1700: "New Bug"

ps.02
Posts: 378
Joined: Fri Apr 05, 2013 8:02 pm UTC

1700: "New Bug"

Postby ps.02 » Wed Jun 29, 2016 4:50 am UTC

Alt-text: There's also a unicode-handling bug in the URL request library, and we're storing the passwords unsalted ... so if we salt them with emoji, we can close three issues at once!

A pretty horrifying bug! Racking my brain a bit to come up with a plausible chain of requirements or circumstances in which this bug could ever arise. So far all I've got is someone using a JS framework with extreme incompetence, but even then.... Nice solution in the alt text, too.

I was a bit WTF when I noticed a POP client in 1993 that wouldn't authenticate if your password had a space in it. But at least nothing crashed as a result.

SomeoneSomewhere
Posts: 34
Joined: Tue Jul 02, 2013 4:51 am UTC

Re: 1700: "New Bug"

Postby SomeoneSomewhere » Wed Jun 29, 2016 5:22 am UTC

Skype, and probably some other similar sites, crawls every URL you send. Even if not publicly. Part of the puzzle is probably this, but applied to everything POSTed to the server including the password.

As for why it crashes if the link resolves, maybe the site attempts to tie that page to a record of where the link was found, and the password field is excluded from having such an ID generated?

TV4Fun
Posts: 93
Joined: Mon Oct 01, 2007 5:45 am UTC
Location: Certifiable C++ Programmer

Re: 1700: "New Bug"

Postby TV4Fun » Wed Jun 29, 2016 5:34 am UTC

Is the password ever passed as an argument to a GET query? I can imagine a case where that would cause the problem.
$_[0] wrote:rule 2:
Once a relationship ends, physical access to all relevant machinery is denied.

SomeoneSomewhere
Posts: 34
Joined: Tue Jul 02, 2013 4:51 am UTC

Re: 1700: "New Bug"

Postby SomeoneSomewhere » Wed Jun 29, 2016 6:16 am UTC

TV4Fun wrote:Is the password ever passed as an argument to a GET query? I can imagine a case where that would cause the problem.

Bad practice, but it likely happens.

glasnt
Posts: 539
Joined: Fri Jan 25, 2008 5:18 am UTC
Location: SQUEE!

Re: 1700: "New Bug"

Postby glasnt » Wed Jun 29, 2016 6:46 am UTC

It's plausible if the passwords are checked against actual word dictionaries... Stored online... And or mongo

But that Alt text. Bloody hell. Obligatory cry of "Randall get out of my head"

Pfhorrest
Posts: 4572
Joined: Fri Oct 30, 2009 6:11 am UTC

Re: 1700: "New Bug"

Postby Pfhorrest » Wed Jun 29, 2016 6:56 am UTC

re: alt text, would that really solve three issues? wouldn't it be exploiting one issue to solve another issue as a byproduct of just normally solving the third? i.e. you solve the unsalted passwords by salting them, duh. if you salt them with emoji, then because of the unicode-handling bug for resolving URLs, the passwords will no longer resolve as URLs, solving the main problem. (or well, circumventing it at least; something is still obviously being done horribly, horribly wrong somewhere).
Forrest Cameranesi, Geek of All Trades
"I am Sam. Sam I am. I do not like trolls, flames, or spam."
The Codex Quaerendae (my philosophy) - The Chronicles of Quelouva (my fiction)

leafar
Posts: 14
Joined: Wed Dec 03, 2014 3:57 pm UTC

Re: 1700: "New Bug"

Postby leafar » Wed Jun 29, 2016 7:00 am UTC

xkcd: Posts a comic using an absurd scenario for humorous purposes.
xkcd readers: Spend hours discussing ways in which absurd scenario could actually happen.

JimsMaher
Posts: 145
Joined: Wed Mar 14, 2012 5:14 pm UTC

Re: 1700: "New Bug"

Postby JimsMaher » Wed Jun 29, 2016 7:12 am UTC

I'd like to salt my emojis with bugs. That is to say, how can I glitch up my texts and forum posts?

I know that years ago there were occasional issues on here with posts overlapping others or themselves. I wish I had them bookmarked. Is that still a bug in some browsers? I think it was in Firefox circa 2012.

ps.02
Posts: 378
Joined: Fri Apr 05, 2013 8:02 pm UTC

Re: 1700: "New Bug"

Postby ps.02 » Wed Jun 29, 2016 7:20 am UTC

Pfhorrest wrote:re: alt text, would that really solve three issues?

No, he miscounted. It solves 2 issues. Unless you count as a third issue the desire for the senior dev to destroy the project with fire. The salty emojis ought to change his plan more toward putting up razor wire around the whole shop and having it declared a Superfund site.

Xenomortis
Not actually a special flower.
Posts: 1420
Joined: Thu Oct 11, 2012 8:47 am UTC

Re: 1700: "New Bug"

Postby Xenomortis » Wed Jun 29, 2016 8:32 am UTC

Salting with emoji would solve two issues (salted passwords are no longer resolvable URLs, passwords are now salted), but also require the unicode bug to be fixed (for three issues).

Wee Red Bird
Posts: 177
Joined: Wed Apr 24, 2013 11:50 am UTC
Location: In a tree

Re: 1700: "New Bug"

Postby Wee Red Bird » Wed Jun 29, 2016 8:54 am UTC

Several people will be panicking right now while they test their password entry fields for urls and SQL injection

orthogon
Posts: 2876
Joined: Thu May 17, 2012 7:52 am UTC
Location: The Airy 1830 ellipsoid

Re: 1700: "New Bug"

Postby orthogon » Wed Jun 29, 2016 8:55 am UTC

Xenomortis wrote:Salting with emoji would solve two issues (salted passwords are no longer resolvable URLs, passwords are now salted), but also require the unicode bug to be fixed (for three issues).

I also heard that emoji have lower sodium content, so you can add high blood pressure to the list of problems addressed.
xtifr wrote:... and orthogon merely sounds undecided.

Wee Red Bird
Posts: 177
Joined: Wed Apr 24, 2013 11:50 am UTC
Location: In a tree

Re: 1700: "New Bug"

Postby Wee Red Bird » Wed Jun 29, 2016 9:06 am UTC

orthogon wrote:
Xenomortis wrote:Salting with emoji would solve two issues (salted passwords are no longer resolvable URLs, passwords are now salted), but also require the unicode bug to be fixed (for three issues).

I also heard that emoji have lower sodium content, so you can add high blood pressure to the list of problems addressed.


But which Emoji will it be salted with? The hacker's first guess will be the poop one.

xtifr
Posts: 322
Joined: Wed Oct 01, 2008 6:38 pm UTC

Re: 1700: "New Bug"

Postby xtifr » Wed Jun 29, 2016 9:22 am UTC

ps.02 wrote: Racking my brain a bit to come up with a plausible chain of requirements or circumstances in which this bug could ever arise.

Misguided code reuse. Password input uses library function used throughout the system which attempts to do something "intelligent" with urls found in general input. Handy for user posts; terrible for passwords.

Or, simpler scenario, the system tries to reject the password, but a bug in the password rejection code causes the crash.
"[T]he author has followed the usual practice of contemporary books on graph theory, namely to use words that are similar but not identical to the terms used in other books on graph theory."
-- Donald Knuth, The Art of Computer Programming, Vol I, 3rd ed.

Eternal Density
Posts: 5544
Joined: Thu Oct 02, 2008 12:37 am UTC

Re: 1700: "New Bug"

Postby Eternal Density » Wed Jun 29, 2016 9:30 am UTC

The phrase "salted with Emoji" needs to not exist.
Play the game of Time! castle.chirpingmustard.com Hotdog Vending Supplier But what is this?
In the Marvel vs. DC film-making war, we're all winners.

lorb
Posts: 404
Joined: Wed Nov 10, 2010 10:34 am UTC
Location: Austria

Re: 1700: "New Bug"

Postby lorb » Wed Jun 29, 2016 10:28 am UTC

Xenomortis wrote:Salting with emoji would solve two issues (salted passwords are no longer resolvable URLs, passwords are now salted), but also require the unicode bug to be fixed (for three issues).


Contrary. It requires the unicode bug _not_ to be fixed, because if unicode is parsed correctly there is nothing stopping emojis being part of legal and thus resolvable urls. You can try it at http://www.xn--vi8hiv.ws/. I would post such an url but the forums software wouldn't let me.
Please be gracious in judging my English. (I am not a native speaker/writer.)
http://decodedarfur.org/

Xenomortis
Not actually a special flower.
Posts: 1420
Joined: Thu Oct 11, 2012 8:47 am UTC

Re: 1700: "New Bug"

Postby Xenomortis » Wed Jun 29, 2016 10:42 am UTC

I'm pretty sure emoji forming valid URLs was mentioned in Revelation as the trigger for Ragnarok and herald of the end times.
I may have got some of that wrong, but I'm certain it means that Zeus is unhappy.

Soupspoon
You have done something you shouldn't. Or are about to.
Posts: 3274
Joined: Thu Jan 28, 2016 7:00 pm UTC
Location: 53-1

Re: 1700: "New Bug"

Postby Soupspoon » Wed Jun 29, 2016 10:52 am UTC

Wee Red Bird wrote:But which Emoji will it be salted with? The hacker's first guess will be the poop one.
Well, my first guess would start "<forum does not allow this1, drat... >", but the next character eludes me...

1
Spoiler:
Photo - 02016-50-29-11-50-50.jpg
Last edited by Soupspoon on Wed Jun 29, 2016 11:45 am UTC, edited 1 time in total.

lorb
Posts: 404
Joined: Wed Nov 10, 2010 10:34 am UTC
Location: Austria

Re: 1700: "New Bug"

Postby lorb » Wed Jun 29, 2016 11:17 am UTC

From a technical point of view there is not much difference between an emoji url and http://見.香港/
Please be gracious in judging my English. (I am not a native speaker/writer.)
http://decodedarfur.org/

cellocgw
Posts: 1883
Joined: Sat Jun 21, 2008 7:40 pm UTC

Re: 1700: "New Bug"

Postby cellocgw » Wed Jun 29, 2016 12:14 pm UTC

ps.02 wrote:
A pretty horrifying bug! Racking my brain a bit to come up with a plausible chain of requirements or circumstances in which this bug could ever arise. So far all I've got is someone using a JS framework with extreme incompetence, but even then.... Nice solution in the alt text, too.

I was a bit WTF when I noticed a POP client in 1993 that wouldn't authenticate if your password had a space in it. But at least nothing crashed as a result.


True story: I had a friend who ran a small software shop which wrote tools for telephone companies. They ran into a problem with a phone-number lookup tool: it worked just fine unless the name of one specific business was entered, at which point the entire app crashed. I never found out how they solved it (and the 3 principles of that company who worked this problem are all deceased now). After having sat in on a couple of their discussions of this bug, I could easily believe the bug in this cartoon is a real one.
Last edited by cellocgw on Wed Jun 29, 2016 12:23 pm UTC, edited 1 time in total.
https://app.box.com/witthoftresume
Former OTTer
Vote cellocgw for President 2020. #ScienceintheWhiteHouse http://cellocgw.wordpress.com
"The Planck length is 3.81779e-33 picas." -- keithl
" Earth weighs almost exactly π milliJupiters" -- what-if #146, note 7

cellocgw
Posts: 1883
Joined: Sat Jun 21, 2008 7:40 pm UTC

Re: 1700: "New Bug"

Postby cellocgw » Wed Jun 29, 2016 12:17 pm UTC

Pfhorrest wrote:re: alt text, would that really solve three issues? wouldn't it be exploiting one issue to solve another issue as a byproduct of just normally solving the third? i.e. you solve the unsalted passwords by salting them, duh. if you salt them with emoji, then because of the unicode-handling bug for resolving URLs, the passwords will no longer resolve as URLs, solving the main problem. (or well, circumventing it at least; something is still obviously being done horribly, horribly wrong somewhere).


Either you win the igotwhooshed award of the week, or there's a variant of Poe's Law which applies to straight-line responses to sarcastic posts that just trapped me.
https://app.box.com/witthoftresume
Former OTTer
Vote cellocgw for President 2020. #ScienceintheWhiteHouse http://cellocgw.wordpress.com
"The Planck length is 3.81779e-33 picas." -- keithl
" Earth weighs almost exactly π milliJupiters" -- what-if #146, note 7

Copper Bezel
Posts: 2416
Joined: Wed Oct 12, 2011 6:35 am UTC
Location: Web exclusive!

Re: 1700: "New Bug"

Postby Copper Bezel » Wed Jun 29, 2016 12:45 pm UTC

Not really, though? See, that solution really would - it's technically true - resolve the described issue in two of the three bugs. Since technically is the most important kind of true, follows the humor. It certainly wouldn't make the joke less funny if the solution "solved" all three; arguably, it would be even more satisfying, though perhaps not at the loss of elegance and thrift that might be required to do that. In any case, there's no woosh here, because Pfhorrest is actually not missing the humor.
So much depends upon a red wheel barrow (>= XXII) but it is not going to be installed.

she / her / her

Himself
Posts: 147
Joined: Sat Aug 27, 2011 4:17 am UTC

Re: 1700: "New Bug"

Postby Himself » Wed Jun 29, 2016 1:03 pm UTC

For a moment I thought the punchline would be that the bug was an actual insect.
"Looking me am a civilization person"
-Ratio Tile

HES
Posts: 4857
Joined: Fri May 10, 2013 7:13 pm UTC
Location: England

Re: 1700: "New Bug"

Postby HES » Wed Jun 29, 2016 1:32 pm UTC

In the alt text "solution", the unicode issue is no longer a bug - it becomes a feature!
He/Him/His

cellocgw
Posts: 1883
Joined: Sat Jun 21, 2008 7:40 pm UTC

Re: 1700: "New Bug"

Postby cellocgw » Wed Jun 29, 2016 3:06 pm UTC

And what should show up in today's thedailywtf article but

And we're not even going to go into how the tool mistook email addresses for websites it had to crawl.


Coincidence? Conspiracy?
https://app.box.com/witthoftresume
Former OTTer
Vote cellocgw for President 2020. #ScienceintheWhiteHouse http://cellocgw.wordpress.com
"The Planck length is 3.81779e-33 picas." -- keithl
" Earth weighs almost exactly π milliJupiters" -- what-if #146, note 7

Quizatzhaderac
Posts: 1530
Joined: Sun Oct 19, 2008 5:28 pm UTC
Location: Space Florida

Re: 1700: "New Bug"

Postby Quizatzhaderac » Wed Jun 29, 2016 5:39 pm UTC

I had one of these lighter fluid solutions earlier this week. If it was a school project it'd still probably be a b+.
cellocgw wrote:The 3 principles of that company who worked this problem are all deceased now.
The infamous sixth sigma: Death is the price for failure.
The thing about recursion problems is that they tend to contain other recursion problems.

flicky1991
Like in Cinderella?
Posts: 720
Joined: Fri Feb 11, 2011 3:36 pm UTC
Location: London

Re: 1700: "New Bug"

Postby flicky1991 » Wed Jun 29, 2016 5:58 pm UTC

Himself wrote:For a moment I thought the punchline would be that the bug was an actual insect.
He's done that before though. Strip 1493.
any pronouns
----
Forum Games Discord
(tell me if link doesn't work)

Himself
Posts: 147
Joined: Sat Aug 27, 2011 4:17 am UTC

Re: 1700: "New Bug"

Postby Himself » Wed Jun 29, 2016 7:20 pm UTC

Yeah though given the theme of late it would be interesting if this guy's inept programming would lead to insects infesting his computer.
"Looking me am a civilization person"
-Ratio Tile

Apeiron
Posts: 118
Joined: Tue Feb 12, 2008 5:34 pm UTC

Re: 1700: "New Bug"

Postby Apeiron » Thu Jun 30, 2016 12:52 pm UTC

Ones... the plural of ONE.

vodka.cobra
Posts: 370
Joined: Thu Mar 27, 2008 6:50 pm UTC
Location: Florida

Re: 1700: "New Bug"

Postby vodka.cobra » Fri Jul 01, 2016 3:11 pm UTC

I've had several people independently ask me if this comic was inspired by my GitHub comments over the years, especially when reporting security vulnerabilities.

Suffice to say, this is now my favorite XKCD comic.
If the above comment has anything to do with hacking or cryptography, note that I work for a PHP security company and might know what I'm talking about.

Quizatzhaderac
Posts: 1530
Joined: Sun Oct 19, 2008 5:28 pm UTC
Location: Space Florida

Re: 1700: "New Bug"

Postby Quizatzhaderac » Tue Jul 05, 2016 4:46 pm UTC

Apeiron wrote:Ones... the plural of ONE.
Yes? If you were learning English on duolingo the word "ones" would be, like, the second week. It's a perfectly grammatical form that is also necessary to describe multiple discrete items in a context specific way.
The thing about recursion problems is that they tend to contain other recursion problems.

