| « Prev | Page 1 | Next » |
|
I don't want to belittle the core WTF-ery of : "what would these even be good for?" Are there not a bunch of functions for binary data? LenB,MidB and so on.
|
|
Wow, now this sucks. This is like paying money for a support contract that gives no support, but lets you change the code. Open Source as in, they paid more money to have a licence to look at and modify the source code. |
Well, sure. But who knows if those actually WORK? I mean, does Microsoft let you see the source code? Better to just write your own. Yes, I'm kidding. |
|
Not that this should be done, but I don't see the WTF'ery in the code as is aside from it being touted as 'open source'. This could be VBScript, which does not type variables. That could be the reason for the cint(idx) calls. The function declarations do not indicate the type of the bin variables, but the functions appear to expect strings. So the author is aparently trying to implement logic functions against strings of 1 and 0s. So, the real WTF is not the code but the fact they are reproducing binary logic somewhere that they shouldn't. |
It certainly is VBScript: see http://www.thedailywtf.com/forums/41518/ShowPost.aspx However IMHO this is no excuse. Given that ASP (which I'm guessing this is) support Javascript server-side blocks, these should have been implemented with numeric types and the logical operators written as < script runat="server" language="JScript > function NotBin(a) { return ~a; } function AndBin(a, b) { return a & b; } function OrBin(a, b) { return a | b; } function AndNotBin(a, b) { return a & ~b; } < / script > |
Or, in VBS ... Function OrBin(a, b) .... and so on .... |
|
Forgive my ignorance, my VBScript experience is limited to classic ASP
and scheduled .vbs files. What implementations of VBScript will PREVENT you from being able to view the source code? |
|
I would want to see the larger context where this logic is used. As others have noticed these function process strings of 1 & 0s as binary numbers. I can't think of any real life situation especially in a web asp application where it would be useful or necessary. Then again typical web application I've done were either financial or e-commerce, usually users want to see their balance in decimal, maybe some open source fanatic, out of the box thinker implemented "please enter account number in binary" feature, because it wasn't supported by M$. |
Can that possibly work? What about Dim Four, Two Four = 4 Two = 2 Mystery = AndBin(Four, Two) ' what is Mystery? If Four And Two Then ' does this get called? End If |
|
It's been many years since I've had to deal with vbscript (thankfully), but from what I recall it had all the functions that worked properly for bitwise operations. And yes, they would work on integers, as they would in most widely used languages these days. Typically they're used for storing many state flags in a single variable. Not typically useful in situations where you are not concerned about memory constraints / allocation, but i've seen that type of thing before when someone read up on bitwise operators and thought it would be cool.
|
|
Looks like a straight-forward sample implementation from a crypto lib.
Not exactly efficient, but easy to read, easy to debug, easy to demonstrate. Arbitrary length of numbers make it easily possible to calculate e.g. 256,512 or even 1024 bit keys, though this might take some time... |
|
At one point Microsoft came out with an option for encrypted script files.
|
Agreed. I've also maintained a lot of unnecessary bitwise logic in homegrown VB6 (that, let me stress this... DIDN'T make external calls out to Win32 dlls). And worse... storing the compact flags in a binary column in DB2 and SQL Server (let ME tell you how awesome it is to index that and be able to select off one of the flags in a WHERE clause. T'was a useless waste of time. |
Ahhhh, the magic of VBS. An "If" condition fires as long as the result is non-zero, non-empty, non-null, or non-emptystring. The And/Or operators work both on expressions and bits. If the operands are numeric subtypes, it is bitwise. Boolean subtypes and it performs expression logic. So, in your example, it would work out to "If 6 Then" ... and since 6 is non-zero .... it fires. Also note that in VBS (or VB), the And/Or operators do not shortcircuit. Meaning, "If Not IsNull(myObj) And myObj.someProp=1 Then" will throw a "null pointer" exception ... |
|
Everyone is saying this is VBScript. It looks to me like this snippet
would compile just as well in VB6 and VB.NET. Both 'real' versions of Visual Basic allow you to do stupid things like have everything implicitly declared as a Variant, as if you're using a dynamically typed scripting language. Ugh. Dynamic typing in VBScript and JavaScript is great, but IMHO it does not belong in the .NET platform, nor in VB6. |
|
If you want bitwise operations on arbitrary-length data in VB variants, surely you're better off using 1 character per byte and applying VB(script)'s built-in boolean operators, which do work bitwise. (Incidentally, this is probably why, in Visual Basic and variants, True is -1 i.e. 0xffffffff. Unusual, but true.) Of course, I could be wrong, but...
|
|
Sorry to waste this precious space by posting again, but I think the point is being missed. The input is in the form of strings (1s and 0s) and the output is a string representing 1s and 0s. It's hard to tell why because of the lack of context. Using logic operators is possible but the 1s and 0s would have to be converted to decimal first. I think the opening WTF paragraphs assumed too much stating the input was converted from decimal to hex then to strings, but without the context its hard to tell.
|
|
Please note that Shiftbin is even misnamed. It implements Rotatebin.
|
The opening paragraph doesn't assume, it contains what the submitter told Alex. Also, we do have context: two other posts (or three?) containing code from the same system which greatly supports the notion of the conversions. |
|
The reason they're doing this in strings of binary numbers and not
native integer types is because they need to do math on sizes greater than 32bit (note that it's from an encryption library). This is about the most incredibly inefficient way I can think of to do it, though. They would've been far better off calling a library written in a language that can actually do it natively, or even inventing their own arbitary-length integer type for VB. |
You missed my subtle sleight-of-hand in switching Or to And. Four And Two would be 0, not 6. |
It is easy to tell if you go have followed this quartet of incompetance from the beginning. Go back and read the three links given and all will be as clear as mud, sadly. |
|
Oh, big whoop. I implemented encryption routines in PL/SQL once
that were much more WTF-ish. I didn't even have an option of going out to an external library. |
|
|
Yay stupid forum software. Okay, take that quote, and this is my reply: It would work out to "If 0 Then" -- you're using And, not Or. (4 And 2) is 0... (4 Or 2) is 6. |
|
One advantage of these functions over VB/VBScript's built in operators
is that they work with any number that can fit in a string in binary format. Some encryption algo's require working with numbers which won't fit in VB's Long. |
Which is why the first line of any decent code in VB6/VB.NET is
|
|
Another problem with all these wonderous functions is what happens if bin2 is longer than bin1? In fact, there is the assumption that both strings are the same length, so: XORBin ("011", "10") = 111 as it works from the left! |
Which is, by most people's definition not "Open Source". |
Little-endian bastards. |
1 Open Source as in, they paid more money to have a licence to look at and modify the source code. OMG!!! I haven't even seen the code yet, I started reading from above and looked at the note when i saw the note mark and I couldn't stop laughing!! (lucky me that I'm alone at work right now :P) I stil can't believe they even paid money for this! I'm not a vb expert at all, so I can not say how bad this is but it looks like total crap :) Using custom functions while there are standard functions to use and why on earth a custom encryption system? I made my own custom encryption lately for my application purely for 1 reason, the way php and java encrypt decrypt is different and they use a different padding and I have not been able to get this working right.. my encryption is crap but it works and it is ok for during development but I wil replace it later with a correct encryption decryption.. |
When it comes to encryption, the big question is: Do you trust the available closed-source implementations? In a closed source implementation, someone (CIA, NSA, KGB, you name them) might slip a back door into the code. Probably the weakest spot is the random generator; if the keys are not as random as they should be, you might not notice it but an attack might be easier (=cheaper, faster) by factor 1000000 - just make 20 bits of a 128 bit key predictable (dependent on the rest of the key). |
That's not what open source means :) They bought a source license. |
Goodness, you're right! I must avoid buying any software made in the Soviet Union. Hmm... |
Well, if Boeing wants to sell airplanes to e.g. China, and Tupolew is their strongest competitor, it might be a wise decision for Boeing not to use Russian closed-source crypto products to communicate prices between headquarter and sales force. Likewise, if Airbus wanted to sell airplanes to China, and Boeing was their strongest competitor... |
|
Prepare for a deluge. That definition of open source will almost certainly create a lot of flames, since it is absolutely not in any way compliant with the official definition.
It might be shared-source, but isn't remotely Open. In fact, it is clearly defined as NOT open at http://www.opensource.org/docs/definition.php But otherwise it's amusing. It's clearly the work of some kind of sick mind. |
|
http://www.opensource.org/docs/definition.php
The definition given is not even close. Don't be fooled. |
And it's the first line of any decent code even in VBScript. |
Free, consider correcting the spelling of 'speech' in your tagline. |
This comes off a little paranoid but it's true. You don't know what deals Bill Gates is making with the US government in order to secure more sales of Windows. Moreover, just because you can't see the source for the software you use doesn't mean it isn't really screwed up. There have been many times that having the source to the JDK and other Java libraries has been a project saver. I work with a product now that throws useless errors and we can't figure out what's wrong because we have no source. We have to talk to the support staff who just tell us: "Everything is fine. You have no problem." Like they are Jedi. |
|
I pray they are a local consutling company because it would be a crime to spread this code across the country.
|
I've only used c#.net. I would have hoped that finally in VB.Net, that they would have changed it to Option Implicit and made requiring strongly typed declarations the default. |
|
It's not really such a concern that (insert your favorite big brother figure here) would "slip a back door into the code." There are far better hacks than this and aren't at all detectable. Seriously. If the code is written this poorly, do you think it would take any effort whatsoever for (insert your favorite big brother figure here) to get in? Do you think they'd even care? Why bother when they find it so much easier to bug your computer with a keygrabber (whether hardware or software)? Regardless, most of the posters here (myself included) do not have the background in mathematics to even come close to being able to evaluating the security of an algorithm. Even still, there's little security in using properly coded RSA/AES/Twofish/SHA (yes, I'm well aware I'm lumping in PKI/stream/hash algorithms, etc.) modules if the implementation has flaws. Again, something that most programmers won't know how to evaluate. I've seen a lot of bad ciphers (homegrown crap) and a lot of good ciphers used in dumb ways. Both are insecure but the latter is much harder to catch ;) I tried to explain something simple (how a cryptographic salt works and why you use them) to a reasonably good programmer once and all I got was the deer-caught-in-the-headlights look. I ended up developing that module myself since it was important to me that it be done right. C'est la vie! |
You are completely right and that makes the situation even more complicated: A "backdoor" as I mean it is not necessarily some recognizeable evil code, it could just be a deliberately bad implementation of a good algorithm. Nearly impossible to find, even if you have access to the source code. |
Oh, man, that's too excellent. 1) That's going in my quote file. 2) I have to get the other developers to say that to customer support so that we deal with fewer problems. "Like they are Jedi." I just lost it when I read that. |
|
VB.Net has Option Explicit set to On by default. But that doesn't
strongly type everything; it just forces you to declare your variables (otherwise everything undeclared is an Object - not Variants in VB.Net). You need to turn on Option Strict (you can make that the default in VS.Net if you want) for that, but you lose nice features such as late-binding and the like. |
|
It appears that VB, at least VB6, does not have any bitwise shift operators. Assuming that the author is using bit arrays of length less than that of the long data type, the functions below should do the trick (note that they are quickly thrown together and minimally tested, but you get the idea). If he/she is using larger bit arrays, the question of whether the application is properly designed should immediately come to mind.
OrBin = bin1 Or bin2 End Function
AndBin = bin1 And bin2 End Function
|
I know everyone has moved on from this WTF by now, but I just had to comment on this. Option Explicit does not prevent implicit declaration as Variant, it just requires some type of variable declaration. If no type is added for a variable declaration, that variable still defaults to a type of Variant: Option Explicit |
| « Prev | Page 1 | Next » |
Free: