Search - "sha1"
-
So a car hit me while I was riding the bike back from work and I fractured my collarbone. And I have to wear a sling on my left arm 24/7 for 4 weeks now.
But that's not the worst part.
Coding with one hand is.
-
When you see "Database must be encrypted with SHA1 or SHA2" in software requirements specification....
-
Apt is savage: "Signature by key 33BDD78F1D3956B52D014458F603F0D99C2EC4C39D uses weak digest algorithm (SHA1), SHA1 is weak, its bloodline is weak, and it will not survive the winter."
-
Guy I just met: so what do you do?
Me: I'm a developer
Guy: no way! I work for a software company so... (goes on to talk for 10 minutes trying to show off his knowledge of software)
Me: so what do you do there?
Guy: sales
Me: oh...
Just because you work for a software company does not mean you know shit about software. Don't try to build some erroneous common ground with me because you walked by a developer's desk one time, looked at his or her screen, and magically thought you could understand code.
-
Supervisor: so you're going to write a perl script that will compile a jar that will be used to invoke a web service
Me: okay. What does the web service do?...
Supervisor: I'm not sure how it works. It'll just return a success or error code
Me: so I'm just going to invoke a black box?
Supervisor: that's a good way to think of it
Me: so how does the qa process work with this black box/how can we debug?
Supervisor: we don't have qa for it and we can't debug
What the fuck?!?!? You expect me to call a literal fucking black fucking box?!?! This isn't lambda calc you jabroni.
-
Supervisor has me making a web app in this badass new stack called the LAP (linux, apache, php) stack because he would like the app to be "simple". He's spot on though.. having a three letter acronym saves so much time.... and then we don't need to worry about a database... or querying.... or efficiency.... or even the web app itself because clearly he expects the fucking code gods to come down and turn this piece of shit web app into a fucking masterpiece if he thinks this shit can be done based on a hacked together file management system. Please save me code gods
-
When I just started making things in PHP, I always thought that md5 encryption was the best thing out there.. Once I learned that it was the easiest way to break I changed to SHA1. What was I thinking? I now use a custom generated SALT for each user and encrypt with SHA512, should be safe for a while, right?
-
Follow-up to my previous story: https://devrant.com/rants/1969484/...
If this seems too long to read, skip to the parts that interest you.
~ Background ~
Maybe you know TeamSpeak, it's basically a program to talk with other people on servers. In TeamSpeak you can generate identities, every identity has a security level. On your server you can set a minimum security level you need to connect. Upgrading the security level takes longer as the level goes up.
~ Technical background ~
The security level is computed by doing this:
SHA1(public_key + offset)
Where public_key is your public key in Base64 and offset is an 8 Byte unsigned long. Offset is incremented and the whole thing is hashed again. The security level comes from the amount of Zero-Bits at the beginning of the resulting hash.
My plan was to use my GPU to do this, because I heard GPUs are good at hashing. And now, I got it to work.
~ How I did it ~
I am using a start offset of 0, create 255 Threads on my GPU (apparently more are not possible) and let them compute those hashes. Then I increment the offset in every thread by 255. The GPU also does the job of counting the Zero-Bits, when there are more than 30 Zero-Bits I print the amount plus the offset to the console.
~ The speed ~
Well, speed was the reason I started this. It's faster than my CPU for sure. It takes about 2 minutes and 40 seconds to compute 2.55 Billion hashes which comes down to ~16 Million hashes per second.
Is this speed an expected result, is it slow or fast? I don't know, but for my needs, it is fucking fast!
~ What I learned from this ~
I come from a Java background and just recently started C/C++/C#. Which means this was a pretty hard challenge, since OpenCL uses C99 (I think?). CUDA sadly didn't work on my machine because I have an unsupported GPU (NVIDIA GeForce GTX 1050 Ti). I learned not to execute an endless loop on my GPU, and so much more about C in general. Though it was small, it was an amazing project.
-
It's 1:00 (1 am) here now... I wanted to get some coding done since 20:00 (8 pm for the weird people ;P)
Got distracted by Dev rant all the time -.- and didn't write a single line of code...fml
-
Whiteboard interviews. Would say "my first whiteboard interviews", but I think they will always have the magic to make developers feel stupid.
-
!rant
The AH-MAZ-ING feeling you get when you write 200 lines of code without compiling and everything just works as planned!!!
YAY!
-
Legacy tech be like:
"The connection to this site uses TLS 1.0 (an obsolete protocol), RSA (an obsolete key exchange), and AES_128_CBC with HMAC-SHA1 (an obsolete cipher)."
-
Spent hours troubleshooting an internal app that had zero logging today. It would just terminate, no exceptions, no feedback to the debugger, NOTHING.
Turned out to be the damn corporate virus scanner blocking "malicious" behaviour. Good thing my desk is so heavy or I woulda flipped it...
-
OpenCL...
Okay so I'm completely new to OpenCL and I just put some stuff together to get a simple GPU Kernel running. Well that worked pretty good.
The reason I got into OpenCL was because I wanted to do some simple SHA1 cracking on my GPU. What I did was, I got a fast implementation of SHA1 from the internet, which works perfectly in normal C++, but for OpenCL I have to rewrite some things. So I replaced all the memset and memcpy and so on with simple for loops and it still worked. Now, this should work on OpenCL, too, I thought. God I was wrong!
Somehow the clBuildKernel got executed normally, but when I try to access the returned value (the error code) I get an Access Violation? It just doesn't make any sense to me?
Well I will try some stuff tomorrow again and I will find a solution for sure, but still, until now I just don't understand it.
-
Started a new job on Monday. STILL DON'T HAVE ACCESS TO THE FUCKING SERVERS I NEED TO DO ANYTHING. Holy fucking shit I'm annoyed. Fuck you corporate bullshit. I already feel like quitting.
-
When systems throttle your bandwidth during load tests and don't tell you, and you waste an afternoon investigating
-
It's done. Agile has taken over my life. The other day I looked outside and thought, "As a user, I can stand on my lawn without my feet disappearing." And that's how I decided to mow my lawn.
-
OK, I'm a spoiled Linux bra^H^H^Huser, so MD5, SHA1,... checksums for distributions' ISO files are something I take for granted, but is it really that hard for Microsoft to provide the same for Windows 10 ISOs (plain and simple info, not something that requires equilibristics and deep diving into the MSDN site)?!
-
Some interesting reads I came across yesterday:
- Github got DDOSd with 1.35Tbps via memcached
-- https://githubengineering.com/ddos-...
- Troy Hunt, the creator of https://haveibeenpwned.com/ released "Pwned Passwords" V2 and talks about his partnership with cloudflare, how he handles traffic, why he chose SHA1 for the passwords, how he together with a cloudflare engineer thought of a solution to anonymize password checks and more
-- https://troyhunt.com/ive-just-launc...
-
Had my dev job described as a "computer, desk job" in a condescending tone yesterday by a guy trying to convince me to join his pyramid scheme....
// TODO: come up with awesome rant about this so I can look badass
-
Fuck karens
They are so fucking annoying.
They are idiotic motherfucking idiots
They don't fucking deserve to fucking exist
Fuck 'em
-
I think I'm a good teacher, learner when it comes to Front-end development. I've been active on Stackoverflow, but this platform to help someone seems more decent (here you don't need to curse someone's code to help him/her) 😀
-
3ds Max Python API Documentation.
No function has a single word explaining what it does.
The Documentation seems like it is completely auto generated and while writing the API they forgot to add Docstrings....
-
Right after https://shattered.it/ ...
Now BitTorrent: https://biterrant.io
That escalated quickly...
-
Token for App -> backend authentication is generated one time when the user signs up. Sniff it once and you've got access to the user account forever.
Passwords are hashed with one round of SHA1, no salt.
Everything including login data is sent over plain HTTP.
Luckily I got permission to fix that mess
-
how the fuck can I download fucking retard shit of doctl digital ocean on fking windows, i keep getting this retard shit fucking fuck just keep it simple u fuck shits. why do i need to fking copy lines of fuck to PowerShell that fking isn't working fuck off
New-Item -ItemType Directory $env:ProgramFiles\doctl\
Move-Item -Path ~\doctl-1.70.0-windows-amd64\doctl.exe -Destination $env:ProgramFiles\doctl\
[Environment]::SetEnvironmentVariable(
"Path",
[Environment]::GetEnvironmentVariable("Path",
[EnvironmentVariableTarget]::Machine) + ";$env:ProgramFiles\doctl\",
[EnvironmentVariableTarget]::Machine)
$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine")
-
Have you ever hit Ballmer's Peak, only to fly past it but still keep coding? Sometimes it's an adventure looking at the code the next day. Three steps forward, one step back I say!
-
Starting my first dev job next week (except for freelance work) and I'm crazy nervous that I'm going to make some huge mistake and look really stupid. Did anyone else have these fears before their first dev job and, if so, how'd you stay at least a little confident?
-
For those of you who DO use PHP, regardless of whether you like it or not, have you ever used something like PEAR? And what are your thoughts?
I'm writing a fairly basic internal web app for our PMs and I'm looking for something similar to npm to save me some time/effort. I should also mention that my supervisor insists it be in PHP...
-
Ugh, fuck the SSRS web service. Spent all week trying to consume the service with PowerShell, doesn't make it any easier when there are undocumented behaviours. TypeName property has to be Type, for instance, when creating a search condition, TOTALLY contrary to the documentation.
Want to change the data source for a report you uploaded? Gl;hf! Back to it next week, think I'm close to having a working deployment script...so close.
-
So I have spent the entire morning trying to fix null values in the database, because they keep fucking up my code.
I hate the fucking person who made the database at the place I work, dude has not heard of a thing called NOT NULL!!!
-
Can someone help me I want to enjoy anime again but I can’t bring myself to watch it anymore and when I do finally put it on my passion for anime is back but I can’t bring myself to put it on I know it’s a bit crazy but can someone please help me?
-
I have the following scenario with a proposed solution, can anyone please confirm it is a secure choice:
- We have critical API keys that we do not want to ship with the app because de-compiling will give access to those keys, and the request is done before the user logs in, we are dealing with guests
Solution:
- Add a Lambda function which accepts requests from the app and returns the API keys
- Lambda will accept the following:
1. Android app signing key sha1
2. iOS signing certificate sha1
- If lambda was able to validate them API keys are sent back.
My concerns:
- Can an attacker read the request from the original (non-tampered) apk and see what the actual sha1 value is on his local network?
- If the answer to the question above is yes, what is the recommended way to validate that the request received is actually from the app that we shipped and not from curl/postman/script/modified version of the app?
-
!rant
How do you find a list of your favourited rants on the Android app? I can't for the life of me find it.
-
Does anyone know how to hash the OAuth 1.0 signature with RSA-SHA1 using PHP? Using only the value to be hashed and a key?