• Programming - WAYWO - March 2013
    1,001 replies, posted
[QUOTE=garry;39956110]Can anyone spot any glaring errors in this? [img]http://puu.sh/2jP61[/img][/QUOTE] Isn't this a perfect use case for regular expressions? Try this little regex: (-|\+)?[0-9]+(\.[0-9]+)? Allows - and + at the start, but it's fine without. Followed by characters '0' to '9', at least one needed. When we hit a '.' there needs to be another combination of at least one '0' to '9'. Could easily be extended for "support for those stupid numbers ending with E": (-|\+)?[0-9]+(\.[0-9]+)?((E|e)(-|\+)?[0-9]+)?
[QUOTE=Ziks;39956836]Sometimes it could cause problems to support European style (1,234 vs 1.234), and it would be better to only support one style.[/QUOTE] Please. That's just laziness. This attitude is why we have programs that barely support anything other than English. The real mistake garry is doing here is not relying on a library to do the heavy lifting.
[QUOTE=gparent;39956886]Please. That's just laziness. This attitude is why we have programs that barely support anything other than English. The real mistake garry is doing here is not relying on a library to do the heavy lifting.[/QUOTE] Sure, if you are developing the entire system from scratch then it would be nicer to support both. The problem in my instance was that I couldn't rewrite Valve's BSP compiler and Hammer to allow both. Also, if you have a list of numbers separated by commas, then it would be pretty difficult to parse both of these to be the same list of numbers: [code]1.263,67.23,83,12.0,52 1,263,67,23,83,12,0,52[/code] Sure, you could argue to use a different separator, but what if you couldn't make that decision because the file format was already specified?
[QUOTE=DrLuckyLuke;39956846]Use 1.234, because 1,234 is retarded (and that's coming from a german!)[/QUOTE] Only if you're reading/writing a file format. Otherwise most users would expect the decimal comma to work, as it's the only format supported by most applications in a non-English European locale.
Also, I was always thinking about reading and writing files. For stuff like a text input box I can see no problem with supporting both.
[QUOTE=DrLuckyLuke;39956846]Use 1.234, because 1,234 is retarded (and that's coming from a german!)[/QUOTE] I think we think differently because of programming, if you'd ask a random person on the street there's a very good chance they'd disagree with you. Besides, the decimal comma is the official format and I doubt you'd be able to use a point instead in any government or banking application.
[QUOTE=Borsty;39956879]Isn't this a perfect use case for regular expressions? Try this little regex: (-|\+)?[0-9]+(\.[0-9]+)? Allows - and + at the start, but it's fine without. Followed by characters '0' to '9', at least one needed. When we hit a '.' there needs to be another combination of at least one '0' to '9'. Could easily be extended for "support for those stupid numbers ending with E": (-|\+)?[0-9]+(\.[0-9]+)?((E|e)[0-9]+)?[/QUOTE] Regex is like black wizardry to me. I just can't comprehend it. :v:
[QUOTE=BlkDucky;39957022]Regex is like black wizardry to me. I just can't comprehend it. :v:[/QUOTE] [url]http://www.regular-expressions.info/reference.html[/url] You're welcome.
[QUOTE=Ziks;39956413][QUOTE=garry;39956260]Where would the email have come from?[/QUOTE] metapyziks(at)gmail.com to jobs(at)facepunchstudios.com[/QUOTE] It might have gone into spam because there were a lot of links. Sorry for being quite insistent but I'm reasonably anxious for a response.
I may be missing something, but why not just use English separators to load the file and commas everywhere else?
[QUOTE=BlkDucky;39957022]Regex is like black wizardry to me. I just can't comprehend it. :v:[/QUOTE] Here's the equivalent written out (in Java):
[cpp]
static boolean IsNumber( char str[] ) {
    int i = 0, o;
    int len = str.length;

    // (-|\+)?
    if (i < len && (str[i] == '-' || str[i] == '+')) i++;

    // [0-9]+
    o = 0;
    while (i < len && str[i] >= '0' && str[i] <= '9') { o++; i++; }
    if (o == 0) return false;

    // (\.[0-9]+)?
    if (i < len && str[i] == '.') {
        i++;
        o = 0;
        while (i < len && str[i] >= '0' && str[i] <= '9') { o++; i++; }
        if (o == 0) return false;
    }

    // ((E|e)(-|\+)?[0-9]+)?
    if (i < len && (str[i] == 'e' || str[i] == 'E')) {
        i++;
        if (i < len && (str[i] == '-' || str[i] == '+')) i++;
        o = 0;
        while (i < len && str[i] >= '0' && str[i] <= '9') { o++; i++; }
        if (o == 0) return false;
    }

    // the whole string must have been consumed
    return (i == len);
}
[/cpp]
[b]Edit[/b] Forgot that there can be negative exponentials too; code changed, new regex would be: (-|\+)?[0-9]+(\.[0-9]+)?((E|e)(-|\+)?[0-9]+)?
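The Java walk-through above only matches the regex because it ends with `i == len`: it is anchored, and the bare pattern is not. As an added example (not code from the thread or from OpenUser), here is the same grammar in Python, showing the two ways an input validator built on this regex typically goes wrong (unanchored `search`, and `$` letting a trailing newline through), plus a variant with a configurable decimal separator for the comma-versus-dot argument above. The `decimal_sep`/`list_sep` parameters and the helper names are my own assumptions, not anything from the thread.

```python
import re

# Borsty's final pattern from the thread, including the optional signed exponent.
NUMBER = r"(-|\+)?[0-9]+(\.[0-9]+)?((E|e)(-|\+)?[0-9]+)?"
NUMBER_RE = re.compile(NUMBER)


def is_number(text: str) -> bool:
    """Whole-string match: the regex counterpart of the Java code's `i == len`."""
    return NUMBER_RE.fullmatch(text) is not None


def is_number_unanchored(text: str) -> bool:
    """Pitfall 1: re.search accepts any string that merely *contains* a number,
    so "abc 12 def" passes validation."""
    return NUMBER_RE.search(text) is not None


def is_number_dollar(text: str) -> bool:
    """Pitfall 2: `^...$` looks anchored, but `$` also matches just before a
    trailing newline, so "12\\n" slips through. Prefer fullmatch."""
    return re.match("^" + NUMBER + "$", text) is not None


def is_number_with_separator(text: str, decimal_sep: str = ".") -> bool:
    """Same grammar with the decimal separator chosen by the caller. Assumption:
    the caller knows the file format's convention; nothing here guesses a locale."""
    sep = re.escape(decimal_sep)
    pattern = rf"[-+]?[0-9]+({sep}[0-9]+)?([Ee][-+]?[0-9]+)?"
    return re.fullmatch(pattern, text) is not None


def parse_number_list(text: str, decimal_sep: str = ".", list_sep: str = ",") -> list:
    """Ziks's comma-separated case: validate every field, then convert. This only
    works when the decimal separator differs from the list separator; otherwise
    the format is ambiguous and we refuse rather than guess."""
    if decimal_sep == list_sep:
        raise ValueError("decimal and list separator collide; format is ambiguous")
    fields = text.split(list_sep)
    if not all(is_number_with_separator(f, decimal_sep) for f in fields):
        raise ValueError("not a list of numbers: %r" % text)
    # Normalise to '.' so float() accepts the field regardless of locale.
    return [float(f.replace(decimal_sep, ".")) for f in fields]
```

`fullmatch` is the only one of the three that behaves like the Java loop; if a validator is the last line of defence before the value reaches a parser, the anchoring is the part that matters.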
[QUOTE=garry;39956110]Can anyone spot any glaring errors in this? [img]http://puu.sh/2jP61[/img][/QUOTE] [img]https://dl.dropbox.com/u/10518681/Screenshots/2013-03-18_15-00-11.png[/img] Should that be an == rather than !=?
[QUOTE=Deco Da Man;39956540]Awaiting KNIGHT GAME: MOBILE. Put it on the app store; I'd buy it.[/QUOTE] there's going to be a kg easter egg in vertex adventure [editline]18th March 2013[/editline] I'm going to post this here on the argument that this is more programming than web development, considering its ability to be ported as well... but does anyone here know anything about implementing security/session tokens for websites? I'm writing some software called [url=https://github.com/andrewmcwatters/OpenUser]OpenUser[/url], because I'm frustrated that there isn't really any user account management library out there in PHP that does all the work for you (besides maybe Usercake, which is terrible). I've got a terrible security issue with the software at the moment, however. The system works off of the premise that once you've been verified for login, your username and digest authentication are set as cookies. Which is somewhat okay (not really), but if your cookies were ever to be stolen, any thief would have permanent access to your account, lest your password was ever changed. I'd like to implement some sort of session cookie mechanic, but I've looked into it and haven't read anything substantial on the conventional method of implementation.
[QUOTE=DrLuckyLuke;39956846]Use 1.234, because 1,234 is retarded (and that's coming from a german!)[/QUOTE] [QUOTE=Dlaor-guy;39956876]I'm Dutch and I also agree using , for decimals is incredibly dumb.[/QUOTE] I'm Norwegian, and while I agree to using periods for stuff like programming and math, when speaking, it's more natural for me to use a comma, and so I'll probably do so when writing texts. That could just be the way I was taught it, though.
[QUOTE=acpm;39957336]there's going to be a kg easter egg in vertex adventure [editline]18th March 2013[/editline] I'm going to post this here on the argument that this is more programming than web development, considering its ability to be ported as well... but does anyone here know anything about implementing security/session tokens for websites? I'm writing some software called [URL="https://github.com/andrewmcwatters/OpenUser"]OpenUser[/URL], because I'm frustrated that there isn't really any user account management library out there in PHP that does all the work for you (besides maybe Usercake, which is terrible). I've got a terrible security issue with the software at the moment, however. The system works off of the premise that once you've been verified for login, your username and digest authentication are set as cookies. Which is somewhat okay (not really), but if your cookies were ever to be stolen, any thief would have permanent access to your account, lest your password was ever changed. I'd like to implement some sort of session cookie mechanic, but I've looked into it and haven't read anything substantial on the conventional method of implementation.[/QUOTE] Normally you'd just take a sufficiently long [B]truly random[/B] number and store it as authentication for an account, then give it to the client and store it in a cookie. If the client logs off or on from a different system you delete the old number in your database. Alternatively, you can have a time out on the tokens and a "close all other sessions" function somewhere the user can access. Changing the password should invalidate all sessions. You don't have to store any other information on the client, if the token is long enough you shouldn't have to worry about collisions.
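The session scheme Tamschi describes (long random token, stored server-side, deleted on logout, timed out, all sessions dropped on password change) in working form, as an added example that is not from the thread or from OpenUser. It is Python rather than PHP for brevity; the class and function names, the 256-bit token size, the one-hour default TTL and the injectable clock are my own choices. It departs from Tamschi's "delete the old number on login from another system" by allowing several concurrent sessions per user, with a "close all other sessions" style bulk revoke instead.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Server-side session table. The cookie carries only a random bearer token;
    the table stores a hash of it, so a copy of the database does not hand out
    live cookies. User and expiry live server-side, never in the cookie."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self._clock = clock                  # injectable so tests can advance time
        self._sessions = {}                  # sha256(token) -> {"user", "expires"}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, username):
        """Login succeeded: mint a 256-bit token from the OS CSPRNG (secrets, not random)."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": username,
            "expires": self._clock() + self.ttl,
        }
        return token

    def lookup(self, token):
        """Return the user for a presented cookie, or None if unknown or expired."""
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        if entry["expires"] <= self._clock():
            del self._sessions[key]          # lazy expiry
            return None
        return entry["user"]

    def revoke(self, token):
        """Logout: the old cookie stops working even if someone copied it."""
        return self._sessions.pop(self._key(token), None) is not None

    def revoke_all_for(self, username):
        """Password change / 'close all other sessions': drop every session of the user."""
        doomed = [k for k, v in self._sessions.items() if v["user"] == username]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def set_cookie_header(token):
    """Set-Cookie line for the token. HttpOnly keeps it from page scripts, Secure
    keeps it off plaintext HTTP (assumes the site is served over TLS)."""
    return f"Set-Cookie: session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def demo():
    now = [1_000_000.0]                      # fake clock we can advance
    store = SessionStore(ttl_seconds=600, clock=lambda: now[0])

    t1 = store.create("alice")               # constructed user, first device
    t2 = store.create("alice")               # second device
    valid = store.lookup(t1) == "alice"
    guess_fails = store.lookup("A" * 43) is None      # guessing a token is hopeless
    store.revoke(t1)                                  # logout on device 1
    after_logout = store.lookup(t1) is None and store.lookup(t2) == "alice"
    now[0] += 601                                     # idle past the TTL
    after_timeout = store.lookup(t2) is None
    t3 = store.create("alice")
    closed = store.revoke_all_for("alice")            # password change: 1 live session dropped
    return valid, guess_fails, after_logout, after_timeout, closed, store.lookup(t3)
```

Storing only the hash of the token is the one addition to Tamschi's description: the lookup still works, but someone who reads the session table cannot turn rows back into cookies.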
I guess the thing I'm concerned with the most is something that might end up being pointless to try and protect in the first place, which is an unencrypted connection. Currently, even by using digest access authentication over basic access authentication, I'm submitting username and password information over the wire which could be used by an attacker to login somewhere else and retrieve a valid session token. That information could immediately be used to access the user's account, but not reset a password since that still goes through email verification. So the reason I've been asking around is, isn't it futile regardless? All I would be doing is ensuring that instead of giving the attacker permanent access to someone's account, they have temporary access because that current session was stolen, but logging in (again) or logging out invalidates it, and a MITM attack would be needed to gather the account information once again. [editline]18th March 2013[/editline] Which also is sort of pointless, because if they have the digest, they can reauthenticate as often as they want until the victim resets their password... [editline]18th March 2013[/editline] I don't know, I think that's better than permanently stolen access, at least.
The only proper protection against MITM is an encrypted connection that authenticates the server, otherwise you really can't do much. And if an attacker can reauthenticate with the digest you're doing something seriously wrong.
So I fixed the obj reading errors with the sponza model I mentioned in my earlier post. It's just that I got tired of the time it took to load the model. Sure I could probably make it load faster but the obj format is slow no matter what you do and I'm not so sure I want to use the obj format since I want to try animations and obj doesn't support animations. This is why I made a model myself just to get rid of the loading time. I'm no artist but I'm fairly satisfied with the result anyway. Few drawcalls and it loads fast. Used Milkshape since it's the only 3D editor I'm familiar with. Made a large hangar, big open space for testing and science. [img]http://oi47.tinypic.com/2i9jewp.jpg[/img] Managed to make some texture animations as well. [media]http://www.youtube.com/watch?v=k2wR9WiTXBk[/media] The cop isn't very pleased. Maybe it's because I didn't add any doors to the hangar, maybe he doesn't like his co-worker, we may never know.
[QUOTE=Tamschi;39958459]And if an attacker can reauthenticate with the digest you're doing something seriously wrong.[/QUOTE] With a MITM attack, they'd be able to reauthenticate with the digest because the digest generates the session id; the digest is still essentially the password, just hashed. It's at that point the user would have the chance to change their password if they were aware of their account being hijacked or if a warning was sent to them due to someone logging in from an unauthorized location, somehow identified through a form of multi-factor authentication. [editline]18th March 2013[/editline] Ultimately you're right though, you basically must have an encrypted connection to really be safe from these things.
[QUOTE=acpm;39960704]With a MITM attack, they'd be able to reauthenticate with the digest because the digest generates the session id; the digest is still essentially the password, just hashed. It's at that point the user would have the chance to change their password if they were aware of their account being hijacked or if a warning was sent to them due to someone logging in from an unauthorized location, somehow identified through a form of multi-factor authentication. [editline]18th March 2013[/editline] Ultimately you're right though, you basically must have an encrypted connection to really be safe from these things.[/QUOTE] OK, you're doing digest access authentication wrong. Logging in with a hashed password is useless, you could just send plaintext and it wouldn't be less secure. (Unless a user uses their password on multiple sites, but that's a different problem.) You're supposed to send a nonce to the client and modify the password with that before hashing on the client, then the server can compare the hash to the expected result and a passive MITM can't get any persistent credentials. No idea if this works that way if the server doesn't store plaintext passwords, if there's no algorithm for that you could always use temporary key pairs and send the public key instead of the nonce.
[QUOTE=acpm;39960704]With a MITM attack, they'd be able to reauthenticate with the digest because the digest generates the session id; the digest is still essentially the password, just hashed.[/QUOTE] Aren't you supposed to hash the password with a nonce? [editline]18th March 2013[/editline] [QUOTE=Tamschi;39960954]No idea if this works that way if the server doesn't store plaintext passwords, if there's no algorithm for that you could always use temporary key pairs and send the public key instead of the nonce.[/QUOTE] iirc if you have a SHA hash you can work out the result of the original text + something else with relative ease.
Websites should really start to force TLS for logged-in users. There's no browser I know of that doesn't support it.
[csharp]list = [1, 2, 3, 4, 5, 6]; list.count = 5; printLine list.count; printLine (list.at 2);[/csharp] Made a relatively small update to my language, opened a whole new world. Anyways, types, instances and instance scopes are a thing now. List's count is a ProxyValue that acts as a getter/setter. It doesn't have a set value, but instead calls a method that gets a new value. In this case, it returns the size of a c# list that it encapsulates. I've also added a setter for it that truncates the tail of the list after the nth member.
[QUOTE=Lexic;39960999][...] iirc if you have a SHA hash you can work out the result of the original text + something else with relative ease.[/QUOTE] I think if the server doesn't store the plaintext password it would have to reverse the hash from the client and hash the restored plaintext to compare it to the database. I don't think that's possible, the only mechanism that wouldn't give a passive MITM the password while keeping it off the server's storage would be public key cryptography. [editline]manual merge[/editline] I'm going back to manually merging posts.
[QUOTE=Tamschi;39961088]Websites should really start to force TLS for logged-in users. There's no browser I know of that doesn't support it.[/QUOTE] You gotta purchase a moderately expensive cert for that though don't you? [editline]18th March 2013[/editline] [QUOTE=Tamschi;39961255]I think if the server doesn't store the plaintext password it would have to reverse the hash from the client and hash the restored plaintext to compare it to the database. I don't think that's possible, the only mechanism that wouldn't give a passive MITM the password while keeping it off the server's storage would be public key cryptography.[/QUOTE] [url=http://benlog.com/articles/2008/06/19/dont-hash-secrets/]Don't hash secrets[/url] [quote]Here’s the deal: if I tell you that SHA1(foo) is X, then it turns out, in a lot of cases, to be quite easy for you to determine what SHA1(foo || bar) is. You don’t need to know what foo is. It’s just that, because SHA1 is iterative and works block by block, if you know the hash of foo, then you can extend the computation to determine the hash of foo || bar.[/quote] ([url=http://en.wikipedia.org/wiki/SHA-1#Cryptanalysis_and_validation]wikipedia has a far more dry version of that same statement[/url]) I'm not sure how true that is admittedly, but it seems to me that if the server knows what SHA1('mysecretpassword') is and it sends 'mysecretnonce' to the client, if the client sends back SHA1(SHA1('mysecretpassword' || 'mysecretnonce')) the server can work out SHA1(blackmagic(SHA1('mysecretpassword), 'mysecretnonce')) and see if they match.
[QUOTE=Lexic;39961279]You gotta purchase a moderately expensive cert for that though don't you?[/QUOTE] Not really, you can create one yourself and explain to the user that they should click on import in the message box that pops up (and shouldn't import on a non-trusted network). A lot of small tech websites do that. Buying a cert only removes the user interaction, but I can see why that's important from a UX point of view.
[QUOTE=Tamschi;39961394]Not really, you can create one yourself and explain to the user that they should click on import in the message box that pops up (and shouldn't import on a non-trusted network). A lot of small tech websites do that.[/QUOTE] Removing the CA system from the trust chain is not going to be particularly helpful at stopping MITM attacks, just sayin.
[QUOTE=Lexic;39961279][URL="http://benlog.com/articles/2008/06/19/dont-hash-secrets/"]Don't hash secrets[/URL] ([URL="http://en.wikipedia.org/wiki/SHA-1#Cryptanalysis_and_validation"]wikipedia has a far more dry version of that same statement[/URL]) I'm not sure how true that is admittedly, but it seems to me that if the server knows what SHA1('mysecretpassword') is and it sends 'mysecretnonce' to the client, if the client sends back SHA1(SHA1('mysecretpassword' || 'mysecretnonce')) the server can work out SHA1(blackmagic(SHA1('mysecretpassword), 'mysecretnonce')) and see if they match.[/QUOTE] I see, but that leaves the server without salts. It would be better if 'mysecretpassword' was SHA1(SHA1('mysecretpasswort' || 'sharedsalt')) (if hashing twice is necessary here). [editline]18th March 2013[/editline] [QUOTE=Lexic;39961439]Removing the CA system from the trust chain is not going to be particularly helpful at stopping MITM attacks, just sayin.[/QUOTE] Ultimately it's (to a large extent) about user competence. If the users register from a sufficiently secure network and know how to handle TLS certs (at least the basics) then it's not a problem at all. Sadly, this won't ever be the case. [editline]hmm...[/editline] Unless there's a known trusted server that can verify a certificate match by contacting the other server from a known secure network. The system would have to handle all first connections between computers and websites though. I wonder if that's feasible. (Not to mention the privacy concerns, but I guess that wouldn't really be different from DNS.) [editline]editline[/editline] If domain names were cryptographically backed, it would be possible to attach a public key that way. It seems someone at least [URL="https://bitcointalk.org/index.php?topic=24591.0"]thought[/URL] about using Namecoins that way, and there's [URL="http://dot-bit.org/Namespace:Domain_names_v2.0#TLS_support"]a draft for this[/URL].
There's also a [URL="https://wiki.mozilla.org/Security/DNSSEC-TLS-details"]DNSSEC-TLS[/URL] which shifts authority to the DNS, which is pretty much what I wrote in my last edit but with less volatile certs. It should be considerably cheaper but doesn't seem to be widely implemented.
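Putting together the pieces from the nonce discussion above (Tamschi's "send a nonce, modify the password with it before hashing" and "that leaves the server without salts", and Lexic's "Don't hash secrets" quote about extending SHA1(foo) to SHA1(foo || bar)): the following is an added example, not code from the thread or from OpenUser, of a salted challenge-response login in Python. It keys an HMAC with a per-user salted verifier instead of hashing `secret || nonce` directly, which is the construction the linked "Don't hash secrets" post recommends and which does not have the length-extension property Lexic quotes. Nonces are single-use, so a captured response cannot be replayed. The class and function names, PBKDF2 with 100,000 iterations as the verifier KDF, the 60-second nonce lifetime and the sample users are my own assumptions.

```python
import hashlib
import hmac
import secrets
import time


class ChallengeResponseServer:
    """Nonce-based challenge/response login.

    The server stores a salted verifier, never the password. At login the
    client proves knowledge of the verifier by returning HMAC(verifier, nonce)
    for a fresh single-use nonce. A passive eavesdropper records only that
    one HMAC, which is useless once the nonce has been consumed.
    """

    NONCE_TTL = 60  # seconds a challenge stays valid (assumption)

    def __init__(self):
        self._users = {}     # username -> (salt, verifier)
        self._pending = {}   # nonce -> (username, issued_at)

    @staticmethod
    def derive_verifier(password: str, salt: bytes) -> bytes:
        # Slow, salted KDF: the verifier is what both sides key the HMAC with,
        # so it is password-equivalent for this site. A leaked table is still
        # expensive to reverse, but protect it like a password table.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self.derive_verifier(password, salt))

    def challenge(self, username: str):
        """Step 1: client asks to log in; server returns the user's salt and a fresh nonce."""
        salt, _ = self._users[username]
        nonce = secrets.token_bytes(32)
        self._pending[nonce] = (username, time.monotonic())
        return salt, nonce

    def verify(self, username: str, nonce: bytes, response: bytes) -> bool:
        """Step 2: check HMAC(verifier, nonce). The nonce is consumed whether or
        not the check passes, so no response can be presented twice."""
        pending = self._pending.pop(nonce, None)
        if pending is None:
            return False                       # unknown or already used nonce
        owner, issued = pending
        if owner != username or time.monotonic() - issued > self.NONCE_TTL:
            return False
        _, verifier = self._users[username]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """What the browser-side code computes; the password itself never goes on the wire."""
    verifier = ChallengeResponseServer.derive_verifier(password, salt)
    return hmac.new(verifier, nonce, hashlib.sha256).digest()


def demo():
    server = ChallengeResponseServer()
    server.register("alice", "correct horse battery staple")   # constructed user

    salt, nonce = server.challenge("alice")
    resp = client_response("correct horse battery staple", salt, nonce)
    first = server.verify("alice", nonce, resp)      # genuine login succeeds
    replay = server.verify("alice", nonce, resp)     # same capture again: nonce consumed

    salt, nonce = server.challenge("alice")
    wrong = server.verify("alice", nonce, client_response("guess", salt, nonce))
    return first, replay, wrong
```

What this buys and what it does not: compared with a fixed digest of the password sitting in a cookie, nothing an eavesdropper records here is reusable, and the stored verifier is salted per user. It does not authenticate the server, so an active attacker on a plaintext connection can still take over the session that results; as Tamschi says above, TLS is still the actual fix, and this only limits the damage of the fallback.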
You mean like a CA? :v:
[QUOTE=Lexic;39962192]You mean like a CA? :v:[/QUOTE] Well, not exactly. If the trusted server does live verification the website owner doesn't have to register or sign his certificate anywhere. It's more like [URL="http://www.downforeveryoneorjustme.com/"]downforeveryoneorjustme.com[/URL]. Edit: The CAs don't have any structural servers (except for their own certificate), the verification is completely offline. They just expect a lot of money for an identity check.