--- Log opened Tue Nov 24 00:00:13 2015 |
14:04 | | * TheWatcher reads up, has just noticed what cata said yesterday, facepalms |
14:11 | | macdjord is now known as macdjord|wurk |
14:16 | < catadroid> | Which bit? |
14:16 | < catadroid> | Heh |
14:18 | <@TheWatcher> | < catadroid> I don't think they gets it |
14:18 | <@TheWatcher> | That bit :P |
14:21 | < catadroid> | Ah |
14:21 | < catadroid> | :p |
14:37 | <@TheWatcher> | ... I swear that this student has run a script that does $line = (" " x rand(16)).$line; for each line. |
15:14 | < catadroid> | How exciting |
15:37 | | Meatyhandbag [sebastianfe@Nightstar-6cr.ldd.224.136.IP] has joined #code |
15:56 | <&McMartin> | Why is use of gets() not a compiler error by default yet |
15:56 | <&McMartin> | I mean, seriously |
16:31 | | catadroid` [catalyst@Nightstar-7356ik.dab.02.net] has joined #code |
16:33 | | catadroid [catalyst@Nightstar-6ic2ak.dab.02.net] has quit [Ping timeout: 121 seconds] |
16:43 | | anion [idonob@Nightstar-gmbj85.vs.shawcable.net] has joined #code |
16:58 | <@Tamber> | McM: At the very least, it should be a bloody huge warning. :( |
16:59 | | Emmy is now known as Emmy-Noms |
17:10 | | catadroid` is now known as catadroid |
17:20 | | catadroid` [catalyst@Nightstar-6mha30.dab.02.net] has joined #code |
17:20 | | catadroid [catalyst@Nightstar-7356ik.dab.02.net] has quit [A TLS packet with unexpected length was received.] |
17:36 | | Emmy-Noms is now known as Emmy |
18:05 | | Derakon [chriswei@Nightstar-5mvs4e.ca.comcast.net] has joined #code |
18:05 | | mode/#code [+ao Derakon Derakon] by ChanServ |
18:06 | <&McMartin> | Tamber: Have you seen its man page by any chance~ |
18:06 | <&McMartin> | "Description: Never use this function." |
18:06 | <@Tamber> | Implying that the kind of person to use gets() reads documentation... |
18:06 | <&McMartin> | How else do you find out about it? |
18:07 | <@Tamber> | It's in the code fragment that they copy & pasted off someone's website. :) |
18:07 | <@abudhabi> | McMartin: Man sprintf? |
18:08 | <&Derakon> | Note that you have to scroll down to the "Bugs" section to notice that. |
18:09 | <&McMartin> | Derakon: Not in the Linux man pages. |
18:10 | <&McMartin> | It is literally the first complete sentence in the man page here, boldfaced and underlined. |
18:10 | <&Derakon> | I was looking at http://linux.die.net/man/3/gets |
18:10 | <@Tamber> | << DESCRIPTION \n _Never use this function_. >> here. |
18:10 | <&Derakon> | The OSX man page just says "The gets() function cannot be used securely... It is strongly suggested that the fgets() function be used in all cases." |
18:11 | <&Derakon> | (And, again, that's further down the page) |
18:11 | <&McMartin> | Yeah |
18:11 | <&McMartin> | Whichever set of man pages ships with fedora is... more forceful. |
18:11 | <&McMartin> | In addition to opening with NEVER USE THIS FUNCTION. the return value includes "there is no guarantee this function will ever return." |
18:12 | <&Derakon> | Hey, changing the subject, I want to add a feature to our program that allows it to send information to a central server. |
18:12 | <&Derakon> | Where do I start doing the necessary research? |
18:12 | <&McMartin> | Uh |
18:13 | <&McMartin> | In the sense of "how do I use java.net.Socket" or in the sense of "how do I set up an application server"? |
18:13 | <&Derakon> | Heh. |
18:13 | <&Derakon> | Let's leave the setup logistics and specific language features aside for the moment. I'm mostly looking for "how manual do I have to be about transfer of data?". |
18:14 | <&Derakon> | Assume I can represent the notification as a JSON object. Can I just kind of blob it up and send it as a single action to a server? |
18:14 | <&McMartin> | Sure, make it be an HTTP POST request or something. |
18:14 | <&Derakon> | Do I need to split it into packets myself? |
18:14 | <&McMartin> | Pretty much everyone represents network connections as stream-like objects. |
18:15 | <&Derakon> | And the relevant libraries handle handshaking, dropped connections, etc. cleanly? |
18:15 | <&McMartin> | You should be able to find a quality implementation of the HTTP protocol for any language. |
18:15 | <&Derakon> | Okay, cool. |
18:15 | <&McMartin> | "cleanly" may mean "throws an exception when you try" - networking is inherently messy - but this is by and large a solved problem |
18:15 | <&McMartin> | Unless you're using C++. =( |
18:15 | <&Derakon> | Yes, exceptions are fine. |
18:15 | <&Derakon> | "Something went wrong when you tried to do that" is an expected failure mode. |
18:16 | <&McMartin> | libcurl is made almost entirely of spiders and every alternative I've tried to use has been either hilariously broken, hilariously incomplete, or both. |
18:16 | <&Derakon> | Hooray! |
18:16 | <&Derakon> | Okay, so second step then is handling that notification server-side. |
18:16 | <&Derakon> | The eventual goal here is to send an email, text, etc. to the user of the program when specific triggers occur. |
18:16 | <&Derakon> | E.g. "hey, your data finished collecting! Here's a screenshot!" |
18:17 | <&Derakon> | This potentially involves using resources that we have to pay for. |
18:17 | <&Derakon> | So ideally I don't want people cracking the protocol and sending themselves free texts with it~ |
18:17 | <&Derakon> | Basic authentication is also something I have not worked with in a long time. |
18:17 | <&Derakon> | Our paid users will presumably get token strings that they need to plug into their copies of the program in order to use this feature. |
18:18 | <&McMartin> | Doing that right is harder than Dude Ranting On The Internet (viz me) should be talking about |
18:18 | <&Derakon> | I guess the approach is to use that token as the public portion of a public/private key pair? |
18:18 | <&McMartin> | I suspect that something like an API key ends up used for this |
18:18 | <&Derakon> | Yes, it does seem similar in concept. |
18:18 | <&McMartin> | aka "those bits of Twitter that people kept accidentally committing to their GitHub repos" |
18:18 | <&Derakon> | Encrypt the notification using the public key, send it to the server, server uses the private key to decrypt. |
18:18 | <&Derakon> | Heh, yes. |
18:18 | <&Derakon> | Fortunately the server-side code is a completely different project and can go in our private repository. |
18:19 | <&Derakon> | Keeping in mind that security details are notoriously easy to get wrong, does anything I've said look obviously wrong? |
18:19 | <&Derakon> | s/get wrong/get wrong in subtle ways/ |
18:21 | | himi [fow035@Nightstar-v37cpe.internode.on.net] has quit [Ping timeout: 121 seconds] |
18:32 | <&McMartin> | Is this any better than, If you're allowing them to have a secret (the public key), give each customer a username/password? |
18:32 | <&McMartin> | That's also nice because it's easier to do partial revokes, unlike someone making the public key, well, public. |
18:33 | <&Derakon> | Actually hashing it out a bit more as I write it out, I've tweaked it. |
18:33 | <&Derakon> | New design, the server has 3 valid interactions |
18:34 | <&Derakon> | 1) Get the server's current public key. |
18:34 | <&Derakon> | 2) Get a challenge token for a given client ID. This returns a random string that has been encrypted with the client's public key. |
18:34 | <&Derakon> | 3) Post a notification. This includes the client's ID, the decrypted random string, and a JSON string encrypted with the server's public key. |
18:35 | <&Derakon> | The random strings are used once-only (presumably also with a timeout), so the server verifies that the client responded to the challenge with the right string, and if so decrypts the JSON and takes action based on what it finds. |
18:35 | <&Derakon> | We can revoke a client's ID and just stop accepting their requests at any time -- all interactions should include the client ID. |
18:37 | | anion [idonob@Nightstar-gmbj85.vs.shawcable.net] has quit [Connection closed] |
18:39 | <&Derakon> | This feels like it should be fairly simple to implement. |
18:40 | <&Derakon> | I worry that I'm thinking "man, security is easy" and missing the gaping pothole right underneath my leading foot... |
18:41 | <&Derakon> | I'll probably ask SA's programming thread about a sanitized version of this design. |
18:55 | | celticminstrel [celticminst@Nightstar-uce74q.dsl.bell.ca] has joined #code |
18:55 | | mode/#code [+o celticminstrel] by ChanServ |
19:00 | | abudhabi is now known as Wulfric |
19:24 | <&ToxicFrog> | Re: gets man page: this appears to be a relatively recent update; the man pages on my work machine say "Never use gets()" under BUGS, while the ones at home say "NEVER USE THIS FUNCTION" as McM describes. |
19:26 | <&ToxicFrog> | Derakon: the actual transport side of things, as McM says, is generally a solved problem. (libcurl is indeed full of spiders, but often "incomplete but less full of spiders" is good enough; e.g. luasocket does a lot less than libcurl does, but 99% of the time it does enough for my purposes.) |
19:27 | <&ToxicFrog> | The security side is extremely easy to get wrong and the general wisdom here is "don't roll our own, use an existing framework or library written by someone who actually understands this stuff" |
19:27 | <&Derakon> | Yeah, I'm more interested in "how do we know that the user is allowed to use the service" than I am in the details of how to actually encrypt something. |
19:27 | <&ToxicFrog> | (and off the top of my head I'm not sure what (1) is even for) |
19:28 | <&Derakon> | Allowing the server's public/private key pair to be updated? |
19:28 | <&ToxicFrog> | What's the end goal there? |
19:29 | <&ToxicFrog> | Like, if it's "make sure that the client is talking to the server it thinks it is", that's what HTTPS certificates are for and the library should be handling that. |
19:31 | | Meatyhandbag [sebastianfe@Nightstar-6cr.ldd.224.136.IP] has quit [Client exited] |
19:31 | <&Derakon> | Righto, that's basically what it was for. |
19:31 | <&Derakon> | That or "the server got compromised, but we replaced it, and we don't want our user's information to be decryptable." |
19:37 | <&Derakon> | Agh, the wifi is being abominable today. Be glad I'm connecting through my home computer~ |
19:37 | | catalyst [catalyst@Nightstar-bt5k4h.81.in-addr.arpa] has joined #code |
19:42 | | celticminstrel [celticminst@Nightstar-uce74q.dsl.bell.ca] has quit [[NS] Quit: KABOOM! It seems that I have exploded. Please wait while I reinstall the universe.] |
19:42 | | celticminstrel [celticminst@Nightstar-uce74q.dsl.bell.ca] has joined #code |
19:43 | | mode/#code [+o celticminstrel] by ChanServ |
19:44 | | Meatyhandbag [sebastianfe@Nightstar-6cr.ldd.224.136.IP] has joined #code |
19:51 | <&ToxicFrog> | Derakon: so, for encrypting data in motion or verifying the server identity, https+certificate is almost certainly what you want and once you have the cert the underlying HTTP library should handle that more or less seamlessly, with some sort of exception if things go wrong. |
19:51 | <&ToxicFrog> | Encrypting data at rest is a different problem and one that I'm not even slightly qualified to talk about. |
--- Log closed Wed Nov 25 00:00:29 2015 |