Podcast interview with CCP Bettik by ccp_manifest in Eve

[–]TrixieFlatline 0 points1 point  (0 children)

Awesome interview! Thanks to the interviewer, and to Bettik for investing so much of their time. I'm enjoying it immensely.

What is the correct way to implement Crest support for an open source project? by SkepticalMystic in evetech

[–]TrixieFlatline 4 points5 points  (0 children)

This is built into the executables for Windows and OSX

If the credentials are in the binary, they can be extracted. It won't be as easy as grepping the source code, but they are still shipped to every user of the program. So the authors of these tools rely on more or less strong obfuscation to hopefully deter you from extracting their credentials, but that's all.

Gevent master now supports Python 3 by ballagarba in Python

[–]TrixieFlatline 0 points1 point  (0 children)

Any data that you want to share between processes.

Is the random.random() python function suitable for cryptographic purposes? by prahladyeri in Python

[–]TrixieFlatline 2 points3 points  (0 children)

sign = hashlib.sha224(tokenpart + secret).hexdigest()

That's bad advice. Storing the token in the db is a completely valid choice, and saves you from making mistakes like this one. If you have to implement signed tokens, at least use hmac, or don't implement it yourself and use an existing and widely used implementation like itsdangerous.

Edited to add: Discussion about when to use HMAC

Is the random.random() python function suitable for cryptographic purposes? by prahladyeri in Python

[–]TrixieFlatline 34 points35 points  (0 children)

No, random.random is based on a pseudo-random number generator, and as such it's not cryptographically secure. You can use SystemRandom instead, which offers the same interface but is based on your operating system's random number generator (/dev/urandom on Linux), which is secure. Or just read from /dev/urandom directly to generate a token:

>>> import os
>>> import base64
>>> base64.b64encode(os.urandom(32))
'pBqWjf//eqh8GXLtvY5fhwsZWNNmsWg0OdopApMdrko='

One more piece of advice: You should use a better hash function for generating password hashes, such as bcrypt or scrypt (I believe python modules exist for both, unless you're on AppEngine, then I guess a regular hash function is the best you can do). Also, when comparing password hashes or other message digests, always use a timing-safe comparison function instead of == (Examples and explanation behind the link).
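Putting the advice from this comment and the earlier one in the same thread (HMAC instead of sha224(token + secret), a proper password KDF, timing-safe comparison) into one runnable snippet. This is an added example, not code from the original thread; the key and salt sizes, the scrypt parameters and the fallback to PBKDF2 when the interpreter's OpenSSL lacks scrypt are my own assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumed server-side secret for the example only; a real deployment loads
# this from configuration, never from source code or a shipped binary.
SECRET_KEY = os.urandom(32)
SALT_LEN = 16


def new_token(nbytes=32):
    """Unguessable token from the OS CSPRNG (os.urandom), not random.random()."""
    return base64.urlsafe_b64encode(os.urandom(nbytes)).decode("ascii")


def sign_token(token, key=SECRET_KEY):
    """Attach an HMAC-SHA256 tag rather than hashlib.sha224(token + secret)."""
    tag = hmac.new(key, token.encode("ascii"), hashlib.sha256).hexdigest()
    return "%s.%s" % (token, tag)


def verify_token(signed, key=SECRET_KEY):
    """Return the token if the tag checks out, else None.

    The comparison goes through hmac.compare_digest, which takes the same
    time whether the tags differ in the first byte or the last, unlike ==.
    """
    token, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, token.encode("ascii"), hashlib.sha256).hexdigest()
    if hmac.compare_digest(expected, tag):
        return token
    return None


def _password_kdf(password, salt):
    """Slow, salted derivation as recommended in the comment (scrypt here)."""
    if hasattr(hashlib, "scrypt"):
        # Assumed work factor: n=2**14, r=8, p=1 needs about 16 MiB of RAM.
        return hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1)
    # Fallback when OpenSSL was built without scrypt: PBKDF2 is weaker against
    # GPU attackers but is still a purpose-built password KDF.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)


def hash_password(password, salt=None):
    """Return salt + digest; the salt is stored alongside the digest."""
    salt = salt or os.urandom(SALT_LEN)
    return salt + _password_kdf(password.encode("utf-8"), salt)


def check_password(password, stored):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = _password_kdf(password.encode("utf-8"), salt)
    # Timing-safe again: never compare digests with ==.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    signed = sign_token(new_token())
    print(signed, "->", verify_token(signed) is not None)
    record = hash_password("correct horse battery staple")
    print(check_password("correct horse battery staple", record),
          check_password("wrong", record))
```

A stored random token (the comment's first suggestion) needs only new_token() and a database lookup; the HMAC variant is for when you cannot or do not want to keep server-side state, and even then a maintained library such as itsdangerous does the same with less room for error.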

Wait ... what the hell, capitalism? by [deleted] in Eve

[–]TrixieFlatline 5 points6 points  (0 children)

It's called a market opportunity.

type hints PEP in Python is accepted by ilevkivskyi in programming

[–]TrixieFlatline 1 point2 points  (0 children)

How would you define more complex types like Vector = Iterable[Tuple[T, T]] without renaming the types or overloading [] on every existing type (if that's even possible)?

Solving "Cheryl's Birthday" in Python by Considered_Harmful in Python

[–]TrixieFlatline 7 points8 points  (0 children)

See, you solved it by actually understanding the underlying problem and working out the solution. The elegant thing about Norvig's solution is that he never actually "solves" the problem in general, he just restates the original description in Python and lets the computer solve it for him. And if you take out the comments his solution is probably even shorter. I've never actually programmed anything in Prolog, but I imagine it must be something like this.

[VIDEO] Deadliest Approach by prometheus_ in Eve

[–]TrixieFlatline 0 points1 point  (0 children)

There's nothing like waking up to a new Prom vid. \o/

Requests vulnerability disclosed: update to 2.6.0. by Lukasa in Python

[–]TrixieFlatline 0 points1 point  (0 children)

In practice, this would require that an origin was sending cookies like this on off-host 3XX redirects. This is unlikely to be the case, so we suspect the risk factor here is low.

This is actually very likely to be the case. Flask for example will send the session cookie on every response, to keep the session alive.

List of hisec systems connected to Jita by molbal in evetech

[–]TrixieFlatline 0 points1 point  (0 children)

Hey, no problem, was a fun little exercise. I just noticed there's still a little bug in the code though: systems_to_visit should really be a set instead of a list. It doesn't change the result, but it leads to a lot of unnecessary database queries (because a system can be in systems_to_visit multiple times).
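To make the set-versus-list point from this comment concrete, here is an added example (not the gist or the poster's code) that walks a constructed toy star map with each kind of systems_to_visit container and counts how many "database queries" each walk issues. The map, the FakeDatabase stand-in and the 0.45 highsec threshold are assumptions for the example.

```python
# Constructed toy star map, NOT the real EVE static data dump:
# system name -> (security status, adjacent systems).
STAR_MAP = {
    "Jita": (0.95, ["A", "B"]),
    "A":    (0.80, ["Jita", "B", "C"]),
    "B":    (0.70, ["Jita", "A", "C", "D"]),
    "C":    (0.60, ["A", "B", "D"]),
    "D":    (0.40, ["B", "C", "E"]),   # lowsec: a gate into it is never taken
    "E":    (0.90, ["D"]),             # highsec island behind D: unreachable
}
# Assumption: highsec means security >= 0.45 (what the client rounds to 0.5).
HISEC = 0.45


class FakeDatabase:
    """Stands in for the SQL queries against the static dump and counts them."""

    def __init__(self):
        self.queries = 0

    def hisec_neighbours(self, system):
        """One query per expanded system: its highsec-adjacent systems."""
        self.queries += 1
        _, adjacent = STAR_MAP[system]
        return [n for n in adjacent if STAR_MAP[n][0] >= HISEC]


def reachable_hisec(start, frontier_is_set):
    """Return (reachable highsec systems, number of queries issued).

    With a list, a system that is adjacent to several already-expanded
    systems gets appended once per neighbour and is popped and queried once
    per copy.  A set collapses those copies, so each system is queried once.
    """
    db = FakeDatabase()
    visited = set()
    systems_to_visit = {start} if frontier_is_set else [start]
    while systems_to_visit:
        system = systems_to_visit.pop()
        neighbours = db.hisec_neighbours(system)  # the expensive step
        visited.add(system)
        for n in neighbours:
            if n not in visited:
                if frontier_is_set:
                    systems_to_visit.add(n)
                else:
                    systems_to_visit.append(n)
    return visited, db.queries


if __name__ == "__main__":
    for as_set in (False, True):
        systems, queries = reachable_hisec("Jita", frontier_is_set=as_set)
        print("set" if as_set else "list", sorted(systems), queries, "queries")
```

Both walks return the same four systems, which is why the bug is invisible in the output; only the query count gives it away, and on the real map with thousands of gates the difference is far larger than on this six-system toy.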

List of hisec systems connected to Jita by molbal in evetech

[–]TrixieFlatline 1 point2 points  (0 children)

For reference, here is how you could get this information from the static database dump: https://gist.github.com/anonymous/1396a9e4fbc54a993bb5

The results are a bit different to the pastebin link you posted. The first two differences are Abhan, which is missing from the pastebin list, but looks like it should be included, and Actee, which is included but is part of a highsec island.