mircea_popescu: http://btcbase.org/log/2017-05-31#1663768 << let me tell you what it does, because i recently ran a browser games check. a) won't allow email from domains with >3 char tlds. because VALIDATING INPUT, yes. b) won't allow your password. it's too long (yes), it has special characters (o ya), it whatever on a stick.
mircea_popescu: this i suspect is generally the case, if an item doesn't contain deadly possible states it is more properly a toy than a tool.
a111: Logged on 2017-05-31 14:39 asciilifeform: erlehmann: 'validating input' is idiotic - a sanely designed system simply contains no physically possible perdition state to be led into.
erlehmann: mircea_popescu certainly, i was referring to a different person that claimed a computer can not work with “a → b … and also, a is false” or something like that
erlehmann: i once had a case of a philosophy lecturer claiming computers cannot work on meaning, only syntax. i answered with an explanation of undefined behaviour in C compilers.
phf: i wonder if this creates significant cognitive dissonance in these people. it took me a while to learn how to scale elegance (and how incredibly costly it is, hence gems like tex.web ARE gems), but here you have a prof, drinking own koolaid of whatever best practices, attempts to write a non-trivial project and ends up with unmanageable complexity
Framedragger: thanks for the pointer, will actually check. i know a bit of german but too little. may make it even more fun, tho
phf: Framedragger: it's probably shit code that professor was planning on fixing "eventually". i've managed to acquire a number of these "secret" sources while at umd and most of them were horrendous.
erlehmann: turns out i am a far better programmer than philosopher btw
Framedragger: source code.. wonder if there's a good reason possible if intention was to give source eventually. prolly not...
erlehmann: the only person who would not give complete corresponding source and supplementary materials for stuff was a neuroscientist i think. something about having done lots of work to collect the data and analyze it.
Framedragger long ago got a "you're not yet ready to read kant, read this about kant", which in retrospect may have been a misjudgement (you can kinda sorta just read Kant, esp. if you've read hume), but i just went along with it. worked in the end. maybe not comparable situation, but anyway
erlehmann: Framedragger 1. prof demoed some program he wrote (?) in linear algebra course 2. i asked about source code. 3. answer was like “you do not get source code, you would not understand anyway” 4. no other student thought it ridiculous for a teacher to not give source. 5. i found out implementation was really simple.
phf: chumpatron is from "lohotron" where loh is a chump, it's a word play on "lototron" which is a lottery machine
erlehmann: in german the calque word for a german calque is “zangendeutsch”
phf: it's a calque from russian
phf: erlehmann: well, i said "parsing" i didn't say grammar. there are different ways to write a parser. btcbase uses a readtable dispatch based parser to construct an in memory vpatch structure, i just checked, in about 90 lines of lisp. presumably if somebody wanted to write a parser using yacc, they'd have to write a lalr grammar for a vpatch
erlehmann: of course infix allows you to have an incomplete expression – like “(a + b” without a closing paren
phf: erlehmann: i think what we're saying is that validation for the sake of validation is an incomplete solution for various reasons. you come from a position where you need to convince people that parsing is important, we're saying that ~we know~ and ~we do it~, but we also think that it's not the whole solution.
erlehmann: i chose postfix notation and a wraparound ringbuffer as a “stack” because postfix can always be evaluated
a111: Logged on 2016-12-11 23:00 asciilifeform: i was not going to expand on the 'p' thread until the proggy is done, but this is probably a good time to say 1 more
erlehmann: ad-hoc validation creates a lot of exit conditions that interact with each other
Framedragger: mircea_popescu: yeah, after writing that i recalled gossipd design and intentions (need to generate a lot of keys, and if it takes a month - so fucking be it)...
erlehmann: anti-pattern “shotgun parser”. draw the processing diagram on to the wall. shoot at it with a shotgun. everywhere the bullets hit, validate stuff.
mircea_popescu: Framedragger the whole notion of "rsa keygen efficiency" is a little bit in the vein of "cheapest wedding dress".
erlehmann: asciilifeform a spy opens an envelope and finds a patchset. what next?
phf: well, that's why i referred to that djb paper about qmail. he stated both the problem and the solution, and his solution was essentially "compartmentalize", but when it comes to parsers specifically it's something very aggressive. like a fixed length line reader that dispatches on a single prefix character. not even a "grammar"
Framedragger: i don't believe they are actually suggesting that doing key gen on third party is a good idea for user. discussion was about performance, no? (granted, did not read whole paper)
Framedragger: http://btcbase.org/log/2017-05-31#1663689 << i believe you misquoted out of context. the purpose of that was to (as you can see if you read till end of para), "The challenge here is to show that secure multi-user RSA key generation can be carried out more efficiently than one-user-at-a-time RSA key generation"
mircea_popescu: there's also the suspicion that the only reason this "appears to work" as a securitizing approach has to do strictly with it not being in general use.
phf: erlehmann: that is true, but doesn't take into account complete attack surface. i agree that "write a proper parser" should be the first step, but that's also a baseline. problem is that most of these protocols are either non-regular, have types that depend on state (e.g. a fixnum whose range changes based on a flag), or are outright turing complete
erlehmann: and has a functioning bullshit detector. evidence: someone proposed a docker container to run the game “more easily”. linley politely declined.
mircea_popescu: erlehmann i own a publisher ; not particularly looking for a game, but vaguely interested in competent/efficient dev people for eulora client improvement.
erlehmann: it is written by a single self-taught game programmer who apparently uses indentation randomly
erlehmann: phf someone gives you a “mp3” file with ogg page structure? abort immediately.
erlehmann: phf i have worked on existing protocol. the grammar codifies the assumptions that you as a programmer make. take an ENUM in the input, for example. grammar should only contain values you know you can process right.
erlehmann: mircea_popescu only by mail. apparently he writes games on windows with code::blocks. i wrote a dofile and contributed some features.
mircea_popescu: phf i suspect he's young ; in any case excitable. give the man a moment.
phf: diots" position. what you going to audit ffmpeg? i'm saying that the correct solution is not to run media decoder on a mission critical machine
erlehmann: which makes it playable. previous attempt “invincible countermeasure” did not have a graphical designer.
erlehmann: there is a graphical unit designer that sets up the structs right
erlehmann: mircea_popescu a real time strategy game by linley henzell (who created overgod and garden of colored lights) where every unit is programmed in a language not entirely unlike C.
erlehmann: mircea_popescu maggot. a maggot is what makes a fly.
erlehmann: experimenting with a medium-size C++ project (liberation circuit) i found that there can be as many non-existence dependencies as “normal” dependencies
erlehmann: i am of the opinion that all build systems except my own redo implementation are shit. reason: non-existence dependencies. if you search for header files at locations A, B, C, find it at C, then C is a dependency. but if non-existing A or B start to exist, the target must be rebuilt.
mircea_popescu: actually in my youth i deemed as the highest achievement in literature a situation where multiple parties participated in a conversation that admits an interpretation for each.
erlehmann: at one langsec and tea gathering i suspected that every joke contains a misunderstanding on some level
erlehmann: i think it is a good rule to talk to autists
erlehmann: i have a talent to find errors by not comprehending stuff. talk context-free or regular to me!
erlehmann: the universe provides a halting guarantee: proton decay
erlehmann: maybe. ethereum has a gas price, yet it is still turing complete, still reentrant, still vulnerable.
erlehmann: so it is like testing a lot with malicious compliant testers
erlehmann: asciilifeform the problem is the different assumption people have about components. the programmer feeding input to ffmpeg expects audio files to be input. a recognizer would solve that.
erlehmann: no one expects 999gigabytes.mp3 to be a text file instructing ffmpeg to generate silence with a really high sample rate (around 1GB per second)
erlehmann: every idiot who just takes an uploaded file and converts it using ffmpeg is just a 4 line text file away from me filling whatever storage the idiot has on the converter system
erlehmann: mircea_popescu i think i do understand the many implementations thing. data that flows over abstraction boundaries has the potential to trigger a holographic fracture (i believe that is how it is called). to prevent this, you need a parser and an unparser and both need to have the same grammar (max deterministic context-free) and check it.
erlehmann: mircea_popescu i was not aware a) registering is possible b) registering is desirable for me. so what do i get out of it and if i want to do it, how?
a111: Logged on 2017-01-05 00:24 asciilifeform: ben_vulpes: i'll suggest a 'p-tronic' format for diffs. N\........ specifies N retained-of-a octets (e.g., 5\abcde )
erlehmann: but it works. turns out that if you tell people in code reviews for 3 months straight that they should define a grammar and check their inputs, they start to do that.
mircea_popescu: erlehmann you seem like a nice enough fellow, why not register your pgp key with deedbot ?
erlehmann: the seven turrets of babel is a TL;DR for langsec. it collects antipatterns (in section III) and remedies (in section IV)
erlehmann: > The Seven Turrets of Babel: A Taxonomy of LangSec Errors and How to Expunge Them, Falcon Darkstar Momot, Sergey Bratus, Sven M. Hallberg, Meredith L. Patterson
erlehmann: well, i get that GNU diff does not actually verify that there is a timestamp
mircea_popescu: pretty fucking epic, if you ask me, take a fat old nag to COURT, where she fucking loves to go, and dreams every day of her life, and then say THE BAD!!!1 about HER!!!!!! omfg. and she can't give all teh replies!
mircea_popescu: he's funny though, he won a her-fault divorce with some obnoxious cork of a woman through saying she sucks and she couldn't say anything because lese-majeste.
mircea_popescu: those 30 bn do include, of course, the blue diamond stolen back in 1989 from saud faisal's palace by a thai janitor, who was then caught by a lt-general of the thai royal police, except when the thais flew back to riyadh to return the loot the saudis discovered the parts not missing were fake.
mircea_popescu: and in today's lulz : bavaria, which apparently still imagines itself a state for some reason, has decided Mahawachiralongkon Bodinthrathepphayawarangkun (that's, incredibly enough, not a german national's name) spends most of his time there, and therefore they get to tax his inheritance.
gabriel_laddel_p: I don't have it in front of me either so idk. Have not touched this project in a ~month or more. That /etc/init.d/devfs exists is news to me, and will try messing with it next
gabriel_laddel_p: why would I have to load a driver for a block device? and sdb1 and so on and so forth are NOT created, not seen anywhere
trinque: pasting an error would be a start; missing libs would be a pretty recognizable barf.
gabriel_laddel_p: Is anyone aware of "magic" shared libraries that must be included with a linux distro to work? When I build a MasamuneRescueCD fdisk -l does not see any disks, nor does lsblk, in spite of my including all shared libraries required by lddtree --list
mircea_popescu: but the supposed "fear" merely translates a desire, which is the desire to be not-different from the rest. which... hey, everyone's entitled to be plain, boring, lame an' as ordinary as their wife can stand.
mircea_popescu: there's no fucking reprisals. so some stuck up brits asked some german physicist living with two women to kindly go away. ok, so ? some other people gave him a different-same job.
mircea_popescu: Framedragger asciilifeform you will notice that the perceived problem is very unlikely to be a genuine problem. to use the familiar field of sexuality -- people also don't hit up on girls, and in direct proportion to how hot they are, because they perceive possible harm may come!!1
mircea_popescu: one day around noon i bought a girl in the street in nantucket ; by nightfall the respectable housewives all the way down to whitechapel and all the way up past maine had re-evaluated their priceless litter accordingly.