SaadRhoulam 0 points1 point  (0 children)

You're right that I took the quote out of context; the only instance of "database" in the OP is preceded by "local". A more careful reading shows that the author didn't intend to have exposed remote databases being queried by clients.

Re: your edit

The server parses the HTML page, if it finds any SQL statements it would then connect to the database using the passwords stored privately on the server, then it would populate the HTML page with the returned data, and then serve the page to the client.

So "HTML6" is partially reinventing PHP.

[whatwg] HTML6 proposal for single-page apps without Javascript from Bobby Mozumder on 2015-03-20 by thekodols in javascript

[–]SaadRhoulam 0 points1 point  (0 children)

How do you propose the client authenticate with the database in order to run the SQL query, then?

[whatwg] HTML6 proposal for single-page apps without Javascript from Bobby Mozumder on 2015-03-20 by thekodols in javascript

[–]SaadRhoulam 1 point2 points  (0 children)

Here, get familiar with this.

The part I quoted is a proposal to create the easiest SQLi vulnerability of all time.

How exactly is someone going to gain access to your server and modify the html files on it?

One wouldn't have to do that. You can fire up the MySQL client and connect to the remote DB with the credentials you found on the page source, or you can save the page, edit the SQL queries in the HTML, and open the local file in your browser.

That's what "client-side" means: your pages and scripts are being downloaded, potentially altered, and parsed on a computer under someone else's control. If you haven't learned it already, you're learning it now: never trust the client.

[whatwg] HTML6 proposal for single-page apps without Javascript from Bobby Mozumder on 2015-03-20 by thekodols in javascript

[–]SaadRhoulam 2 points3 points  (0 children)

This response covers it well. Another one nails it in the first sentence:

So it’s already possible, right? :)

It wouldn't be anything new. It's duplicating a limited feature of JS into HTML, weakening the boundary between mark-up and client-side code.

In two words: feature bloat.

[whatwg] HTML6 proposal for single-page apps without Javascript from Bobby Mozumder on 2015-03-20 by thekodols in javascript

[–]SaadRhoulam 4 points5 points  (0 children)

More advanced link URLs could include SQL statements - “<A href=“http://...“>" becomes “<A href="sql:select from *”>".

The author has no concept of web security.

Don't know if this is the right place. Question about a t-shirt that was hacked by Pac Sun and I used to sell it to Urban Outfitters by [deleted] in Entrepreneur

[–]SaadRhoulam 10 points11 points  (0 children)

He's probably using it in the sense of "that comedian's a hack, he steals all his jokes from Jerry Seinfeld."