copumpkin: but the vast majority of your users aren't going to know that
copumpkin: sure, you'd attach it to some other notion of identity
copumpkin: or just not even bother doing that
copumpkin: they can act as a middleman and forward requests to your real site
copumpkin: once they pose as your site
copumpkin: usagi: the point is, if you use a self-signed cert, someone else can pose as your site, and nobody will know
copumpkin: is that to me?
mircea_popescu: the point here is : either give the link as https://199.48.69.241/xc/orderbook.php or else change the cert to use the domain not the ip.
smickles: copumpkin: i plan to self sign my cert, and publish clearsigned info so that users can verify my sig and import the cert
copumpkin: TLS provides two features: authenticating your peer, and encryption
copumpkin: you can do that without a certificate
usagi: The point is that the communication is encrypted
mircea_popescu: so then why not just quote as ip ?
usagi: Yupyup they sell mitm boxes to the feds
copumpkin: usagi: self-signed certs defeat the purpose of the system
usagi: Self-signed and self-published certs are more secure than ones you buy online
usagi: buying certs opens you up to MITM attacks.
usagi: Beyond that
copumpkin: but during development, it's fairly common to not pay for a real one :)
mircea_popescu: Connecting to hotwallet.ca|199.48.69.241|:443... connected.
copumpkin: it's a self-signed root that doesn't match the domain
usagi: What does the cert say
mircea_popescu: it just doesn't pay enough for my time.
mircea_popescu: yeah, your cert doesn't exactly match the domain
nefario: distracting me like that
mircea_popescu: usagi your security scheme is wrong on that site.
copumpkin: because it comes from a feature in format strings that nobody ever even uses, except for exploits
copumpkin: most security bugs in the wild arise from buffer overflows or format string vulns
nefario: then you can ensure there are no holes in your code
nefario: is to write it in CPP
nefario: only way to be secure
usagi: so that if a service gets compromised they can't get out of the vm
copumpkin: I know what I'm talking about, too :)
usagi: rg knows what he is talking about -- he said, he runs everything in VMs
copumpkin: the vast majority of security holes arise from a couple of features that many languages simply omit
copumpkin: the idea is to minimize the opportunities for them
usagi: There's nothing in any language that will prevent security holes
smickles: usagi: yes, but java is a pretty big target
smickles: usagi: you aren't afraid of how often java exploits seem to happen?
nefario: ok it doesn't do threading
usagi: I'm a Java programmer. I am writing the backend for my exchange in java.
nefario: the best implementation of lisp that I've found
mircea_popescu: now those, those i trust.
mircea_popescu: if i were to run an exchange on it, yes, i would.
nefario: write your own libc if you don't trust libraries
nefario: well mircea_popescu, better throw out the GPG lib you're using and write your own
mircea_popescu: i don't trust any libraries.
nefario: when there were no libraries
nefario: lisp was fantastic at the start of the web
nefario: when you start heading towards production
nefario: but I leave it at that
copumpkin: I like challenges too
mircea_popescu: Diablo-D3 just did it cause he's a programmer at heart, wants the challenge.
copumpkin: and I don't even have to write my own STM impl
nefario: but they had to move to python because of threading issues
usagi: Spoken like a true ruby evangelist nef :)
nefario: it's just the implementations of it are no fun to use in production environments
mircea_popescu: and admittedly, learn a few things from.
mircea_popescu: that'd be something to respect.
copumpkin: lol @ this discussion
usagi: You have to think like you're coding for 50 year old hardware
mircea_popescu: and i took it from you in a few months.
mircea_popescu: that's possibly the worst criteria to decide who to respect.
usagi: If I had 3 bids and one of them was lisp I could tell you what the most expensive bid was without even looking
mircea_popescu: get some users, then we can talk nefario
mircea_popescu: gah, again with the shit.
nefario: mircea_popescu: you need people to use the site to notice its down
usagi: No it's that no one knows it
mircea_popescu: there's not so many of them.
nefario: I know people too, and none of them use lisp professionally
mircea_popescu: nefario i haven't released that sort of details.
copumpkin: my colleague saw him on the subway home this evening
nefario: last time I tried talking to him
copumpkin: tell RMS to eat more toe junk
usagi: There were still holes in malloc and free being used until early this year IIRC
copumpkin: nope, I knew that mpoe did
mircea_popescu: you knew this
mircea_popescu: lol. the public face is php. mpex actually runs on lisp.
nefario: Diablo-D3: all those languages have their own issues
usagi: I was just trolling diablo
Diablo-D3: does perl have the same problem? no. does ruby? no. does java? no.
copumpkin: usagi: admittedly, asking for idiosyncrasies of particular versions of a specific language isn't exactly testing our security knowledge :)
usagi: Yeah and that's another thing, mpex is php
Diablo-D3: that solves 100% of the issue.
usagi: I'm not the one that needs to learn to code bro
usagi: I just showed you a) you don't know what the insecurities are b) you don't know how to fix them
mircea_popescu: i doubt it very much it's still there.
Diablo-D3: usagi: fuck you dude, learn to code
mircea_popescu: for the record :
Diablo-D3: learn to code
mircea_popescu: he wants to know why php is insecure
Diablo-D3: if there is a buffer overflow in preg_replace
usagi: it will crash the system and maybe worse
usagi: lol there's a buffer overflow in preg_replace
Diablo-D3: I can very easily produce a string that will produce an empty string with that regex
usagi: Well I will show you the solution
Diablo-D3: yes, ^ in the set negates the set
usagi: in this case
Diablo-D3: copumpkin: that's not what ^ means.
usagi: I've been meaning to learn Python actually, because of armory