Recent Posts

151
Developer's Corner / Re: jQuery plaintext to hyperlink issue
« Last post by f0dder on June 11, 2016, 12:14 PM »
Super amazing find! Thank you so much! And yes, now the trick is the escape handling as the messages are in
Quote

    [timestamp]<username> message

format and the angle brackets eat the usernames!
That's one concern - the biggest concern is security. You really don't want to execute random <script> blocks sent by malicious users :)
152
Find And Run Robot / Re: FARR for mac
« Last post by f0dder on June 11, 2016, 06:44 AM »
homebrew *is* easier than hunting down all your tools manually on Windows
http://chocolatey.org  8)
Chocolatey is nice, but it's still a big kludge compared to homebrew or Linux package managers.

Not a fault of the Chocolatey developers, btw, just the sad fact of a zillion different installer types and ways to do stuff on the Windows platform. It's kinda hit & miss whether uninstall or upgrade will work.
153
Developer's Corner / Re: jQuery plaintext to hyperlink issue
« Last post by f0dder on June 11, 2016, 06:08 AM »
You'll probably want to hack in your handling in the cah.log.js - and you really, really, really want to be careful when dealing with user input.

The actual rendering of the text is this snippet:
Code: Javascript

    if (opt_allow_html) {
      $(node[0]).html(full_msg);
    } else {
      $(node[0]).text(full_msg);
    }

So a quick guess without looking at the rest of the codebase is that the user input isn't escaped, it's simply not rendered as html content. You could add escape-then-linkify to the text codepath and replace .text() with .html(), while hoping that whatever escaping method you use handles all the nasty corner cases :-)
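An added example of the escape-then-linkify idea from the post above (not code from the project or from the poster). The names escapeHtml and renderMessage are hypothetical. It is a variant that finds URLs in the raw text and escapes every piece separately, so a link match can never run into an entity such as &quot;, and only http(s) URLs become links. The returned string is what would be handed to .html().

```javascript
// Added example; escapeHtml and renderMessage are hypothetical names.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can open a tag, an entity or an attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Only http(s) URLs are linkified. The character class stops at whitespace,
// angle brackets and quotes, so a match never contains markup delimiters and
// schemes such as javascript: are never turned into links.
const URL_RE = /\bhttps?:\/\/[^\s<>"']+/gi;

function renderMessage(raw) {
  const text = String(raw);
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    // Trailing punctuation is usually sentence text, not part of the URL.
    const url = m[0].replace(/[.,;:!?)]+$/, '');
    out += escapeHtml(text.slice(last, m.index));
    out += '<a href="' + escapeHtml(url) + '" rel="noopener noreferrer nofollow">' +
           escapeHtml(url) + '</a>';
    last = m.index + url.length;
  }
  // Everything after the last URL (or the whole message) is plain escaped text.
  return out + escapeHtml(text.slice(last));
}
```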
154
General Software Discussion / Re: TeamViewer hacked?
« Last post by f0dder on June 06, 2016, 02:47 PM »
Hm... the SRP protocol ... Isn't that the one that's supposed to be Dictionary Attack resistant, and perfectly secure even when weak passwords are used because the PW is never actually exchanged with the server?
Isn't the main point of SRP that you're authenticated through establishing proof of you knowing the password, without actually sending the password? There's nothing about that which prevents dictionary attacks or (other forms of) brute-forcing.

Requiring a new session per login attempt isn't a bad idea, but it's more important to pad out the first couple of login attempts to several-hundred milliseconds and then do exponential backoff (with some upper limit to avoid people locking you out of your account by sending bad guesses), and perhaps some temporary IP ban after a number of failed attempts. You need to balance user friendliness (and aforementioned malicious lockout) against mitigating brute-force attacks.
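An added sketch of the throttling policy described in the post above (not code from TeamViewer or from the poster). The class name LoginThrottle and all numeric defaults are assumptions: a fixed pad on the first attempts, exponential backoff per account with an upper cap so bad guesses cannot lock the owner out for long, and a temporary ban per source IP.

```javascript
// Added example; LoginThrottle and its default values are assumptions.
class LoginThrottle {
  constructor({ baseMs = 300, freeAttempts = 2, maxDelayMs = 60000,
                banAfter = 20, banMs = 900000 } = {}) {
    Object.assign(this, { baseMs, freeAttempts, maxDelayMs, banAfter, banMs });
    this.accountFailures = new Map(); // account -> consecutive failed logins
    this.ipState = new Map();         // ip -> { failures, bannedUntil }
  }

  // Delay (ms) to impose before answering the next attempt for this account.
  // The first attempts are padded to baseMs; later ones double, up to the cap.
  delayFor(account) {
    const fails = this.accountFailures.get(account) || 0;
    const extra = Math.max(0, fails - this.freeAttempts);
    return Math.min(this.baseMs * 2 ** extra, this.maxDelayMs);
  }

  // True while the source address is inside its temporary ban window.
  isBanned(ip, now) {
    const s = this.ipState.get(ip);
    return Boolean(s) && s.bannedUntil > now;
  }

  recordFailure(account, ip, now) {
    this.accountFailures.set(account, (this.accountFailures.get(account) || 0) + 1);
    const s = this.ipState.get(ip) || { failures: 0, bannedUntil: 0 };
    s.failures += 1;
    if (s.failures >= this.banAfter) {
      s.bannedUntil = now + this.banMs; // the ban expires on its own
      s.failures = 0;
    }
    this.ipState.set(ip, s);
  }

  // A successful login clears the account's backoff.
  recordSuccess(account) {
    this.accountFailures.delete(account);
  }
}
```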
155
Find And Run Robot / Re: FARR for mac
« Last post by f0dder on June 05, 2016, 05:37 PM »
I was wondering the same thing as f0dder. Since moving platforms, I have found spotlight infinitely useful.
You've totally moved to Mac?  How are you finding it?
The question was for Josh, but let me chime in.

I've been exclusively using OS X (on decent, but overpriced, Apple hardware) for work, since October last year. For the stuff I do, there's some advantages to this - a lot of OpenSource stuff just works better on something semi-unix, since programmers are too lazy to write properly portable code... and homebrew *is* easier than hunting down all your tools manually on Windows (even though the combined OS X ecosystem is worse than package managers on Linux).

A lot of things are a bit too dumbed-down for my taste, and the OS is pretty unstable compared to any Windows release since Vista. I've had a bunch of gray-screen-of-death kernel panics doing such OUTRAGEOUS things as trying to drag a window to another monitor, or fullscreening a youtube video. And while the machine is silent under normal operation, it goes full jet engine (as well as thigh-scorching hot) when the GPU is involved.

Sans the "runs opensource easier", I see no reason whatsoever to run OS X - definitely wouldn't be doing it at home. It really isn't "easier" than Windows these days, it's less stable, and while MS are pulling some nasty stuff with Win10, Apple are even more evil. I'd be closer to moving the home setup to Linux than OS X :)
156
Ello is quite a bit more expensive than most of the other options but interesting nonetheless
https://www.crowdsup...ly.com/knivd/ello-2m
Man, I really love the look of that one!
157
Find And Run Robot / Re: FARR for mac
« Last post by f0dder on June 05, 2016, 08:26 AM »
Which needs do you have that Spotlight doesn't cover?
158
General Software Discussion / Re: TeamViewer hacked?
« Last post by f0dder on June 05, 2016, 08:20 AM »
So when I use TeamViewer to connect to one of my family's pcs, I need to either know credentials for the PC, or have to get the user to say OK before I can connect. What am I missing? Is everyone's desktop unlocked, or you have a no password required setting somewhere?
There's a couple of possible explanations, but the TeamViewer folks haven't exactly been informative so far.

The two most likely are:
1) a (really!) badly designed protocol or (more likely) programming flaws that can be exploited remotely to circumvent the password checks.
2) that TV doesn't rate-limit connection attempts, letting attackers brute-force weak passwords.
159
General Software Discussion / Re: What website has the fewest files?
« Last post by f0dder on June 03, 2016, 01:33 AM »
I may well go down that path, but as I'm learning, won't I be producing some junky code?
Not nearly as junky as what Word produces, no :)
160
Developer's Corner / Re: Hi, first post in the developers section
« Last post by f0dder on June 02, 2016, 10:11 AM »
Yep, the GUI part is what I was trying to learn. I didn't do very good and found that understanding it at all had a steep learning curve.
Frankly, writing GUIs in Java sucks - it's become a lot better with JavaFX, but all the old toolkits for it are bloody annoying to use, and until Java 8 (released in 2014) with lambda support, it was generally gruesome.

If you want to do desktop windows applications, it doesn't get much easier than .NET - especially with the Visual Studio tooling.

Java isn't a complicated language, though, and it's fine for a lot of stuff :)
161
General Software Discussion / Re: TeamViewer hacked?
« Last post by f0dder on June 02, 2016, 03:13 AM »
I know a few people who use TeamViewer that have, by chance, seen people taking control of their machines.

It's a pretty convenient application, but I really, really, really wouldn't leave it directly accessible from the internet all the time. I don't know if it has exploits, a weak/broken security protocol, or simply doesn't have any anti-bruteforce mechanisms built-in, but something's definitely too weak.
162
General Software Discussion / Re: Favorite Tamper/Grease Monkey Scripts?
« Last post by f0dder on June 01, 2016, 05:00 PM »
Never crossed upon any general-purpose stuff for GreaseMonkey - the only 3rd-party site modification I use is F.B. Purity, which has probably gotten too big to be a GM/TM userscript.

I do use it for a few things of my own - like color-coding specific elements on some websites, folding out really stupid clientside pagination elsewhere, and I'm considering to do some fixups for the time-registration software we use at work. A coworker and I already did a CSS override that fixes some problems, but it's hard to maintain (the stupid system has too many html element changes on upgrades) and would probably be easier to handle with GM user script.
163
General Software Discussion / Re: What website has the fewest files?
« Last post by f0dder on June 01, 2016, 04:47 PM »
Learn HTML and stop being a dickhead.
There's only one dickhead in this thread.
164
General Software Discussion / Re: What website has the fewest files?
« Last post by f0dder on June 01, 2016, 04:08 PM »
Anyway, thanks for the replies.  It actually occurred to me that Word can save files as HTML... I might mess around with that.
It generates some very bad HTML.

Perhaps you might be better off using a CMS instead of generating HTML files? But your link is 404, so we can't see what your current stuff is like :)

165
General Software Discussion / Re: What website has the fewest files?
« Last post by f0dder on June 01, 2016, 03:02 PM »
Whoops, missed that one - SublimeText is worth its pretty low pricetag, though.
166
General Software Discussion / Re: What website has the fewest files?
« Last post by f0dder on June 01, 2016, 01:40 PM »
So the question:  What free tool can I use that will generate the fewest resource files?  I don't mind having a one-page site
Notepad++ / SublimeText :-)

I also really wouldn't recommend using free hosting unless your site isn't very important to you. Remember the good old saying that if you're not paying, you're the product, not the customer.
167
Living Room / Re: Good or bad password?
« Last post by f0dder on May 25, 2016, 05:19 PM »
Is "Remember to pay gas Aug 14" a good passphrase? That depends a bit on your adversary. It's long, but all its components exist in dictionaries. Personally, I'd suggest adding some nonsense words - and not just go for obvious substitutions like S->$, E->3 and the likes, since bruteforcing tools handle those.

And use different passphrases for different accounts. Having a perfect, non-bruteforceable passphrase doesn't help you if you use it everywhere, and it turns out that one of those sites stores the password in plaintext or encrypted rather than (properly) hashed. Either use a password manager (protected with the memorizable passphrase) and generate long random strings for other sites, or (if you're afraid of getting the password database stolen and your passphrase keylogged), think up a couple of passphrases for different uses. Like sharing one for forums and other low-impact sites, but keeping separate passphrases for your bank, email accounts, facebook or whatever other high-risk sites.

And yes, facebook would be a high-risk site for normal people, since it can be used as a login mechanism several places, as well as for grabbing juicy information that can be used for social engineering attacks.
168
Living Room / Re: Goodbye to my father
« Last post by f0dder on May 25, 2016, 04:52 PM »
My sincere condolences, Mousey.

I wish I had something wise or eloquent to say, but I don't - so I'll just keep to this: it sounds like your dad was a really great person.
169
General Software Discussion / Re: Nice guide to using a RAM disk
« Last post by f0dder on May 09, 2016, 06:47 PM »
4wd: I used to love vramdir on win9x, it basically tried to cache as much of a folder/mountpoint in memory as possible - this worked extremely well, and wasn't a ramdisk as such. I assume ImDisk in dynamic mode still has a fixed upper limit and shows up with a drive letter? IMHO that's the worst of both worlds - you still impose a maxsize, you risk paging (if you set a maxsize that's too large), and even though you might get the disk hit penalty, you don't have persistent storage.

I would have thought you'd get a performance hit from doing that every few minutes though?
Not when you're only writing the changed parts :)

Sure, there's some overhead in dirty-tracking, but it works pretty well. What you get is a guaranteed max memory usage, guaranteed performance characteristics of the ramdrive, relatively-consistent behavior with performance you can reason about. It works very well for %temp% and data storage for a few applications - but I do need to do a little manual work every now and then for installers and whatnot.

The arrangement works pretty well, though. And if I need a ramdisk for temporary purposes (manipulating an ISO file or other kinds of virtual filesystem shenanigans, doing some raw manipulation on 100k web profiles, whatever) it's nice having a tool that lets me create a temporary ramdisk for that purpose, rather than having to reserve space for that all along (if ImDisk doesn't do this very smartly, just reserving the capacity takes a bunch of memory).
170
Developer's Corner / Re: Boost as a symbol for the npm'ness of C++
« Last post by f0dder on May 08, 2016, 04:02 PM »
As mwb1100 says, not everybody can use the latest-and-greatest compilers. It isn't necessarily about being conservative, but which platforms you have to support - whether that be commercial ones, old systems, cross-compilers for embedded devices or whatever.

Boost would also make sense if you use a large subset of it, or if you use some of the specialized stuff that aren't available elsewhere. And you don't have to build the entirety of it if you're only using parts, anyway, although going down that road quickly becomes hairy. That's one of the biggest C++ issues: header files and compilation units are sucky, it's a shame there's no module system.

In general, while not a super big fan of Boost because it's such a huge beast, I'm all for using 3rd-party code - if you need something (non-trivial) that somebody else has already written, there's a good chance you won't be doing a better job at re-implementing the wheel. And that's what usually separates the C++ crowd from the NodeJS crowd - the former tends to make informed decisions on what dependencies to take, whereas the latter pulls in anything... even doing those insane one-line-function dependencies.
171
General Software Discussion / Re: Nice guide to using a RAM disk
« Last post by f0dder on May 08, 2016, 03:05 PM »
Hm, dynamic sizing in ImDisk now? That sounds interesting. Last time I looked at ImDisk, it just seemed slightly weird and a bit too much bother. I wonder how well dynamic memory sizing works - pagefile usage (whether from ImDisk or paging out other applications) would probably be an unacceptable speed hit.

I've been using SoftPerfect RAM Disk for quite a while. It's easy to use, good featureset (persistent disks with flush-changes-every-N-minutes are crucial for me), and has good I/O performance
172
General Software Discussion / Re: Anyone using Blackbird?
« Last post by f0dder on May 08, 2016, 02:55 PM »
For this reason I do not install updates to the OS unless I have a specific problem and find an update that fixes it.  The only exception I make is service packs.  At least there is some effort to test after installing the service pack to see that all the fixes play together nicely.  With weekly bundles of updates there's no time for testing.
I can understand what leads people to do this - but missing out on security fixes? Ugh.
173
Living Room / Re: Be prepared against ransomware viruses..
« Last post by f0dder on April 29, 2016, 06:38 AM »
Often, you talk out of your ass.
That's, actually, disgusting.
You might want to take that to heart.
174
Living Room / Re: Be prepared against ransomware viruses..
« Last post by f0dder on April 29, 2016, 06:25 AM »
I love how people try to circumvent their own stupidity ("oh, a file attachment / a suddenly visible link / ..., I must open it!") with software. What could go wrong?
Obviously, stupidity makes a good market.
Sometimes it comes in the lovely package of drive-by exploits.
Sometimes it comes in tailor-made spear-phishing campaigns.

Often, you talk out of your ass.
175
but now WMP won't play mp3's and mp4's, whereas VLC plays them, but I can find no way to minimize VLC either to partial screen or to systray (the lower right mini-icon row), and it hogs the whole screen.
For video playing, go grab mpc-hc and never look back - you won't need to mess around with dodgy codec packs.

It also plays audio, but I prefer something more focused for that.