usagi: I am intrigued by their programming specifications
Diablo-D3: usagi: so explain to me, again, why you're not using strtoupper with your locale force set to a unicode one?
usagi: But you were wrong there.
Diablo-D3: no, this is what I said near the top.
Diablo-D3: usagi: the flaw is you're using that regex on user input in a function named "makealpha"
usagi: I guess that means we can't use unix
usagi: As proof you bring up the fact that they fix security holes as they are found
usagi: I say, find the flaw, and you can't.. but instead of just asking, you bullshit about how the entire language is insecure
usagi: See this is so endemic
usagi: So in other words, it does not apply to modern PHP installations
smickles: usagi: just a wild guess, would that function fubar when regex special characters were used?
usagi: Do you know what the security problem is?
mircea_popescu: "On Tuesday, the PHP Group plans to release new versions of PHP in order to address the problems with a previous patch, which was intended to close a security problem." and on it goes.
Diablo-D3: and also, where is php actually popular? its not in the enterprise.
Diablo-D3: usagi: read the php release changelogs for the past 5 years.
usagi: whats the flaw?
usagi: The planet where people have reasons for what they believe in?
usagi: PHP is more popular than perl, ruby, lisp, erlang and haskell all rolled into one
Diablo-D3: its the only language I can truly express myself in
Diablo-D3: back to C I went,
Diablo-D3: if I ran an insurance company and I had to audit code, anything written in php automatically fails.
Diablo-D3: usagi: that is 100% the flaw
usagi: Diablo thats nice but that's not the flaw
Diablo-D3: by default thats the one and only security flaw I need to know.
mircea_popescu: listen, this is the reason there's not many decent exchanges. 2k a month ? srsly ?
Diablo-D3: usagi: I just did. thats php.
BTC-Mining: Weird how I can't just stay 24/7 watching the bitcoin markets.
usagi: If you can point out the security flaw I will hire you as my pen tester :p
Diablo-D3: Obsi: that only partially describes how ugly that regex is
Diablo-D3: usagi: then dont use it.
usagi: There's a very real problem with the makealpha function
usagi: No, that's not it Diablo.
Diablo-D3: its an even worse idea to use php. for anything. at all.
Diablo-D3: its bad enough I can do that kind of shit in perl
Diablo-D3: there is a security hole BECAUSE SOMEONE THOUGHT REGEX WAS A GOOD IDEA
usagi: But there's a security hole.
copumpkin: usagi: so you have a function makealpha that removes all alpha?
Diablo-D3: doesnt php even have a fucking function for that
usagi: Ok that was level 1
Diablo-D3: complex hardware synchronization that fixes most of the ....
usagi: Fix the security hole:
copumpkin: so you need to build most things from scratch
copumpkin: because these languages give you very few primitives
copumpkin: I'd need to build concurrency models first
copumpkin: and I'm not going to try
Diablo-D3: its ugly bastard code that I am not entirely pleased with
copumpkin: I was tempted to, and started working on it :)
mircea_popescu: Diablo-D3 i was referencing a specific discussion, i think you weren't here.
Diablo-D3: mircea_popescu: ooh! ooh! I know what integrals are! THEY ARE NIGHTMARE CONSTRUCTS SPAWNED BY EVIL MATH TEACHERS
copumpkin: I have thousands of lines of code of agda
copumpkin: Diablo-D3: I do this shit in my free time
mircea_popescu: lettuce see this.
Diablo-D3: theres only like three languages for that
Diablo-D3: copumpkin: bullshit, you'd have to use a language specifically for that
copumpkin: granted, much simpler code than an STM impl :)
mircea_popescu: we're too new and for the largest majority, too stupid.
mircea_popescu: is the fair answer. maybe there is.
copumpkin: I prove code all the time
Diablo-D3: I just know that every attempt I've made to smash it has failed or led to bugs that were fixed
smickles: so there is no code good enough to even build an actuarial model around?
Diablo-D3: it took me about 4 months to write an STM impl that wasnt shit
mircea_popescu: smickles you can say you're insuring ppl atm then lol
smickles: is that so hard?
smickles: if the code sucks, it doesn't qualify for insurance
mircea_popescu: Diablo-D3 well... yeah. that too.
mircea_popescu: both in terms of fuck you power and in terms of btc
mircea_popescu: so yes, this would be a solution, but you would need something bigger than currently available
mircea_popescu: Diablo-D3 you don't let them run it. you run it/ they just give you the code.
smickles: Diablo-D3: suppose the code has to be audited too
Diablo-D3: the platform doesnt fix this
mircea_popescu: you'd need some muscle to force people into obedience, as in, the special cornflakes that they are don't want to give you their code.
Diablo-D3: but the problem is
mircea_popescu: Obsi this is a good point.
Obsi: insurance company should provide the hosting & app platform, then they can be sure if actual hacking is taking place.
mircea_popescu: except im not an exchange. are you going to only insure exchanges that don't have hot wallets ?
smickles: so then a theft would have to come from physical theft
mircea_popescu: and actually, to this day us insurers won't do floods.
mircea_popescu: even irl, w/o anonymity insurance fraud is like the #1 fraud by volume tried in courts.
smickles: well, if i insured an exchange, i wouldn't allow it to be on a managed vps
mircea_popescu: but seriously smickles, it's very VERY hard to insure anon.
Obsi: You sue the weather
mircea_popescu: yes, there is. you change the actuarial model.
smickles: no one to pursue there
mircea_popescu: so i want an answer to this q : do i need to pursue anyone or is it bona fide loss ?
mircea_popescu: or w/e, [pur]sues them.
mircea_popescu: insurance finds the culprit and sues.
mircea_popescu: right. this is not how insurance works.
smickles: well, you take a loss. presumably, your business can handle an amount of losses
mircea_popescu: if you were in my shoes. you insured the btc/usd rate and took a loss. what now ?
mircea_popescu: leaving aside the fact that no actor in the "insurance" play=pretend space could eat that and survive,
mircea_popescu: smickles option contracts are insurance, in a way. i don't even know currently if i got taken for 4.5k or not.
smickles: and i bet the insurance would cost a pretty penny
smickles: i would imagine it to work out something like: in order to qualify for insurance, the agent would require your system to meet with some sort of inspection
mircea_popescu: Obsi someone was linking something on the forum. the problem is everyone has faith in themselves
mircea_popescu: bunch of people have been throwing concepts around, just, insurance ain't so simple in btc.
Obsi: Someone should write a how-to security guide for all these exchanges to get up to speed.
mircea_popescu: well... yeah, but it'll take time.
smickles: mircea_popescu: it's a sector of the bitcoin economy that needs to be fleshed out, it seems
mircea_popescu: cpa is the pet project of usagi, who is a well meaning and far overreaching anonymous english teacher.
smickles: and if cpa is currently the only option for insurance, something may be able to be worked out