Conversation

Notices

  1. Fish of Rage (sun@shitposter.world)'s status on Sunday, 12-May-2024 17:14:24 JST
    no spaces or multi-byte characters is a new one for me.
    In conversation about a year ago from shitposter.world permalink

    Attachments


    1. https://media.shitposter.world/shitposter.club/f21c780b5a25dc464cc348a8855c0c39ae5efaba341081e86955269bb77632d3.png?name=CwdheCys00zSLQ.png
    • 「セル」cell (سل) (cell@pl.ebin.zone)'s status on Sunday, 12-May-2024 17:21:32 JST
      in reply to
      • 「セル」cell (سل)
      @sun was it iso-8859-1?
      In conversation about a year ago permalink
      Fish of Rage likes this.
    • 「セル」cell (سل) (cell@pl.ebin.zone)'s status on Sunday, 12-May-2024 17:21:33 JST
      in reply to
      @sun what 8-bit ascii extension does utf-8 conform to?
      In conversation about a year ago permalink
    • Zergling_man (zergling_man@sacred.harpy.faith)'s status on Sunday, 12-May-2024 17:22:07 JST
      in reply to
      • Zergling_man
      @sun Actually 🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔🤔 would be a pretty secure password.
      In conversation about a year ago permalink
      Fish of Rage likes this.
    • Zergling_man (zergling_man@sacred.harpy.faith)'s status on Sunday, 12-May-2024 17:22:09 JST
      in reply to
      @sun Well fuck you too, I want to use 🤔 in my password for maximum security.
      In conversation about a year ago permalink
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Sunday, 12-May-2024 17:23:33 JST
      in reply to
      @sun Ah yes, proprietary data handling software that can't handle spaces or UTF-8 (in decent software you just memcpy the password into the format the salting and hashing function requires and such function doesn't care if it has spaces or multibyte characters in it).

      That's a possible code injection vulnerability I reckon - you just need to bypass the client side checks.
      In conversation about a year ago permalink
    • Fish of Rage (sun@shitposter.world)'s status on Sunday, 12-May-2024 17:59:40 JST
      in reply to
      • 翠星石
      • ロミンちゃん
      @romin @Suiseiseki if a site tells me that I can't have spaces (even leading or trailing) I assume that my data is touching a shell script somewhere lol
      In conversation about a year ago permalink
    • ロミンちゃん (romin@shitposter.world)'s status on Sunday, 12-May-2024 17:59:41 JST
      in reply to
      • 翠星石
      @Suiseiseki @sun
      >in decent software you just memcpy the password into the format the salting and hashing function requires and such function doesn't care if it has spaces or multibyte characters in it
      you can't do that, you need to normalize the unicode string first, that'd be awful software :l_sigh:
      In conversation about a year ago permalink
    • Fish of Rage (sun@shitposter.world)'s status on Sunday, 12-May-2024 18:03:57 JST
      in reply to
      • 翠星石
      • ロミンちゃん
      @romin @Suiseiseki you are right about unicode I just meant specifically from the image about leading or trailing spaces. it's probably just to prevent copy-paste mistakes but I'm still wary.
      In conversation about a year ago permalink
    • ロミンちゃん (romin@shitposter.world)'s status on Sunday, 12-May-2024 18:03:58 JST
      in reply to
      • 翠星石
      @sun @Suiseiseki nah recall that there are multiple space characters in unicode, nips have one for instance, this is 200% a "don't wanna handle unicode strings" issue
      In conversation about a year ago permalink
      Fish of Rage likes this.
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Sunday, 12-May-2024 18:41:47 JST
      in reply to
      • charliebrownau
      @charliebrownau Watching the video, despite good intentions, you're unfortunately confusing people who have likely never heard of the concept of software freedom by giving them the wrong ideas.

      If you release further videos, please consider how it's everyone's duty when it comes to beginners to get the information across in a non-confusing manner.

      This requires defining and differentiating between free software, "open source", proprietary and commercial software and making sure to use the correct term every time and also making sure to refer to GNU/Linux as GNU/Linux, or your preferred separator or any preferred correct name (LiGNUx for example) - sure this takes 2-3 minutes, but it's certainly worth it.

      >open source document creation
      What does this even mean? Can you define it?

      The only definition for "open source" I've found refers to the licensing of source code; https://opensource.org/osd and the 10 requirements aren't too bad, but such definition still ends up falling short when it comes to software freedom - after all, the "OSI" has approved multiple proprietary licenses.

      Going off the only definition I've found, as most documents don't have source code, it's usually nonsensical to apply "open source" to document authorship.

      >available information to everyone for free
      Why would the freedom of this sort of general information be restricted to the point that payment would be required?

      What license is the video under? I hope you selected a freedom-respecting one.

      >Linux mascot (Tux) in the right corner
      Can you explain the relevance of including this logo?

      Despite it being the poster child of "open source", Linux is NOT "open source", as it isn't even completely source-available.

      >both open code and closed code software
      What does this mean?

      I guess you've abbreviated "open source code software and closed source code software", but that's a very strange way to differentiate between the freedom of free software and the malice of proprietary software.

      >Closed Source Office Suites - ... Only Office ...
      Only office is free software, licensed under the GNU Affero GPL version 3 only, although it is advertised as SaaSS, with most people seemingly not self-hosting it;
      https://en.wikipedia.org/wiki/OnlyOffice?useskin=monobook
      https://www.gnu.org/philosophy/who-does-that-server-really-serve.html
      https://www.gnu.org/licenses/agpl-3.0.html

      The main issue I see is that the "CommunityServer" is mostly C#, which means that such software is trapped to proprietary software from microsoft, despite how the source code itself is free, but I see limited amounts of C# in other implementations, which hopefully would only be for the proprietary "integrations", which the exclusion of is a feature.

      I guess you are pointing out the issues of the SaaSS version of "Only Office", which is indeed free software for them, but the way that was conveyed would be confusing for everyone not on my level.

      >LibreOffice is not available to everyone for free
      LibreOffice is not merely gratis - it's libre.

      It's free software available under either the Lesser GNU GPL version 3 or the Mozilla Public License version 1.1.

      Although it's typically available gratis, you may sell it for any price if you can find a buyer.

      >Available for Linux
      The dependency list is huge, but a direct and indirect dependency is GNU gettext and gnupg (via gpgme), which makes it available for GNU/Linux.

      >portableapps.com is a great site to get various software
      That site doesn't seem that great as it lists quite a few proprietary software programs as "(freeware)" but doesn't give any further details as to what that entails.

      If I was to recommend that site, I would point out it also includes some malware that's marked as "freeware".

      >If you run a business you have to train people to use different sorts of software
      A military compared microsoft office and libreoffice and found out that they were the same training and usability wise.

      >microsoft and other commercial software out there
      You're confusing commercial and proprietary.

      https://www.gnu.org/philosophy/free-sw.en.html#selling

      >you can add passwords ... with other software to libreoffice documents
      LibreOffice does include a built-in password feature, which is now reasonably secure.

      Gnumeric is free software under the GNU GPL version 2 and it's developed for GNU only - considering the GNU right there in the name.

      HomeBank is GPLv2 and depends on GNU gettext.

      According to wikipedia, keepass is GPLv2-or-later but seeing how version 2+ is written in C#, that version is probably proprietary.

      ghostwriter is GPLv3-or-later
      In conversation about a year ago permalink

    • charliebrownau (charliebrownau@poa.st)'s status on Sunday, 12-May-2024 18:41:48 JST
      in reply to
      • 翠星石
      @Suiseiseki @sun Gday

      Just uploaded a video on
      Opensource Document Creation
      poast.tv/w/rszBs6VGRWZzGqF1SM7BA5

      I recently came across
      Plain Text Accounting, sounds good and able to cross platform data
      In conversation about a year ago permalink

      Attachments


      1. https://i.poastcdn.org/8164a88d63ce71cf2a9f54efab803466afb5f913d578cd578d433a162be92659.png
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Sunday, 12-May-2024 18:43:29 JST
      in reply to
      • ロミンちゃん
      @romin A user typing in a non-normalized string is user error tbh.

      Sure you can pass it through a normalization function too.
      In conversation about a year ago permalink
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Sunday, 12-May-2024 18:54:11 JST
      in reply to
      • charliebrownau
      @charliebrownau Then just say GNU then - it's shorter and it's not incorrect.

      I'm not being pedantic - Linux is only a kernel and is not usable unless you at least add systemd; https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/init/main.c#n1494

      If you insist on repeating that error because it's a "nice sounding" buzzword, please at least avoid making the other errors.
      In conversation about a year ago permalink

    • charliebrownau (charliebrownau@poa.st)'s status on Sunday, 12-May-2024 18:54:12 JST
      in reply to
      • 翠星石
      @Suiseiseki The average sheeple wouldn't care fucking less about

      Linux vs GNU/Linux term

      It's hard enough getting them off Windows
      let alone being pedantic about word definitions
      In conversation about a year ago permalink
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Sunday, 12-May-2024 18:57:50 JST
      in reply to
      • pistolero
      @p Extended ASCII is of differing behavior between systems and is not valid UTF-8.

      An error-checking implementation should reject that input for not being valid UTF-8.
      In conversation about a year ago permalink
    • pistolero (p@fsebugoutzone.org)'s status on Sunday, 12-May-2024 18:57:51 JST
      in reply to
      • 翠星石
      • ロミンちゃん
      @romin @Suiseiseki @sun If I use high-ASCII, I don't want it normalized.
      In conversation about a year ago permalink
    • pistolero (p@fsebugoutzone.org)'s status on Sunday, 12-May-2024 18:57:52 JST
      in reply to
      • 翠星石
      • ロミンちゃん
      @romin @Suiseiseki @sun

      > you can't do that, you need to normalize the unicode string first,

      I put control characters in some of my passwords. I would be pissed if something tried to normalize it to UTF-8. It is a bytestring, you reduce the entropy if you normalize it, and hash functions don't care.
      In conversation about a year ago permalink
    • ロミンちゃん (romin@shitposter.world)'s status on Sunday, 12-May-2024 18:57:52 JST
      in reply to
      • 翠星石
      • pistolero
      @p @Suiseiseki @sun control characters aren't multi-byte, they aren't wiped out by normalization as they're utf8 compatible
      In conversation about a year ago permalink
    • pistolero (p@fsebugoutzone.org)'s status on Sunday, 12-May-2024 18:59:56 JST
      in reply to
      • 翠星石
      • ロミンちゃん
      @romin @Suiseiseki @sun What, are we talking about webapps?

      Nevermind.
      In conversation about a year ago permalink
    • pistolero (p@fsebugoutzone.org)'s status on Sunday, 12-May-2024 18:59:56 JST
      in reply to
      • 翠星石
      • ロミンちゃん
      • pistolero
      @romin @Suiseiseki @sun Wait, hold on, their database shouldn't *see* the password. It's supposed to get hashed way before then.
      In conversation about a year ago permalink
      Fish of Rage likes this.
    • ロミンちゃん (romin@shitposter.world)'s status on Sunday, 12-May-2024 18:59:57 JST
      in reply to
      • 翠星石
      • pistolero
      @p @Suiseiseki @sun well tough luck if their database isn't using the right character set
      In conversation about a year ago permalink
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Sunday, 12-May-2024 19:05:06 JST
      in reply to
      • pistolero
      @p It's nothing to do with Unicode, it's how using extended-ASCII is almost guaranteed to cause problems when it comes to later password entry.
      In conversation about a year ago permalink
    • pistolero (p@fsebugoutzone.org)'s status on Sunday, 12-May-2024 19:05:07 JST
      in reply to
      • 翠星石
      @Suiseiseki

      > An error-checking implementation should reject that input for not being valid UTF-8.

      A hash function operates on strings of bytes. There is no need to turn it into Unicode.
      In conversation about a year ago permalink
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Sunday, 12-May-2024 20:11:01 JST
      in reply to
      • white_male
      @white_male No, as the lowest byte on UTF-16 may be larger than 128 and it may even be the NULL char (which truncates C character arrays) and UTF-16 characters may be 4 bytes wide.

      Aside from a few exceptions like the byte order mark, all valid UTF-16 character sequences map with a UTF-8 codepoint, but you'll need to use something like GNU iconv to convert it.

      Still, UTF-16 is a useless encoding, as it leads to a larger filesize than UTF-8 almost always (even for books in Chinese characters, as typically there is much more ASCII formatting than text in book formats as ASCII characters double in size when encoded as UTF-16), it's still multi-width (2 or 4 bytes wide), is not self-synchronizing and has big endian and little endian variants.
      In conversation about a year ago permalink
    • white_male (white_male@poa.st)'s status on Sunday, 12-May-2024 20:11:02 JST
      in reply to
      • 翠星石
      • dobó istván
      • pistolero
      @istvan @p @Suiseiseki Isn't the lower byte of 16bit chars always backwards compatible with UTF8?
      In conversation about a year ago permalink
    • pistolero (p@fsebugoutzone.org)'s status on Sunday, 12-May-2024 20:11:03 JST
      in reply to
      • 翠星石
      @Suiseiseki

      > using extended-ASCII is almost guaranteed to cause problems

      If it works in the places where you wish to use the password, it's fine.
      In conversation about a year ago permalink
    • dobó istván (istvan@noauthority.social)'s status on Sunday, 12-May-2024 20:11:03 JST
      in reply to
      • 翠星石
      • pistolero

      @p @Suiseiseki If there is a problem, it would be different browser and OS environments possibly passing shit as UTF16-LE or UTF16-BE when you expect UTF-8.

      So while you typed the same chars the bytes are different.

      In conversation about a year ago permalink

    • Fish of Rage (sun@shitposter.world)'s status on Monday, 13-May-2024 06:22:08 JST
      in reply to
      • Ignas Kiela
      @ignaloidas oh that is true I forgot that for example there are characters with the accent embedded and there are multibyte characters that are a base character, join character, and accent character.
      In conversation about a year ago permalink
    • Ignas Kiela (ignaloidas@not.acu.lt)'s status on Monday, 13-May-2024 06:22:09 JST
      in reply to

      @sun@shitposter.world tbh I'd think it's mostly that the users don't accidentally make passwords that aren't possible to enter on every device - if you use letters with accents for example, there can be multiple ways to represent that, and it won't hash to the same thing.

      Honestly, a fairly reasonable restriction IMO.

      In conversation about a year ago permalink
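
The encoding points argued across this thread (composed versus decomposed accents, control characters, the ideographic space, extended-ASCII and UTF-16 input), as an added example that is not part of any post: a Python sketch that strictly decodes the password as UTF-8 and applies NFC before hashing. The function names, the PBKDF2 work factor and the sample passwords are assumptions made for this illustration.

```python
import hashlib
import hmac
import unicodedata

ITERATIONS = 600_000  # illustrative PBKDF2 work factor, an assumption of this example


class PasswordEncodingError(ValueError):
    """The submitted bytes are not well-formed UTF-8."""


def canonical_bytes(raw: bytes, form: str = "NFC") -> bytes:
    """Strictly decode as UTF-8, normalize, and re-encode.

    NFC merges canonically equivalent sequences (e + U+0301 becomes U+00E9)
    and leaves ASCII, control characters and U+3000 alone. NFKC additionally
    folds compatibility characters, e.g. U+3000 IDEOGRAPHIC SPACE to U+0020.
    """
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise PasswordEncodingError("password is not valid UTF-8") from exc
    return unicodedata.normalize(form, text).encode("utf-8")


def hash_password(raw: bytes, salt: bytes, normalize: bool = True) -> bytes:
    """PBKDF2-HMAC-SHA256 over the canonical bytes (or the raw bytes as sent)."""
    data = canonical_bytes(raw) if normalize else raw
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)


def verify_password(raw: bytes, salt: bytes, stored: bytes,
                    normalize: bool = True) -> bool:
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(hash_password(raw, salt, normalize), stored)


# Constructed sample inputs: the visible password "café" as two devices might send it.
COMPOSED = "caf\u00e9".encode("utf-8")     # é as a single code point
DECOMPOSED = "cafe\u0301".encode("utf-8")  # e followed by a combining acute accent
SALT = bytes(16)                           # fixed for the demo only; use os.urandom(16)

if __name__ == "__main__":
    stored_raw = hash_password(COMPOSED, SALT, normalize=False)
    stored_nfc = hash_password(COMPOSED, SALT)
    print("raw bytes, second device verifies:",
          verify_password(DECOMPOSED, SALT, stored_raw, normalize=False))
    print("NFC first, second device verifies:",
          verify_password(DECOMPOSED, SALT, stored_nfc))
    print("control character kept:", canonical_bytes(b"a\x07b") == b"a\x07b")
    print("U+3000 under NFC :", canonical_bytes("a\u3000b".encode("utf-8")))
    print("U+3000 under NFKC:", canonical_bytes("a\u3000b".encode("utf-8"), "NFKC"))
    # Latin-1 "é" and a UTF-16-LE submission are both rejected, not silently hashed.
    for bad in (b"caf\xe9", "caf\u00e9".encode("utf-16-le")):
        try:
            canonical_bytes(bad)
        except PasswordEncodingError as exc:
            print("rejected", bad, "->", exc)
```

Hashing the raw bytes keeps every byte the user sent, at the cost that the two spellings of "café" become different passwords; normalizing first trades that for consistent entry across devices.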
    • Fish of Rage (sun@shitposter.world)'s status on Tuesday, 14-May-2024 05:29:34 JST
      in reply to
      • gentoobro
      @gentoobro we discussed it the other day, it's probably just preventing copy-paste errors
      In conversation about a year ago permalink
    • gentoobro (gentoobro@gleasonator.com)'s status on Tuesday, 14-May-2024 05:29:35 JST
      in reply to
      @sun

      no spaces

      um...

      um.......

      Are they shoving the password unescaped into a sql query?

      In conversation about a year ago permalink
    • Linux Walt (@lnxw37j1) {3EB165E0-5BB1-45D2-9E7D-93B31821F864} (lnxw37j1@gnusocial.jp)'s status on Tuesday, 14-May-2024 06:40:07 JST
      in reply to
      @sun No spaces and a tightly-controlled set of characters sounds like they have some legacy applications using the same password. I still remember seeing "8-12 characters, a-z, A-Z, 0-9" long after that was no longer appropriate, and I'm certain the reason was to allow access to legacy applications using the same account.
      In conversation about a year ago permalink
    • Linux Walt (@lnxw37j1) {3EB165E0-5BB1-45D2-9E7D-93B31821F864} (lnxw37j1@gnusocial.jp)'s status on Tuesday, 14-May-2024 06:46:34 JST
      in reply to
      • Linux Walt (@lnxw37j1) {3EB165E0-5BB1-45D2-9E7D-93B31821F864}
      @sun ... And, yes, this probably means that they are handling the unhashed password
      In conversation about a year ago permalink
