- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Admin
Unique comment: first
Admin
It shows time and again that the human mind is not capable of understanding random. Just remember the dwtf where someone appended a random number to a guid to make sure it was REALLY unlikely to get a duplicate.
Admin
Those 'experts' may want to read up on the Birthday Paradox.
Admin
It's not just random most don't understand..
I had the following discussion yesterday with two colleagues. There was a box for recycling batteries and it said on the box:
"Put here your used batteries: (...)alkaline batteries, cellphone batteries, other wireless equipments batteries."
I asked my colleagues "What about batteries existing in wired equipments?" Their response "Batteries don't make sense on wired equipments". Me: "What about an UPS?"
This is the difference between a programmer: requirements list in -> code out, and an engineer/architect/developer: requirements in -> solution out
In today's story, the "Experts" were programmers, and not good ones at it...
Admin
FFS. WTF. And many other shortisms containing the letter F.
The jolly[*] Experts have forgotten the most important thing about this task. The real linking information should be the device IDs. Each device needs a way of finding the device ID of its partner-to-be, in this case via the server. It is harder than pairing Bluetooth devices because it is mediated by the server, but it isn't hard. Users presumably don't want to have to enter whole device IDs, so supporting some sort of "friendly mode" number would be a requirement, but like all user-oriented friendly-mode data, it should not be the main key in any table.
Device 1 sends its device ID to the server, and asks for a number. The server generates a number and stashes it alongside the device ID in the database, along with an expiry date/time. The number then goes down to the device. The device displays the number, and the user enters it on device 2. Device 2 sends this number and its device ID to the server. The server finds the number in the "waiting" table and transfers the pairing (combination of device IDs) to the "complete" table.
You have some constraints:
I can be reasonably sure that this procedure will work better than what the Experts came up with. The uniqueness constraint only has to work for data with a TTL of five minutes or so.
And their database-server relationship is a serious WTF as well, if one failed insert can stuff up all database activity.
[*] "jolly" as used here does not mean "happy"...
Admin
Admin
There is a lot of music equipement that is (or can be) battery powered and it is not wireless.
Admin
I'm not saying it could be processed. I was just responding to the "batteries don't make sense in wired equipments", as well pointing the flaw in the box listing: I could put all kind of batteries (rechargeable or not). Why not an UPS battery? My wireless equipment can't have also a lead acid battery?
Admin
An example of a device which has a lead acid battery, but no wires: a car.
Admin
To clarify: I know a car has wires; but it doesn't plug into mains power.
Admin
This discussion about the Battery Box perfectly shows what the problem with most "technical" people is: they are too literal sometimes. While it certainly is part of being a "technical" person, there are situations where being 100 percent techically correct is, well, unnecessary. This usually ends up in very abstract, generic descriptions of stuff, nobody really understands anymore. Kind of like the legalese lawyers tend to produce.
Admin
Admin
To achieve true randomness, you need to cage an ill educated teenager, give them a phone, and hook it up to some kind of voice detection device. Then, every time you need a number, simply return the number of times they said/txted the word 'random' in an inappropriate context in the last second.
It should give you a reasonably even distribution across the range of unsigned 32 bit integers, with no cyclical repetition.
Admin
Why use random at all? Just use sequential numbering in the temporary connection table, then remove all lines once connection has been established or the connection has timed out. That way there is no risk of collision at all and likely the user will never see a number higher than 10 (depending on how much the system is used of course).
Admin
This story reminds me of a company I worked for a long time ago... in order to get access to a online community, you had to call a 0900 number, listen to some gibberish for 5 minutes and then write down a PIN, which would give you 24 hours of access. The PIN had 4 digits. I told the project lead that I thought that 4 digits in my opinion was definitely not enough (I'll leave the reasons for the reader as an exercise), but was rebuffed. So I wrote a small script that automatically tried PINs on the community's login page, ran it a few times, got valid PINs in less than two hours with just a handful of users being present in the system, and sent him the script together with the results. Reluctantly he then changed the number of digits to 6.
Lesson learned: when it comes to access code security some people have a very low risk awareness. If those people are project leads, it's up to the developer to make them see the light. Which is ok, it's your company, it's your job etc etc. But if you outsource such critical functionality to some self-acclaimed (offshore) "Experts", you will not get that feedback, because the contractor has no vested interest in getting your system airtight. He will develop to specs, and if your specs are lousy, a lousy soilution is what you'll get.
Which is why I would never outsource: the amount of time it takes to think things through and develop watertight specs can easily be in the same region as developing the solution incrementally inhouse.
Admin
Gosh. If only the pesky framework vendors could provide some way to generate a Globally Unique ID...
Do you know what would be good, too? Once they had found some way to devise a Globally Unique ID [ I'm gonna shorten that to "guid" (tm) ] they could maybe try encapsulating it into a type so that the experts, and us amateurs, could use it easily?
And maybe, just maybe, in Oracle 13 or SQL Server 2016, we could get native support for this "guid" invention in the database?
Ahhh... we can but dream...
Admin
It seems to be one of the hardest concepts to get across to non-technical people -- and even technical people, far too often: in computer networks of any kind, you never know who you're talking to.
People will impulsively say "oh we'll just look at the device ID" as if "problem magically solved". How will you see the device ID? "The device will send it." OK that's called trusting the user. Users can lie. Devices can lie. Software can lie.
"But what are the chances of someone else guessing my device ID?"
So you admit it could happen. You're just hoping it doesn't happen very often. Still, how do you want the system to behave in those rare cases when it does happen? You don't care? Random behavior? System crash? Money stolen? Which outcome do you want?
"I don't want to think about it."
OK, now we're getting closer to the truth. So back off a step and admit you didn't think about your "solution" either.
Leave designing to designers and go back to painting your toenails or whatever it is you supposedly do to add value around here.
Admin
Admin
Admin
Solutions that can be found on the internet tend to center around a machine's MAC-address.
MAC-addresses in a way already are guids and will all be used up in the not-too-far-away future (an extended MAC-address format is already in the planning stages, I think).
And why would you need that? Just use a string to store your guids.Admin
Use of alphabetic or alphanumeric sequences is advantageous because the number of possible codes of a particular length is much higher than for pure decimal-numeric. Restricting the maximum length is a critical factor for the human user, while maximising the number of combinations is a critical factor for the database. 266 is larger than 108 (308915776 vs 100000000), and if you borrow one slot for a check digit, that's still 11881376 versus 10000000. If you assume that six digits / letters is the maximum usable, then I'd definitely go for alphabetic at least, maybe even alphanumeric.
The key thing to remember is that the pairing codes are for people first and computers second. Make them align with people's expectations, not the convenience of programmers. You can also help distinguish them by including a fragment of the device ID or serial number in the code. If you extend the device ID to 8 characters, you get 6 hex characters from the bottom 24 bits of the device's MAC address and 2 full alphanumeric from the "random" process. Using full alphanumeric, you can code the bottom 24 bits of the MAC in five characters, and then add two characters of random and one check digit for the eight. Sounds like a win to me.
(EDIT: note the assumption that the device ID is a MAC address...)
Admin
Admin
Admin
I could then enter 1 on my device at any time and I could likely pair with someone else's device. That would probably be a security issue.
Admin
These aren't described as e.g. secure elements for bank transactions and if they were, well, there are extensive protocols for identification and authentication of communications with such devices. All such protocols are at least resistant to simple brute force guessing, and other elements can be layered over the simple protocol in order to increase their resistance.
Of course, the RWTF here is that they have devices that can be / are paired via a server. Bluetooth pairing by passage of PIN codes is reasonable because it is done locally, usually in the presence of trustable devices. (And, of course, if you manage to sneak in and pair with my headset when I tell it to pair, I'll notice that because my headset won't work with my phone, but will allow me to use yours to make calls if you have voice dialling...)
You have to answer some occasionally-difficult questions, like "can I lose enough in an attack, including cost-to-fix, to justify the expense of this defence?". For the Bluetooth phone and headset, the cost of the defence had better be really close to zero, because if I wind up with my headset paired with the attacker's phone, he loses when I accidentally call some 0900 premium number, not me. That's not true if he manages to sneak in exactly the same brand+model of headset as the one I went to buy, and tricks me into pairing with his, but my defence is to not activate voice dialling (which I don't want active anyway - I've never had much success with it, so I don't see why I should burn battery life on it). And fixing the mis-pair is a simple case of repeating the pairing process until I manage to get my devices correctly paired. For a banking secure element, the cost of defending can (should) be higher because my losses are greater and the attacker's gains are higher.
Admin
The primary key would keep counting up even after the rows are cleared, that's why he said "probably not see a number over 10 digits".
Admin
Nevertheless, if I mis-type the last digit, I will likely pair with a device on the system, but not the one I intended.
Admin
Solution:
Get the user to type a full GUID and stop being "user friendly" if it compromises robustness. A GUID is what it takes to ensure uniqueness, otherwise we'd have something other than a GUID.
Device A displays GUID.
Device B inputs GUID. Sends to server.
Hit finish on Device A.
Device A sends to server.
If they match, pairing is complete.
That way device A can't send whatever it wants to server that device B wouldn't have a way of knowing what that was.
Admin
You. You are what's wrong with modern application design, especially design by small teams of technical people. "No, we don't need the app to be usable -- it just has to be secure/standards compliant/inflate my ego".
If your app required typing a 32-character length string on a smartphone correctly in less than 5 minutes, I'd probably start looking to your competitor's products, or worse, if I really needed the app and there were no alternatives, design one of my own.
A randomly generated 6-character string with some built-in check (modulo?) is sufficiently secure (the key expires after 5 minutes anyway) and does not cause your users to loathe your application and curse it to the eighth circle of hell.
Admin
The ID was used as a socket number for communication between the two devices. Think "remote control" pairing remote with device it should control. It was deemed safe enough as it was also checked if the same subnet is present. Not really convincing me either, but hey, I'm not the expert, right?
The Device ID was used as a seed, and then some random number added to the seed. IE: A random number...
The story goes on:
After this stellar patch to which they said I have to add it to the production system before they do any more work (and so I did) I was fed up with the stupidity of this.
I told them to simply add a check, since their code already has access to the db, to see if the generated key is present. If it is, generate a new one, repeat until you find one, stop at 10 tries and return a proper error.
The solution we got: Look up if the key exists. If it does, throw an exception with the response from the db server from the lookup (something along the lines, 1 entry found), which a) shows up on the users screen and b) halts the entire application.
It's sad when a Dilbert comic seems more real to you than what you experience in your job in 2013....
Admin
The worst part is that deterministic can't be explained to most of them either.
That's why we see code like this:
if (a > 0) { println("The result is:" . a); } if (a > 0) // just in case we swapped universes since the previous if { whatever; }Admin
Sigh... the sarcasm was clearly wasted on you, wasn't it? I meant that every decent language / framework already supports guids (and they are no longer based on MAC addresses and the changes of any two being non-unique are infinitesimally small) and that databases already support guids as a type.
OK, next time I will post the boring, fact-filled version rather than attempt to be pithy.
Admin
Hmm, yeah, if that is a concern then sure, random would be useful. (captcha:) causa security.
Admin
DEVICE ID'S ARE NOT ALWAYS UNIQUE. MAYBE STEVE THE CYNIC NEEDS TO READ THIS.
https://code.google.com/p/android/issues/detail?id=10603
Admin
This is exactly why we have such poor security in so many products: Because, "It's someone else who loses so why do I care?"
How about if it's his headset "accidentally" paired with your phone and you're the one paying for his $20 per minute 900 number?
And the best part is, you paid much more for that cool, luxurious, voice dialing (because you always pay more for luxury) then you would have paid for security--and you had to turn off that luxury you paid for in order to defend yourself from his attack.
Their are a lot of anti-social people in society. That's why we have to have locks on our doors and windows; to keep those anti-social people out.
Companies that make systems and software won't do that: If they were building a house, none of the doors or windows would have locks; anyone could just walk into the house and help themselves. And the company response? "Well, just nail all those doors and windows shut, and no problem."
Admin
What is going on in the WTF comment section?
guid's? Are you people seriously expecting end users to fill all of that in to pair devices?
The reason they picked a smaller number (and it's not a good reason) is because if you make it larger, the user now has to do more work.
The WTF in this story isn't the appalling lack of statistics on display. It's this method they chose of pairing the devices in the first place.
Despite the title, the solution to this problem is not "Try More Random"
Admin
OK!!1
STOP YELLING!!!1!
Admin
You are what's wrong with any software that needs to be secure. The reason why random retail sites are exploited and easily hacked causing millions of damage to people and countless hours wasting on resolving disputes with banks and accountants and else.
Why the hell are you pairing a smartphone over a network without just using bluetooth or some other solution? Why do you need to pair to printer to print.
If pairing like this is the only solution, then the user better be prepared to input a significantly secure key.
Hacking up security with a randomized 6 digit string is not a solution. Not to mention having to increase server code complexity 10 fold to ensure you don't accidentally pair up the wrong device. (Looking at you Sprint. Sending the wrong text messages to the wrong phones)
If you don't like the solution, then look for another one, don't blame the security for being non-user-friendly.
Go ahead, look for a competitor or write one yourself, but when your bank account is hacked and you're spending months fixing your credit score, don't come crying to me.
Admin
we can dream if we are in .... 2000? because SQL Server 2005 already supports GUIDs.
Admin
The Lead-Acid cells in the rest of the world commonly goes under the name accumulator to distinguish them from just batteries. In effect everything called a rechargeable battery is an accumulator, if not rechargeable then it is a battery.
Admin
And now it make sense!
Admin
Really just no wrong, totally wrong. What you do is let the server generate the friendly keys. Device A calls a web service, which inturn evokes a stored procedure that works on the [dev_id, friendly-mode_num, ttl] relation. The procedure using transactions to avoid any races, returns a value that unique among non-expired ttls. The Web service sends the pairing number back to device A, user enters the number on device B
Admin
Congratulations on completely missing the point and showing what an utter moron you are. I wouldn't let you near any UI design, just as much as I'd would let you near any security design.
Security is determined in function of how secure something has to be. For a bank account, sure, go ahead and ask me to type a longer string. For pairing two devices? Especially two devices with limited input capabilities?
There is this joke about asking a user to type an 11-digit prime to continue. While admittedly very secure, coming up with an 11-digit prime is a rather compicated task for an end user. That also why we don't say "Please copy this 4096-bit coprime", which several magnitudes more secure than a measly random 128-bit number as you are suggesting.
Security should not be something that complicates a user's interface. On the other side, user friendliness is not a good reason for a sloppy security. Your job as a designer is to find the golden mean. And apparently, you seem to be unable to do so. Any design that requires a user to remember and write down large amounts of data, especially on an interface not designed to do so, is a crappy design.
If the application really needs to be secure, and you feel the only way is to transfer a key of significant length, why not use a QR code?
As a software developer, I'd expect you are able to:
a) see the problem (we need to transfer a large enough key) b) come up with a solution (let the user type a key) c) see potential problems with your solution (typing in a long key on a smartphone is very annoying) d) consider alternative solutions (shorter key? other way of transferring key?) and their respective problems.
Since you can't seem to be able to do either c) or d) and you still want to call yourself a developer, I'd say that you're either 1) incompetent 2) unable to see your own mistakes or 3) drunk.
Admin
Of course the most random, secure method would be to have each user write the first 50 digits that they can think of in Sharpie on a busted BMW E46 window regulator (those are not in short supply) and mail it to "Secure Connections, Box 3500 Harvard Square, Cambridge, MA 02238" and wait 6-8 weeks for the other device to be paired.
Admin
Admin
Reminds me of rvar = rand() + rand() / 2; which was justified as twice as random as calling the function once.
Admin
you're missing these: ()
Admin
"That person doesn't want to socialize with me? I need to be damn sure he can't get into my house!"
Admin
You're confusing anti-social with non-social.