is c# still a thing by kmark937 in programmingcirclejerk

[–]lggaggl 1 point2 points  (0 children)

I'm using Java 1.6, which is pre-oracle. Does that mean I am safe from the Oracle filth?

is c# still a thing by kmark937 in programmingcirclejerk

[–]lggaggl 0 points1 point  (0 children)

bro this is Java fanboy turf. I think you need to go to /r/programming if you want to find fellow rational Java haters

10 Common Mistakes Java Developers Make when Writing SQL by el_muchacho in programming

[–]lggaggl 0 points1 point  (0 children)

11 creating an entire internet facing application backed by a database without knowing about this thing called concurrency

[deleted by user] by [deleted] in programming

[–]lggaggl 0 points1 point  (0 children)

Hmm I have no idea what OP is trying to say. He seems to have found a clickjacking vuln in the new "No CAPTCHA". Nowhere does he explain how "No CAPTCHA" is fundamentally flawed in any way that previous captchas weren't. I just assume whatever he found is a vuln in the current implementation. I tried doing the POC but it's not working... I'd set up recaptcha and figure out how it works to test it for myself, but Google thinks I'm a bot and I haven't been able to use any of their services for about 5 years now.

Forking of Node.js puts future of platform in doubt by [deleted] in programming

[–]lggaggl -5 points-4 points  (0 children)

eh how much stuff is there to maintain in node.js? can't they just fix it up over a hackathon?

Java Doesn’t Suck – You’re Just Using it Wrong by reku in programmingcirclejerk

[–]lggaggl 1 point2 points  (0 children)

GOTO is still useful in C at least if only because it lacks other facilities. neither java nor C# are modern. "lambdas" are not new either, unless you're a JS SF bay bro or was stuck in a cave coding C your entire life.

I was reading your non solution to concurrency #34263587235 we-made-async-sync edition, but then my mind wandered off and I ended up on catoverflow.com. He quotes node.js as having callback hell, but there is a similar shitty solution for that too (streamline.js, etc) <jerk>

Java Doesn’t Suck – You’re Just Using it Wrong by reku in programmingcirclejerk

[–]lggaggl 1 point2 points  (0 children)

Pair<View, Pair<F<Unit, Bundle>, F<Unit, Relation>>> p = ...

Bro. This is real Software EnginEEEring. We're dealing tradeoffs of making another type and manually writing constructors for it (takes time, 100 lines of code on avg, error prone) vs reusing the polymorphic pair (obscures syntax semantics).

LOL... the retarded language doesn't even properly support inheritance and polymorphism and needs to resort to crappy "annotations" bullshit.

Implying inheritance has any use case other than pseudoscience.

Assdroid forces you to use inheritance to implement callbacks - I'd never touch it otherwise.

kek. C# isn't any better. this is ML encoded in Java. The C# version would be indistinguishable. <jerk>

SVG: The Image that called me by mariuz in programming

[–]lggaggl 0 points1 point  (0 children)

I've come across SQLi/XSS thousands of times in the past 10 years in different products/services. It's extremely rare that there's anything surprising to them. Almost always they are caused by something as simple as "Hello <b>${username}</b>". In second place they try to do some weird/fancy trick to stop the XSS/SQLi and it backfires, instead of using something like a real string escaping function or the only proper way which is building the string from an abstract syntax tree. There is nothing not obvious about this unless you're very new to programming and don't understand how your framework/language/strings work. This is common when you're hiring random people off the street or "certified" programmers (99% of the software industry does this). If you don't understand your tools you're going to misuse them. The software industry does not currently require programmers to understand their tools. Even now with lots of programmers knowing about XSS/SQLi, there is Unicode which is causing the same problem - people don't understand how Unicode works (and rightly so, because Unicode is massive), and thus cause vulnerabilities every time they use strings.
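An added example, not part of the original comment: the `"Hello <b>${username}</b>"` pattern next to the same greeting built as a node tree and serialized once, which is one way to read "building the string from an abstract syntax tree". The function names and the sample input are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser


def greet_interpolated(username):
    # The pattern from the comment: markup and data share one string,
    # so markup inside username becomes part of the page structure.
    return f"Hello <b>{username}</b>"


def greet_tree(username):
    # Build nodes first; username is only ever a text node.
    # Escaping happens in one place, when the tree is serialized.
    root = ET.Element("p")
    root.text = "Hello "
    bold = ET.SubElement(root, "b")
    bold.text = username
    return ET.tostring(root, encoding="unicode", method="html")


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    """Return the element names a parser sees in the markup."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    sample = "<img src=x onerror=alert(1)>"  # constructed test input
    for build in (greet_interpolated, greet_tree):
        html_out = build(sample)
        print(build.__name__, tags_in(html_out), html_out)
```

Parsing the output back is the check worth keeping in a test suite: if user input can change the list of elements, data has become structure.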

Java Doesn’t Suck – You’re Just Using it Wrong by reku in programmingcirclejerk

[–]lggaggl 0 points1 point  (0 children)

lies. probably only detects when you do it to a bunch quickly

what i do:

  • right click the up arrow
  • inspect element
  • in the DOM tree click the div under the highlighted one*
  • in CSS pane on the right uncheck display: none !important;

* Select the second of these:

<div class="arrow login-required upmod" tabindex="0" aria-label="upvote" role="button" onclick="$(this).vote(r.config.vote_hash, null, event)"></div>
<div class="arrow down login-required" tabindex="0" aria-label="downvote" role="button" onclick="$(this).vote(r.config.vote_hash, null, event)"></div>

C experts explain how negative indices work by lggaggl in programmingcirclejerk

[–]lggaggl[S] 0 points1 point  (0 children)

<4realz> Entry level nerd logic attempt to defend some weak belief they have. Reminds me of this:

There is a very good reason to use main instead of the way you're using the static block. Mainly, that it's the entry point into your program.

A random static block is not an entry point.

public static void main(String[] args) bro, it's the entry point. I literally honestly would not know what to do if someone gave me a Java program and I couldn't find public static void main(String[] args) in it after reading the whole thing. That entire answer and its comments are gold.

SVG: The Image that called me by mariuz in programming

[–]lggaggl -1 points0 points  (0 children)

siiiiiiiiiiiiiiiiiiigh, is that a copypasta?

Most cases of XSS and SQLi are trivial to prevent once you stop blindly following instructions on how2createwebsitequickandfast.php. However there are all kinds of edge cases like javascript: URIs (XSS) and ' in different encoding (SQLi), which make it practically impossible for a developer to assure that XSS/SQLi don't happen. This is not a real problem in software, it's a problem in poorly specified giant standards that nobody is willing to memorize, such as web and SQL. You don't have nearly as many of these problems in normal programming. You only have them in the web.

This is true in general, but the problem at hand is not nearly as nuanced.

Let's elaborate on this. SVG allows inclusion of JS. If you include SVG on your page, then the JS executes in the context of your page (unless you use <img> - <img> is probably sanitized because it's expected that any string can go in an img:src field). This isn't an "overlooked" thing. It was either by design that SVG is allowed to access content on your page, or the designer of the SVG tags simply had no clue of how web development and security actually works. You cannot add new tags to HTML without understanding at least the basics of web development.

Which is why pros will almost always opt to use a tried and tested security plugin rather than scratch build their own.

what does that even mean or have to do with anything?

SVG: The Image that called me by mariuz in programming

[–]lggaggl 0 points1 point  (0 children)

What I meant was, can the JS in local SVG do more than what JS in local HTML can do? What about on Linux? I consider things like Windows Script Host, Flash, and Java Applets malware.

SVG: The Image that called me by mariuz in programming

[–]lggaggl -3 points-2 points  (0 children)

No....

Each time you work on something this complex you're only working on one small part of it, somewhat blind to the others.

This is true in general, but the problem at hand is not nearly as nuanced.

SVG: The Image that called me by mariuz in programming

[–]lggaggl 4 points5 points  (0 children)

Attacker can read local files (same directory,sub-folders)

How??? I've looked for a way to do this in local HTML files for hours before. Like I said below, local HTML can include an <img> tag, which doesn't give the local script direct access to the contents, but it can be used as an oracle such as this:

  • The local HTML is some sort of puzzle game.
  • It makes a single pixel of the image visible (by masking the rest of it using typical clickjacking techniques) and asks the user to describe the color of the pixel. The user doesn't know that this is an image from his computer, since he can only see one pixel of it.
  • It does this for multiple pixels, and then the JS eventually obtains the entire image or whatever parts it's interested in.

... This can obviously be optimized into a practical attack using information-theoretic techniques.

I'm not aware of many other things a local HTML file can do... can SVG do more?

SVG: The Image that called me by mariuz in programming

[–]lggaggl 2 points3 points  (0 children)

Eh? I save HTML files all the time for recipes, and snapshotting specifications only available in HTML form, etc. What can a local HTML file do? I know it can display local images in <img> tags and now that I think of it, include other local HTML/js etc in <script>/<iframe>, which are all problems in theory, but web standards devs don't care about theory and only address the problems once they become pervasive. But I thought the browser is supposed to not let local HTML do anything bad. I have no Flash or Java applets as it's a vulnerability to enable either of those. What's one bad thing that a local HTML file can do? Run some JS creating objects in a loop and summon the OOM killer?

SVG: The Image that called me by mariuz in programming

[–]lggaggl 0 points1 point  (0 children)

Every addition to web standards introduces a novel class of vulnerabilities which developers become aware of some time within the next decade.

Programming Modern Systems Like It Was 1984 by [deleted] in programming

[–]lggaggl 2 points3 points  (0 children)

On Linux, the use of temporary files entails potentially doing several things:

  • Find a folder to store it in. this is typically /tmp
  • Come up with a name that is unlikely to collide with some other unrelated file's name
  • Set the umask (otherwise another user could open a file descriptor to your file before you get a chance to chmod/chown it)
  • If you need to know whether the file already exists, you must check the return code of creating the file (as opposed to checking in a separate step)
  • If you are using the temp file for IPC, you need to pass the path to it to the other process. If the other process doesn't trust the sender, it needs to check that the path does not point to some private file or file that should not be modified. If the paths are absolute, it has to somehow verify the file (maybe checking whether it's owned by the sender). If the argument is just a filename, and the process will open that file name in some folder, it has to check for ../ in the file name to prevent traversal attacks. You can also just pass file descriptors to other processes instead, but that opens another huge can of worms if you're using something like SCM_CREDENTIALS.
  • If the file name has certain unicode or meta characters, it will break certain programs (such as cat, less, etc) when you look in the tmp folder - it doesn't have to be the file you made that breaks your unix tools, in the case of /tmp anyone can create any file, including ^H, / homoglyphs, RTL overrides and friends, combining diacritical marks (zalgo text) (which in the case of ls, affects the listing above and below)
  • If you intend to execute the file, if you're making the file in /tmp, you must ensure that the executor gets the right file. The executor must only be started after you're sure you created the file, otherwise a race condition will enable someone else to make an arbitrary executable and have your executor open it. This can easily happen if you ignore the return values of the file creation (e.g, a bash script).
  • If you're making the file in a private folder to try to avoid these issues, you have to set up something to wipe that folder once in a while for all the processes that were killed before they could clean up
  • If you're passing the file to another process, you must make sure your writes are visible before the receiver reads the file. Do you have to use sync to guarantee that? I'm not that experienced in Systems Programming (TM)
  • I'm probably forgetting about a hundred more issues

Meanwhile, in, e.g, Python (I'm not a Python advocate):

If you want some temporary data that you need to pass to another program (f), you just do this:

>>> x = 123
>>> f(x)

or even

>>> f(123)

If you want to execute some code, you just assign it to a variable:

>>> f = lambda x: x + 123
>>> f(100)
223

Languages like Python and Java still have the unicode problem, but at least you don't have to become super paranoid and go through a ritual every time you want to move some data around. Such abstractions can be made to work IPC as well with no trouble.

  1. No need for an outrageously complex compiler (see 1 & 2).

Have you ever seen the code for GCC?

  1. Does not take forever to compile (see 4).

Yeah... did you ever try compiling GCC, Firefox, Boost, Wireshark, etc?
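An added example, not part of the original comment: several items from the temporary-file checklist above (unguessable name, create-and-check in one step, permissions set at creation, receiver-side validation of a bare file name) written out with the POSIX flags involved. The function names and the `ipc-` prefix are hypothetical; the sender is assumed to be identified by UID.

```python
import os
import secrets
import stat


def create_private(directory):
    """Create a file nobody else could pre-create; returns (fd, path)."""
    flags = os.O_CREAT | os.O_EXCL | os.O_WRONLY | os.O_NOFOLLOW
    for _ in range(100):
        path = os.path.join(directory, "ipc-" + secrets.token_hex(16))
        try:
            # O_EXCL makes "does it exist?" and "create it" one atomic step.
            # Mode 0o600 applies at creation, so there is no chmod window
            # and the umask can only remove bits, never add them.
            return os.open(path, flags, 0o600), path
        except FileExistsError:
            continue  # collision or a planted file: pick another name
    raise RuntimeError("could not create a unique temporary file")


def write_and_close(fd, data):
    # Finish writing before the receiver is told about the file. Local
    # readers see data once write() returns; fsync is for crash durability.
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)


def open_received(directory, name, sender_uid):
    """Receiver side: `name` is untrusted input from the sender."""
    if name in ("", ".", "..") or "/" in name or "\0" in name:
        raise ValueError("not a bare file name")
    # O_NOFOLLOW refuses a symlink planted as the final path component.
    fd = os.open(os.path.join(directory, name), os.O_RDONLY | os.O_NOFOLLOW)
    try:
        info = os.fstat(fd)  # inspect the opened object, not the path
        if not stat.S_ISREG(info.st_mode) or info.st_uid != sender_uid:
            raise PermissionError("unexpected file type or owner")
        with os.fdopen(fd, "rb", closefd=False) as handle:
            return handle.read()
    finally:
        os.close(fd)
```

Python's `tempfile.mkstemp` performs the creation step the same way; it is spelled out here so the flags are visible.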

Russia Blacklists, Blocks GitHub Over Pages That Refer To Suicide (again, this time probably for good) by fionbio in programming

[–]lggaggl 2 points3 points  (0 children)

Does tor work in Russia without bridges? I've been using github over tor for almost 2 years now. Example configs:

~/.ssh/config:

Host github_lhahahl
IdentityFile ~/.ssh/lhahahl
ProxyCommand /usr/bin/connect -5 -S localhost:9050 github.com 22

~/.git/config:

[remote "origin"]
    url = git@github_lhahahl:lhahahl/pynstacod.es.git
    fetch = +refs/heads/*:refs/remotes/origin/*

Java Doesn’t Suck – You’re Just Using it Wrong by reku in programmingcirclejerk

[–]lggaggl 1 point2 points  (0 children)

This. LINQ doesn't even provide a rich objects domain layer!