Domain: dlitz.net
Stories and comments across the archive that link to dlitz.net.
Comments · 21
-
Re:You know...
Every time I go to pastebin.com and look at the hacked sites the passwords are always weak, extremely weak. No surprise there, virtually no one uses strong passwords.
Non sequitur. The published passwords are weak because that's the passwords that were easily cracked. Those who have strong passwords are underrepresented on the lists precisely because they have stronger passwords so they weren't brute-forced easily.
Sure, but every now and then, some *site* uses a poor hash, which allows people like me to do research on password strength and frequency. These results don't exhibit the selection bias you're talking about, because they're a full dump of passwords on the site. This is just for one specific site, but I found that 36% of all passwords were easily discoverable using a rainbow table, 33% of passwords weren't unique, and 1 in 72 users had the password "super123" for some reason.
I actually had a list of email addresses and their corresponding passwords for the site. I wouldn't be surprised if a lot of these passwords could also be used to get access to their corresponding GMail/Yahoo/Hotmail accounts (but I didn't test it out, because I enjoy not being in jail).
-
Re:32 years?
I lost data as a result of bzr not supporting history rewriting. As far as I can tell, it's still not supported.
I have never lost data that has been committed to a git repository, even though my build of git-svn occasionally segfaults on me.
-
Re:bzr vs. git?
I switched from bzr to git after I lost data to bzr-rebase. It was partly my own fault, but it wouldn't have happened if I had been able to easily rewrite the history, since then I would have been committing stuff more often.
I'd rather use git-svn than touch bzr ever again.
-
Shameless plug (was: PONG)
Want to play pong? Download my pong clone.
-
Re:The Cross Site Scripting FAQ
I particularly like this example.
Here's the spoiler.
-
Re:If you use PHP....
The main fault of PHP is that it lowers the educational cost of entry to the point that incompetent people can build functional but insecure code.
Well, that's one of its problems, but that's hardly what I'd call its main fault. Though I use it quite a bit, PHP is not an easy-to-use language if you care about correctness, robustness or security. I have a webpage that lists, in point form, some of the criticisms of PHP that I have accumulated over the last few years. The page is about PHP 4, since that's still what my customers' systems are using, but some of the criticisms apply to PHP 5 as well.
-
Re:Monked
Again with the malicious code?
-
Re:This is why...
Speaking of which, is there a way to do this in PHP? I've never seen a PHP script that did anything like this (which is probably why bugtraq is 99% php SQL injection holes).
Most people probably aren't aware of it, but several years ago, I wrote a few short scripts for PHP 4 that specifically address this problem. Currently-supported database backends are MySQL and anything that DBX supports, but it wouldn't take much to adapt it to PostgreSQL.
It basically lets you write code like this:
require_once "mysqlext.php";
$link = mysql_connect(...);
$results = mysql_execute($link, "SELECT a,b,c FROM foo WHERE bar=? and baz=?", array($bar, $baz));
It doesn't have the performance benefits that real prepared statements have, but I still find it handy for typical PHP4 database work.
The code is released under the MIT license, so feel free to use it.
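What an emulated prepared statement of this kind has to do, as an added example that is not the poster's mysqlext.php code: each ? is replaced, left to right, by a quoted and escaped literal before the query is sent as plain SQL. It is written in Python over sqlite3 so it runs stand-alone (sqlite quote-doubling is assumed; MySQL also needs backslash escaping), and the table and hostile input are constructed.

```python
import sqlite3

def quote_value(value):
    """Render one bound value as a SQL literal. This is the client-side
    escaping that emulated prepared statements rely on (sqlite-style
    quote doubling here; MySQL additionally needs backslash escaping)."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):
        return "1" if value else "0"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, bytes):
        return "X'" + value.hex() + "'"
    return "'" + str(value).replace("'", "''") + "'"

def bind_placeholders(sql, params):
    """Substitute each ? in order with the quoted value. A ? inside a quoted
    string literal of the template is left alone, and the number of values
    must match the number of placeholders."""
    out, pending, in_string = [], list(params), False
    for ch in sql:
        if ch == "'":
            in_string = not in_string
            out.append(ch)
        elif ch == "?" and not in_string:
            if not pending:
                raise ValueError("more placeholders than values")
            out.append(quote_value(pending.pop(0)))
        else:
            out.append(ch)
    if pending:
        raise ValueError("more values than placeholders")
    return "".join(out)

def execute(conn, sql, params):
    """The mysql_execute-style call: bind, then run as a plain query."""
    return conn.execute(bind_placeholders(sql, params)).fetchall()

def demo():
    """Constructed table; returns row counts for a naive concatenation and
    for the placeholder version given the same hostile input."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (a TEXT, bar TEXT, baz INTEGER)")
    conn.executemany("INSERT INTO foo VALUES (?, ?, ?)",
                     [("alice", "secret", 1), ("bob", "other", 2)])
    hostile = "x' OR 1=1 --"
    naive = conn.execute(
        "SELECT a FROM foo WHERE bar='" + hostile + "' AND baz=1").fetchall()
    bound = execute(conn, "SELECT a FROM foo WHERE bar=? AND baz=?", [hostile, 1])
    return len(naive), len(bound)   # (2, 0)
```

The naive query returns every row because the comment marker swallows the rest of the WHERE clause; the bound query returns none because the whole input is compared as one string.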
-
Shameless self promotion
Shameless self promotion: Download a Pong clone today!
-
Re:Slang should be avoided? WTF
by Dwonis (52652) (http://www.dlitz.net/go/contact/) on Sunday June 12, @10:44PM (#12799391)
No... No more "Woot! I am leet haxor. I pwn noobs!"
-
Gotta love the .sig
Chances are anyone that would blindly run perl from a .sig on Slashdot has already learned this the hard way: http://www.dlitz.net/stuff/malicious-perl-sig/
-
Re:DO NOT EXECUTE PREVIOUS SIG
Almost right. It does rm -rf ~ instead, which is perhaps worse as it's more likely to work :-)
Heh. rm -rf / gets to your home directory quicker than you would think...
I guess I missed the ~ part. I parsed another, very similar sig here, so after a quick glance, I just assumed they were identical.
-
Re: Where's the catch?
-
WARNING: Parent's sig is malicious
As an AC poster pointed out, the parent's 'sig' executes rm -rf /
I tried to post an analysis, but I kept getting hit by the lameness filter, so I posted the analysis to http://www.dlitz.net/stuff/malicious-perl-sig/
Hint: If you're somewhat familiar with Perl, try doing the analysis yourself. The code is actually not anywhere near as complicated as it looks.
-
PDF version
The PDF file (created using OpenOffice.org) is here (8.7 MB .torrent).
-
Re:Why not
-
Welcome to the world of crypto
I don't mean to be insulting or anything, it's just clear that you have very little knowledge of how public key cryptography and one-way hash functions work.
One-way hash functions: In a nutshell, a one-way hash function is a function that takes a variable-length string of input data and returns a fixed-length string (the hash) that represents it. Due to the mathematics involved, it is computationally infeasible to derive a different input string that will evaluate to the same hash. The same input data always produces the same hash.
Symmetric (a.k.a. "secret key") Cryptography: Basically, you take two inputs, the "plaintext" and the "key", and you feed them through an algorithm to get the output ("ciphertext") that looks like gibberish (a process called "encryption"). You can then take the ciphertext and the same key, feed them through the inverse algorithm, and get the original plaintext (a process called "decryption").
Asymmetric (a.k.a. "public key") Cryptography: It's just like symmetric cryptography, except instead of using the same key for both encryption and decryption, you use two different but related keys -- one for encryption and one for decryption. You call one of these keys "private" and you never let anyone see it. You call the other key "public" and you distribute it to everyone.
Other people can encrypt data using your public key, and that data can only be decrypted using your private key. The other thing you can do is encrypt data using your private key, so that it can only be decrypted using your public key.
But what use is that, you say? Well, you can encrypt the hash of the program you're signing using your private key, and distribute the resulting ciphertext with your program. If other people want to verify that your program is authentic, they can compute their own hash of your program, and then decrypt the ciphertext of the hash you computed. If both hashes are the same, then your program is verified, because only someone with your private key could have generated that ciphertext.
This is how all digital signature systems work.
For more information (especially if I confused you), see An Introduction to Cryptography (PDF), which explains it much better than I can.
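The sign-and-verify flow the comment describes (hash the program, "encrypt" the hash with the private key, "decrypt" with the public key and compare), as an added example that is not from the comment or the linked PDF. The RSA key is a deliberately toy one built from two Mersenne primes so no prime generation is needed, it is textbook RSA without padding, and the program bytes are constructed; nothing here is a key anyone should use.

```python
import hashlib

# Toy RSA keypair from two Mersenne primes (2^521-1 and 2^607-1). These
# are public knowledge, so the "private" key is private in name only;
# the point is to show the hash-sign-verify relationship, not to be secure.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+ modular inverse)

def program_hash(program: bytes) -> int:
    """One-way hash of the program as an integer; 256 bits, so smaller than N."""
    return int.from_bytes(hashlib.sha256(program).digest(), "big")

def sign(program: bytes) -> int:
    """'Encrypt' the hash with the private key; this is the signature
    distributed alongside the program."""
    return pow(program_hash(program), D, N)

def verify(program: bytes, signature: int) -> bool:
    """Recompute the hash locally, 'decrypt' the signature with the public
    key, and accept only if the two hashes match."""
    return pow(signature, E, N) == program_hash(program)

if __name__ == "__main__":
    # Constructed sample "program" standing in for a real download.
    program = b"#!/bin/sh\necho hello\n"
    sig = sign(program)
    print("authentic:", verify(program, sig))              # True
    print("tampered: ", verify(program + b"echo x\n", sig))  # False
```

Changing even one byte of the program changes its hash, so the decrypted signature no longer matches; forging a signature for the altered program would require D.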
-
The Amiga WILL survive
I think the Amiga will survive. Why? Because something that has been beaten and whipped as many times as the Amiga without dying by now will probably continue to live on until it goes mainstream.
The Amiga is a computer that's not a PITA to use. One of the rare Amiga commercials said, "What does it do? Well, what you want it to do," and this is so blatantly true it's hard for an outsider to imagine. No other mainstream computer has ever had this property, so people will continue to admire the Amiga until this happens.
The Amiga is not dead because there are too many Amiga users who are too dumb to know that their computer is dead.
;-P
-
Re:perhaps it's off topic but
Perhaps you'll like to visit my web site. It's all HTML 4.01 validated and compliant.
--------
Genius dies of the same blow that destroys liberty.