- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
I… *walks away, unwilling to acknowledge that level of ignorance*
Admin
So, who is working at the contractor: Joey or Ross?
Filed under: FP-highlighted that for you.
Admin
I think the solution is to introduce Joey and Monica to Haskell, which is so awesome for recursing tree stuff like this. Also, they'll be so busy proving their solutions are correct to commit any more bad code.
:passport_control:
Admin
Did I miss the introduction of a new author?
Admin
Another thing about that three:
childandsib? Odd choice of variable names; convention is eitherleft/rightorred/black, surely?NoYes; she's been an author for a while now ;)Admin
Admin
Security by "Fuck, I was going to hack this but it takes too damn long. I'm going to get a coffee"
Admin
:wtf:
Admin
Admin
Well, the only introduction I can find is this:
Admin
Her first article was in early February:
http://thedailywtf.com/authors/jane-bailey
There have been several new authors as a result of:
http://what.thedailywtf.com/t/the-daily-wtf-wants-writers-again/4028?u=boomzilla
Admin
Hi!
I've been around the forums this whole time really. Used to lurk on the old forums, I think I had like 3 posts. So in that sense, I didn't do an introduction post to the forums because ya'll knew me more or less before I applied for the writing position.
Admin
There's actually a minimal element of truth somewhere hidden in it. For some types of functions, code that takes the time needed for the worst case, and makes all other cases take equally long, can be more secure than code that returns quicker for the easy cases. The usual example is a password validation service: if the time needed to determine that a password is invalid depends on how close it is to the correct password, then timing attacks can easily be used to determine the password.
Unfortunately, Joey probably read something like this, and didn't actually understand any of it, simply remembering it as slow = good, even in cases where it makes no sense whatsoever.
Admin
Am I the only one who, after reading the title, thought of Happy Tree Friends?
Also, Joey seems to have not read the article about slow code carefully - slower code can be indeed more secure, but only in very specific cases, and against very specific attacks: when generating encryption keys, when the algorithm is heavily optimized for speed, the time spent on generating the key can give away what the key is.
Dammit, Hanzo'd.
Admin
My first thought on that subject was about password hashing. Where you want to make it painful for someone trying to brute force passwords.
Admin
Where are Chandler, Phoebe, and Rachel?
Admin
Is it just me or wouldn't each node be visited many more times than twice?
(I hope I didn't introduce any more WTFs by porting this code to Perl)
outputs
't' is the "twice" per node and 'c' is the count of both recursive functions going twice.
Also, it's not a very balanced tree! But I CBF'd actually figuring out where I want my example nodes to appear.
Edit: commenting out the "updateReadOnly" calls in the insert and doing it once after all the inserts shows that the last leaf is touched 12 times. The count is the i+3. and t is once for each node, as expected.
Admin
I realized that 😝 The thing I was missing was the link from Jane bailey to @Yamikuronue
Admin
This, from years ago, seems appropriate: Ideas rattle in his head like mustard seeds in a bass drum.
Admin
That's probably because you haven't been to the Screenshot thread.
oh wait...
You know what's more secure than that? Code that never works! How can you hack something that doesn't actually exist?
Or the Discourse security strategy: Make everything so confusing that anyone who tries to hack it goes insane. Bonus points because after a bout of insanity, you're more likely to join TCotCDCK
Admin
Admin
Er, er, so TRWTF is the variable name "fng"? Short for "fing"? "finger"? Aha, I know!
That's right, guys, this is not a "tree", it's a "fungus".
Admin
No, that's actually a not-so-uncommon way of implementing an N-ary tree without using an arbitrary-length list of child nodes. It means that finding the kth child of a node is now O(k) instead of O(1), which is bad for random access, but if you only ever need to sequentially iterate through the tree, it doesn't hurt.
would be equivalent to
Admin
Yep, it's actually an O(N^2) algorithm, not twice O(N).updateReadOnly()visits every node and callssetReadOnly()on it, andsetReadOnly()is O(N), therefore O(N^2).More precisely, it's ∑(size of the subtree over all nodes); I haven't done a formal analysis, but I'm pretty sure that that comes out to O(N^2) no matter how the tree is balanced.Nope, I'm wrong. It's O(N^2) in the worst case, but still O(N log N) in the best case. In a balanced tree, it's N + 2*(N/2) + 4*(N/4) + 8*(N/8) + ... = O(N log N).
Admin
bcrypt would like a word with you.
Admin
bcryptis used for tree-walking?Admin
I haven't read the article yet. I was just disagreeing with the general proposition that slower code isn't more secure.
Admin
And @RaceProUK was disagreeing with the general proposition that slower code is always more secure :)
Admin
slower code does not imply secure code. secure code can be slow, and slow code can be secure. btu slow code could also be stupod
Admin
:smile:
Admin
bcrypt, widely considered to be secure, is deliberately slow. Quit overthinking my joke. :stuck_out_tongue:
Admin
Admin
yes. but that's slow designed by smart people. not slow designed by stupid people.
it's my brain and i'll overthink if i want to!
Admin
Yes, but it proves the idea that "slower can be more secure" isn't 100% stupid.
Admin
I guess that's correct?
If it takes longer to do things, the software responds slower.
Then it responds slower to brute force.
And it takes longer to complete the attack.
Admin
*waits for @xaade to realise the article is about tree-walking*
Admin
Behind-the-curtain peek: That's exactly what I was thinking Joey read :)
Admin
Admin
+ :moving_goal_post: :deciduous_tree:
Admin
"As an added bonus, ____"
AKA
"It's a feature"
Admin
TRWTF is that this wasn't called, "The One With the Data Tree."
Admin
But there are some astoundingly stupid ways you can implement them. For example, you don't want to run bcrypt on every request, just once a session. Otherwise you'll be like a racing driver towing round an anchor from an ocean liner.
BTDT…
Admin
Message for this member of Burnham Wood. Dunsinane is the other way, dude!
Admin
Not one person (up to now) has commented on the fact that inserting into the tree ignores the WTF-laden purpose of the readOnly flag, thus making "insert" a WTF in its own right.
And giving it an interesting side effect: it inserts the item AND makes the tree read-only. (If the tree wasn't read-only before, too bad, it is now.)
Admin
Sweet. So I was right when I :hanzo:'d @FrostCat
Admin
I'd assumed it was code pruning, though indeed a write-only readonly flag is an even bigger :wtf:
Admin
No.
https://www.youtube.com/watch?v=RO7Q1tMGE7g
Edit:
:wtf: Political commentary, YouTube style:
[image]Admin
Admin
Try again. Each node of the tree has a read-only flag. The :wtf: is strong in that fact(1).
insert()clears the read-only flag of all nodes of the tree, modifies the tree by inserting the passed-in subtree (there are no checks to see if it has NULL child and sibling pointers, therefore it is a subtree, possibly of only one node), and then sets the read-only flag of all nodes of the tree.All that implies that
insert()is more :wtf: than the rest, because it contains all the :wtf: of the rest as well as ignoring the read-only flag and having an incorrect name. A name likeinsert()tends to suggest that we are inserting a single node in the tree, but it inserts a whole tree in the tree ("yo, dawg!"), and therefore should be calledgraft().(2)(1) Seriously, it is. It is possible to have a tree which is read-only in some areas, and read-write in others.
(2) But even this name is :wtf: because nothing stops me calling
x.insert(x);or eventhis.child.child.child.insert(this);(from inside a member function, duh), so the name should bemangle().Admin
graft() is sufficient; nothing stops one from grafting a tree to itself: [image][image]