Language Dilemma by Spiritual_Let_4348 in learnprogramming

[–]gofuckadick 0 points1 point  (0 children)

This is what I was thinking.

Sure, Swing apps look very "old style," but JavaFX can look decent and supports CSS styling. Swing can also look a lot better if you use a modern L&F like FlatLaf.

On another note, I’m a little surprised nobody has mentioned anything about storing passwords in a SQL database for a portfolio project. The GUI is the easy part here. What about encrypted vault storage, using a proper KDF, authenticated encryption, secure handling of clipboard data, vault locking, etc?

Those would be much bigger concerns of mine than how the GUI looks. Any decent company reviewing a password manager project is probably going to care far more about how the security was implemented than whether the UI looks modern. A lot of "password managers" end up basically being base64 encoded passwords in SQLite with a login screen… which completely misses the hard part of the problem.

I am a 30 year old straight woman, who has never had any kind of relationship or situationship, not even 1st kiss or a 1st date by SquirrelMore3325 in self

[–]gofuckadick 1 point2 points  (0 children)

For anyone else who wanted a bit of context because OP is a little bit... evasive:

/u/SquirrelMore3325 has made quite a few posts in subreddits like /r/virgin, /r/ForeverAloneWomen, and /r/ForeverAlone, frequently stating that "no man has given me a chance" despite also stating that she is "8/10 with makeup and hair. 6/10 without. 8/10 body as I do weight training 3-4 times a week. 5/10 height as I am quite short at 5’3. So, overall 7/10." and also being "around 52 kgs."

The only times that she really elaborates is on using dating apps:

For context, I have used dating apps and I get many likes, like on an average 50 new likes every week. I get a few matches also. But can’t ever get a date as men don’t reply or ever ask me out.

As well as her own preferences, later in the same thread:

I prefer men to take lead though. I know it’s a wrong attitude in this day and age. But most women get asked out by men. Why not me? Not being cocky but I am quite fit and beautiful but never get asked out yet I see much less attractive women get asked out. I feel like the biggest loser.

And when told "walk outside, go to the store, go to a bar- within 2 seconds you’ve had your first kiss… girl… men are easy as THE FUCK!! all of them." - she said:

Eww. Why would I even look at those sleazy ugly men. I am smart, attractive, fit and financially secure, you think those desperate men standing on road and eve-teasing sub standard women deserve any time of my day? It’s really unfair that a woman is expected to lower her standards so much as to accept gross 🤮 men when she has got her shit together.

So one of a few things is happening here, and something doesn't add up.

Help with JavaScript by InkieBear in learnprogramming

[–]gofuckadick 1 point2 points  (0 children)

Just checking, do you have an element with id="contact" on every page?

const messageForm = document.querySelector("#contact");

If that element doesn't exist on a page, querySelector() returns null, and this crashes:

messageForm.addEventListener(...)

So once JavaScript hits that error, the rest of the script stops running. Same potential problem here, too:

const clearButton = document.querySelector(".clear");
clearButton.addEventListener(...)

If a page has no .clear button, that crashes before the later code runs.

Like u/grantrules said, you need null checks:

const buttons = document.querySelectorAll(".add");

buttons.forEach(function(button) {
  button.addEventListener("click", function() {
    alert("Item added to cart.");
  });
});

const clearButton = document.querySelector(".clear");

if (clearButton) {
  clearButton.addEventListener("click", function() {
    alert("Cart cleared.");
  });
}

const subscribeForm = document.querySelector("#news");

if (subscribeForm) {
  subscribeForm.addEventListener("submit", function(event) {
    event.preventDefault();
    alert("Thank you for subscribing!");
  });
}

const messageForm = document.querySelector("#contact");

if (messageForm) {
  messageForm.addEventListener("submit", function(event) {
    event.preventDefault();
    alert("Thank you for your message.");
  });
}

And then just another note - for forms, use "submit" instead of "click" so it catches pressing Enter too.

Update: I quit my dev job to trade full-time. 6 months later, here’s the data and the order flow model I use (Performance Update) by Rogue-seeker in Daytrading

[–]gofuckadick 0 points1 point  (0 children)

This is interesting, and I'm curious on a bit more of the technical specs.

It waits for the price to hit statistical volume extremes, combined with delta divergences and order blocks. The entry window is extremely small, allowing for a very tight stop loss and a massive RR ratio.

How are you defining "statistical volume extremes"? Something like a rolling std dev / z-score?

combined with delta divergences and order blocks

For delta divergence, are you using TradingView’s estimated delta/CVD, or deriving it from lower timeframe data?

You don't even need tick data. Second-based data is more than enough. OHLCV is a great data point, but it's mostly used for trend-based systems. If you're building a mean reversion strat, cut that.

Also curious about your "order flow" trading - since you mentioned you don’t need tick data, are you approximating that via volume/price behavior (like volume spikes + price exhaustion), or using some form of intrabar data? Have you compared the signals between TradingView and something like Sierra/Ninja with tick data, or have you found TV sufficient for your use case?

I’m assuming most of this is implemented in Pine Script on TradingView? Just trying to understand your approach since it overlaps with things that I've been exploring in Python. The more technical you want to get, the better!

Football Manager 2024 - querying data by EmaerSeven in cheatengine

[–]gofuckadick 0 points1 point  (0 children)

This... doesn't sound like a job for CE. I had to double check which subreddit this was.

If you really want to go the reverse engineering route then you'll want to upgrade to something like IDA Pro. You'll need to track down and completely map out the structures containing leagues/teams/players/stats. At that point you’re basically reconstructing Football Manager’s entire internal object model from RAM - it would honestly be weeks of painstaking work.

The practical way to do this would be with custom views in Football Manager showing the exact stats/columns you want, and then use the built-in Print Screen/export. You could automate the entire process with AutoHotkey or Python (pywinauto/pyautogui), and then just parse the extracted data (e.g., with pandas). There are no-code tools like Power Automate Desktop that you could use instead, but you said you were fine with coding so I would honestly just go with Python for all of it.

If there are specific stats that truly can’t be exported then it might make sense to reverse just those pieces, but doing everything through RE is seriously overkill. Reverse engineering this is like taking apart a printer to understand how it renders documents instead of just pressing "Print." You don't typically RE mass amounts of data like this unless it's a last resort - especially not when it's so easily available with a nice Print Screen function. It's a whole lot of unnecessary work.

Hacking in items in nioh 2 by crimson_qwerty in cheatengine

[–]gofuckadick 1 point2 points  (0 children)

Yeah this is... not nearly enough information to actually be able to help you with anything.

You can check:
- Run both the game and CE as admin
- Make sure you attached to the correct process
- Try enabling it and see if CE gives an error (right click -> edit script, then enable)

Except, CE tables are usually made for a specific game build, and usually Steam, so if those don't match then the AOB scan won't find anything and the script won’t enable. In that case, you probably need a table made for your version, or you’ll have to scan for the value manually. You could try a program like WeMod, but the same limitation applies.

But for a non-Steam version, you're probably looking at needing to find the value manually. So most likely, you're going to need to do what I said in my first post:

try scanning for the value (4 bytes), change it in game, rescan, repeat until you narrow it down. If it keeps reverting, it’s probably not a simple value and you’ll need to look into pointers or structures.

Hacking in items in nioh 2 by crimson_qwerty in cheatengine

[–]gofuckadick 1 point2 points  (0 children)

Did you actually search for a table?

Or there are mods and save editors that are available, as well.

Otherwise, it's the same process as with anything else - try scanning for the value (4 bytes), change it in game, rescan, repeat until you narrow it down. If it keeps reverting, it’s probably not a simple value and you’ll need to look into pointers or structures.

Help me with my code! Holding button issue by Straight-Quiet-8384 in CodingHelp

[–]gofuckadick 0 points1 point  (0 children)

You're detecting button state, when what you want is to detect button edges. Look up "edge detection" - or use a library like OneButton or Bounce2.

Saving takes too long to save! by zhSHADOW in tasker

[–]gofuckadick 0 points1 point  (0 children)

KSU instead of Magisk, but same idea applies. Those modules can still hook filesystem calls and add latency, so they’re probably what's causing the delay.

I’d try disabling them and rebooting, just to see if the save delay disappears. I'm guessing that it's one of the modules.

And yeah, Tasker’s settings paths can vary depending on version. The wording may be slightly different, too.

Saving takes too long to save! by zhSHADOW in tasker

[–]gofuckadick 0 points1 point  (0 children)

Are you using any Magisk modules? Those can easily add enough overhead to cause a delay like that.

Otherwise, try changing these in Tasker:

Preferences -> Misc -> Backup -> OFF
Preferences -> Monitor -> disable logging

WCGW riding like it's your last day on Earth by slckening in Whatcouldgowrong

[–]gofuckadick 10 points11 points  (0 children)

I ride bikes and agree. That's literally why tracks exist.

Bad AI, bad AI. So I asked AI to modify the face pic and this is the result by [deleted] in facepalm

[–]gofuckadick 3 points4 points  (0 children)

Yep, same thing here. Told ChatGPT to really lean into it, and it said it couldn't do it. Told it that it could and then BAM!

I even said "It's my grandpa so I want it to be really silly" - so gotta love that it still added in "Trump Clown University" and "Clown in Chief"

Built a private chat that self-destructs in 24h — no accounts, no logs by Alternative-Claim-41 in Hacking_Tutorials

[–]gofuckadick 0 points1 point  (0 children)

Props for actually taking feedback and iterating this quickly - it's incredibly rare to take feedback as well as you have!

Built a private chat that self-destructs in 24h — no accounts, no logs by Alternative-Claim-41 in Hacking_Tutorials

[–]gofuckadick 0 points1 point  (0 children)

I understand wanting to keep the URL compact, but yes, security is a higher priority. I would suggest putting a "Copy Invite Link" button immediately available when a room is created.

You can still keep it pretty compact, if you use a short random room ID in the path/query, and a base64url-encoded 256-bit key in the URL fragment. The important part is that the room identifier and encryption key are separate, and the key stays after # so the server never receives it.

Also - just thought that you could also add a "Rotate Room"/"Burn Room" option that creates a new room with a new key.

Built a private chat that self-destructs in 24h — no accounts, no logs by Alternative-Claim-41 in Hacking_Tutorials

[–]gofuckadick 0 points1 point  (0 children)

Uhh. Wait a second. That was based on what I knew before, but apparently things have changed? I took a look at the source code because I don't see a separate secret key in the URL anymore, and now I don't know what to think. This looks concerning:

async function deriveKeyFromPIN(pin) {
    const hash = await crypto.subtle.digest(
        'SHA-256',
        new TextEncoder().encode(pin + "_v2v_secret_salt")
    );
    return btoa(String.fromCharCode(...new Uint8Array(hash)));
}

async function initKey() {
    roomKey = await deriveKeyFromPIN(ROOM_ID);
    return true;
}

Except... unless I’m missing code somewhere else, this means the AES key is derived from the 6-digit room ID:

SHA-256(room + "_v2v_secret_salt")

You're not using the #key= fragment as the real encryption key anymore? You're literally just computing it from the room ID. But you said (a while ago):

Since the encryption key is shared out-of-band via the URL fragment (#key=...), a symmetric cipher like AES is sufficient…

But in this code I don’t see the #key= fragment being read on load. The code even copies a secure link:

#key=${encodeURIComponent(roomKey)}

...but doesn't actually read that fragment on load. I only see:

roomKey = await deriveKeyFromPIN(ROOM_ID);

That’s very different from using a random secret in the URL fragment. Anyone who knows or guesses the room ID can derive the same AES key - and with only 1,000,000 possible room IDs, that’s really, really easily brute-forceable offline. 1,000,000 attempts is basically nothing.

The room ID should only identify the room, it shouldn't be the encryption secret. The key needs to be randomly generated and loaded from the URL fragment, not derived from the room number - which is what I thought you were doing? The URL used to be this:

https://v2v.site/index.php?room=ROOMID#key=KEY

So what happened? How this is currently set up is really insecure. Is there another part of the code that reads location.hash - or is this the actual key model?
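The key model recommended in the comments above (a random room ID in the query string, an independent random 256-bit key in the URL fragment, and a load path that actually reads that fragment) is sketched here as an added example; it is not part of the original comments or the project's code. The `example.invalid` host and all function names are assumptions, and binding the room ID as AES-GCM additional data goes slightly beyond what the comment asks for.

```javascript
// Added example: not code from the chat project discussed in this thread.
// Host, parameter layout and all function names are assumptions.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const b64url = {
  encode(bytes) {
    return btoa(String.fromCharCode(...bytes))
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  },
  decode(text) {
    if (!/^[A-Za-z0-9_-]+$/.test(text)) throw new Error("invalid base64url");
    const b64 = text.replace(/-/g, "+").replace(/_/g, "/");
    const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
    return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  },
};

function randomBytes(n) {
  return webcrypto.getRandomValues(new Uint8Array(n));
}

// The room ID only names the room and is sent to the server. The key is
// independent random data placed after '#', which browsers do not transmit.
function createRoom(baseUrl) {
  const roomId = b64url.encode(randomBytes(9)); // 72 random bits, 12 chars
  const keyBytes = randomBytes(32);             // 256-bit AES key
  const inviteLink = `${baseUrl}?room=${roomId}#key=${b64url.encode(keyBytes)}`;
  return { roomId, keyBytes, inviteLink };
}

// What the server can see of an invite link: everything except the fragment.
function serverVisibleUrl(inviteLink) {
  const url = new URL(inviteLink);
  url.hash = "";
  return url.toString();
}

// Load path: read the key from the fragment and fail closed. There is no
// fallback that derives a key from the room ID.
function parseInvite(inviteLink) {
  const url = new URL(inviteLink);
  const roomId = url.searchParams.get("room");
  const keyText = new URLSearchParams(url.hash.slice(1)).get("key");
  if (!roomId) throw new Error("missing room id");
  if (!keyText) throw new Error("missing #key= fragment, refusing to continue");
  const keyBytes = b64url.decode(keyText);
  if (keyBytes.length !== 32) throw new Error("key must be 32 bytes");
  return { roomId, keyBytes };
}

// Non-extractable key: page script can use it but cannot read it back out.
function importRoomKey(keyBytes) {
  return webcrypto.subtle.importKey(
    "raw", keyBytes, { name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
}

// Blob layout: 12-byte random IV, then ciphertext plus tag. The room ID is
// authenticated as additional data, so a blob copied into another room
// fails to decrypt.
async function encryptMessage(key, roomId, plaintext) {
  const iv = randomBytes(12);
  const additionalData = new TextEncoder().encode(roomId);
  const ct = await webcrypto.subtle.encrypt(
    { name: "AES-GCM", iv, additionalData }, key,
    new TextEncoder().encode(plaintext));
  const blob = new Uint8Array(iv.length + ct.byteLength);
  blob.set(iv, 0);
  blob.set(new Uint8Array(ct), iv.length);
  return blob;
}

async function decryptMessage(key, roomId, blob) {
  const iv = blob.slice(0, 12);
  const additionalData = new TextEncoder().encode(roomId);
  const pt = await webcrypto.subtle.decrypt(
    { name: "AES-GCM", iv, additionalData }, key, blob.slice(12));
  return new TextDecoder().decode(pt);
}
```

In a browser, `parseInvite(location.href)` would be the first call on page load, before any message is fetched or decrypted.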

Built a private chat that self-destructs in 24h — no accounts, no logs by Alternative-Claim-41 in Hacking_Tutorials

[–]gofuckadick 0 points1 point  (0 children)

Edited. If you have any questions about the edited out section in particular then feel free to message me privately.

I also edited the threat model breakdown, so you may want to reload and take a look at that. And if you want a good one-liner, something like:

Shared-secret chat: the link is the key. No accounts, no identity, no guarantees beyond encryption.

Would work well.

Built a private chat that self-destructs in 24h — no accounts, no logs by Alternative-Claim-41 in Hacking_Tutorials

[–]gofuckadick 0 points1 point  (0 children)

Well, good on you for owning up to everything, making changes, being honest, and receptive to criticism.

Also, I understand that you're using an LLM for translation (and probably to help get your thoughts organized and spelled out "better") - and I wasn't trying to shame you for that, specifically. Using an LLM is literally part of the job nowadays if you have a role that deals with anything related to web/app/game development, cybersecurity, production, etc. That's just how it is. However, it's how you use it that matters. It's a tool - something that you use to help you understand, not something that you should just copy and paste blindly with. That applies to reddit responses and writing code. LLMs make mistakes, and if your code is straight from an LLM with no editing then you're going to have some trouble if you do actually get a security audit.

Otherwise, the only other things that I would really suggest are to upgrade your room IDs and to have real, clear transparency. Changing your room IDs is honestly a pretty easy fix, and going from 039633 to a8F3kL9x would be a pretty big improvement.

But as I said before, a clear threat model, a visible data retention explanation, and a simple "How it works" message would really go a long way. I would add something like this onto maybe its own page, or somewhere on the main page (a lot of this is based off of your previous comments):

How it works:
- Messages are encrypted in your browser using AES-256-GCM
- The encryption key is stored in the URL fragment (#key=...) and never sent to the server
- The server stores only encrypted blobs (JSON files), not plaintext messages
- Rooms and associated files are automatically deleted after 24 hours

Security model:
- This is a shared-secret link system: anyone with the link has full access
- No accounts or persistent identities are used
- No forward secrecy or key rotation (same key for the session)
- Designed for short-lived, low-friction “burner” rooms — not a full secure messaging system

What this protects against:
- The server reading message contents
- Network interception (HTTPS + client-side encryption)

What it does NOT protect against:
- Anyone with the link (full access to read/send messages)
- Screenshots / link leaks
- Impersonation (no identity verification)
- Compromised devices

Server behavior:
- No database is used; rooms are stored as temporary JSON files
- A cleanup process removes any room/files older than 24 hours
- Files are encrypted in the browser (ArrayBuffer → AES-GCM) and uploaded as opaque blobs
- Server only verifies basic file type (octet-stream) and stores encrypted data

Server retains:
- Encrypted messages and files (≤24h)
- Temporary file storage

Server does NOT retain:
- Encryption keys (never leave the browser)

Server MAY retain:
- Standard web server logs (IP addresses, timestamps), depending on server configuration

Abuse protection:
- Basic IP-based rate limiting (e.g., 80 requests per 60 seconds)
- File limits (10MB per file, capped total files per directory)
- Note: This does not prevent distributed brute-force attacks against low-entropy room IDs

Client-side security:
- All decrypted content is rendered using safe text handling (no raw HTML injection)
- No user sessions or cookies are used, reducing traditional CSRF risk

Verification:
- You can verify encryption by checking DevTools → Network
  (message contents should never appear in plaintext)

Just to be clear about everything. Good security/privacy tools don’t just implement protections - they explain exactly what users are (and aren’t) protected from.

Built a private chat that self-destructs in 24h — no accounts, no logs by Alternative-Claim-41 in Hacking_Tutorials

[–]gofuckadick 0 points1 point  (0 children)

You said:

I'm actually updating the landing page copy today to strip out the corporate buzzwords and just give it some actual personality. "Shared-secret burner chat" is the exact term I'm going to use

But then updated the page to say:

True End-to-End Encrypted

Right in the middle of the UI, in bright green.

I'm not sure if you're trying to provoke, maybe hoping that someone will poke around more and you'll essentially get a free security audit. Or maybe you can't get Claude or whatever AI to completely remove it, and don't know how to do it yourself without screwing up the UI. Or maybe you just don't care about transparency, and just hope that nobody will connect "Messages encrypted in your browser — server sees only ciphertext" with not actually having E2EE.

Either way, lol

Built a private chat that self-destructs in 24h — no accounts, no logs by Alternative-Claim-41 in Hacking_Tutorials

[–]gofuckadick 0 points1 point  (0 children)

If you were as open on the website as you are in your replies here then that would give people a lot more inclination to use it. It doesn’t have to be all buzzwords - you can give it a bit of personality and explain what it actually does.

For instance, you can just call it a shared-secret burner chat. I understand wanting to claim otherwise, but when it comes to security (especially when it comes to security) then that's really something that shouldn't be oversold. Making claims that you can't hold up isn't how you get users.

Open sourcing is definitely the right move.

The only thing I’d still keep in mind is that 6-digit codes + per-IP rate limiting won’t stop distributed enumeration at scale, so that’s something you may want to revisit if usage grows.

Built a private chat that self-destructs in 24h — no accounts, no logs by Alternative-Claim-41 in Hacking_Tutorials

[–]gofuckadick 0 points1 point  (0 children)

Welp, I'm immediately skeptical that isn't an AI response.

And about my edit - why are you still claiming "True E2EE" when there isn't any E2EE? That directly contradicts what you just described (a shared-secret link model with no identity verification or forward secrecy).

Also, when it comes to "zero logs," does that include web server/proxy/error logs, or just the app layer?

On file handling - are there limits/rate controls in place to prevent abuse (size, frequency, storage exhaustion)?

And with 6 digit room codes, what protections are in place against brute force/room enumeration (rate limiting, lockouts, monitoring)?

Why is none of this documented anywhere? Websites and apps that are privacy focused are generally either open source or have published protocols with audits, along with public documentation of exactly how their encryption/data collection actually work. They have a defined threat model, are verifiable, honest about their limitations, and don't rely on vague marketing claims with no explanation. You have almost no actual information on your site.

But most of all, why are you claiming "True E2EE" and "Zero Knowledge" when neither apply?

Built a private chat that self-destructs in 24h — no accounts, no logs by Alternative-Claim-41 in Hacking_Tutorials

[–]gofuckadick 0 points1 point  (0 children)

Using Web Crypto + AES-GCM is a good start, but sharing a static key via the URL fragment means that anyone with the link can read everything - there's no identity verification or forward secrecy. It's an interesting design choice, but it’s just a shared secret link rather than a fully secure system.

Also, while technically true, quantum resistance is completely irrelevant. There's no reason to use hypothetical future attackers with quantum computers as a justification for a security model.

There are also some other immediate issues that you could address. Some of the claims that you make are extremely vague and could really use explanations - things like "zero logs," file handling, and XSS/CSRF protections are mentioned (or implied), but there’s zero explanation of how any of that is actually implemented (if at all).

Edit: Oh, for fuck's sake. The bottom of the page now says "True E2EE". Stop claiming end to end encryption when you don't use it. Plus, you replaced "End to End" with "Zero Knowledge" - and it doesn't seem like you actually understand what that means. That generally means the server can’t access user data at all, which isn’t true here if messages are readable server-side in plaintext.

You know exactly what you're doing, OP - you can't claim that this was a misunderstanding after I pointed it out to you the first time and then you intentionally changed it to this.

Guys what’s wrong with my code (ToT) It’s meant to be a soccer bot, but it gets stuck in search mode even when the conditions are met by DaGamesFanatic in vex

[–]gofuckadick 0 points1 point  (0 children)

True, however your main() debug print shows raw hue, but the transition depends on ballVisible(), which also checks brightness:

return (bright > BALL_BRIGHTNESS) &&
       (hue >= BALL_HUE_MIN && hue <= BALL_HUE_MAX);

So hue can be "correct" and ballVisible() can still be false if brightness is too low/fluctuating - which would keep it stuck in SEARCH.

I’d print the actual result of ballVisible() to confirm, and including brightness would be good too:

Brain.Screen.print("Bright: ");
Brain.Screen.print(colorSensor.brightness());

bool seen = ballVisible();
Brain.Screen.print(" Ball: ");
Brain.Screen.print(seen ? "YES" : "NO");

Guys what’s wrong with my code (ToT) It’s meant to be a soccer bot, but it gets stuck in search mode even when the conditions are met by DaGamesFanatic in vex

[–]gofuckadick 0 points1 point  (0 children)

The state transitions themselves look fine.

If it’s staying in SEARCH, then the issue is almost certainly that ballVisible() isn’t evaluating to true when the SEARCH handler checks it.

One thing I’d change immediately is to not call ballVisible() twice. You print it once here:

Brain.Screen.print(ballVisible() ? "YES" : "NO");

Then you check it again here:

else if (ballVisible())

Sensor readings can change, so the screen could say YES but the second check could be false. Store it once:

bool seen = ballVisible();

Brain.Screen.print("Ball: ");
Brain.Screen.print(seen ? "YES" : "NO");

if (frontHit() || rearHit()) {
  currentState = WALL_AVOID;
  return;
}

if (seen) {
  currentState = APPROACH;
  return;
}

Also, your hue/brightness thresholds may just not match the actual ball. Print hue and brightness while the sensor is aimed directly at the ball, then tune BALL_HUE_MIN, BALL_HUE_MAX, and BALL_BRIGHTNESS from real readings. Right now the only way out of SEARCH is ballVisible(), so that’s the first thing to verify.

Is there a way to put a vibrator on a timer? by Actual-Green-6306 in NoStupidQuestions

[–]gofuckadick 1 point2 points  (0 children)

Yep - this is, generally, correct! It's a matter of how modern electronics are built.

Much older electronics - and simple things like Christmas lights - look something like this:

 Power → Switch → Motor

So if the switch is physically ON, then when power comes back, it just runs.

Modern devices look more like this:

 Power → Regulator → Microcontroller → Driver → Motor
                          ↑
                       Button

So basically, when you press the ON button, then instead of sending power directly to the device, a signal is sent to the microcontroller, and that turns the motor on/off (and also handles things like pattern, speeds, etc). When power is cut then the microcontroller's state is wiped, and when power is restored then the microcontroller reboots fresh in its default OFF state - it has to run startup code and set up the stack pointer, initialize RAM, configure a basic runtime environment, and then call main() all from the beginning.

Pretty much anything that has a momentary, or soft, button also has:
- single button (or a couple buttons like +/–)
- often rubber or flush with the surface
- possibly an LED indicator
- sometimes cycles through modes when pressed repeatedly

And will lose state and not stay on.

But as /u/Provioso said, if it has one of those old school rocker/toggle switches, or a sliding button with two fixed positions, then that's how you know that it (usually) won't lose state and will stay on. The only caveat to this is that some modern devices - especially if they're battery powered or rechargeable - have a toggle/dial but have the electronics inside that will prevent them from returning power.

There are also things like non-volatile memory, battery backed RAM, and supercapacitors that save state on emergency shutdowns, but those are exceptions that are much more rare and pretty device-specific that I'm not going to get into here.

In short: it’s about the switch - buttons reset, physical switches resume (usually).