@sun Ah yes, proprietary data handling software that can't handle spaces or UTF-8 (in decent software you just memcpy the password into the format the salting and hashing function requires and such function doesn't care if it has spaces or multibyte characters in it).
That's a possible code injection vulnerability I reckon - you just need to bypass the client side checks.
@romin@Suiseiseki if a site tells me that I can't have spaces (even leading or trailing) I assume that my data is touching a shell script somewhere lol
@Suiseiseki@sun
>in decent software you just memcpy the password into the format the salting and hashing function requires and such function doesn't care if it has spaces or multibyte characters in it
you can't do that, you need to normalize the unicode string first, that'd be awful software :l_sigh:
@romin@Suiseiseki you are right about unicode I just meant specifically from the image about leading or trailing spaces. it's probably just to prevent copy-paste mistakes but I'm still wary.
@sun@Suiseiseki nah recall that there are multiple space characters in unicode, nips have one for instance, this is 200% a "don't wanna handle unicode strings" issue
@charliebrownau Watching the video, despite good intentions, you're unfortunately confusing people who have likely never heard of the concept of software freedom by giving them the wrong ideas.
If you release further videos, please consider how it's everyone's duty when it comes to beginners to get the information across in a non-confusing manner.
This requires defining and differentiating between free software, "open source", proprietary and commercial software and making sure to use the correct term every time and also making sure to refer to GNU/Linux as GNU/Linux, or your preferred separator or any preferred correct name (LiGNUx for example) - sure this takes 2-3 minutes, but it's certainly worth it.
>open source document creation
What does this even mean? Can you define it?
The only definition for "open source" I've found refers to the licensing of source code; https://opensource.org/osd and the 10 requirements aren't too bad, but such definition still ends up falling short when it comes to software freedom - after all, the "OSI" has approved multiple proprietary licenses.
Going off the only definition I've found, as most documents don't have source code, it's usually nonsensical to apply "open source" to document authorship.
>available information to everyone for free
Why would the freedom of this sort of general information be restricted to the point that payment would be required?
What license is the video under? I hope you selected a freedom-respecting one.
>Linux mascot (Tux) in the right corner
Can you explain the relevance of including this logo?
Despite it being the poster child of "open source", Linux is NOT "open source", as it isn't even completely source-available.
>both open code and closed code software
What does this mean?
I guess you've abbreviated "open source code software and closed source code software", but that's a very strange way to differentiate between the freedom of free software and the malice of proprietary software.
The main issue I see is that the "CommunityServer" is mostly C#, which means that such software is trapped to proprietary software from microsoft, despite how the source code itself is free, but I see limited amounts of C# in other implementations, which hopefully would only be for the proprietary "integrations", the exclusion of which is a feature.
I guess you are pointing out the issues of the SaaSS version of "Only Office", which is indeed free software for them, but the way that was conveyed would be confusing for everyone not on my level.
>LibreOffice is not available to everyone for free
LibreOffice is not merely gratis - it's libre.
It's free software available under either the Lesser GNU GPL version 3 or the Mozilla Public License version 1.1.
Although it's typically available gratis, you may sell it for any price if you can find a buyer.
>Available for Linux
The dependency list is huge, but a direct and indirect dependency is GNU gettext and gnupg (via gpgme), which makes it available for GNU/Linux.
>portableapps.com is a great site to get various software
That site doesn't seem that great as it lists quite a few proprietary software programs as "(freeware)" but doesn't give any further details as to what that entails.
If I was to recommend that site, I would point out it also includes some malware that's marked as "freeware".
>If you run a business you have to train people to use different sorts of software
A military compared microsoft office and libreoffice and found out that they were the same training and usability wise.
>microsoft and other commercial software out there
You're confusing commercial and proprietary.
>you can add passwords ... with other software to libreoffice documents
LibreOffice does include a built-in password feature, which is now reasonably secure.
Gnumeric is free software under the GNU GPL version 2 and it's developed for GNU only - considering the GNU right there in the name.
HomeBank is GPLv2 and depends on GNU gettext.
According to wikipedia, keepass is GPLv2-or-later but seeing how version 2+ is written in C#, that version is probably proprietary.
> you can't do that, you need to normalize the unicode string first,
I put control characters in some of my passwords. I would be pissed if something tried to normalize it to UTF-8. It is a bytestring, you reduce the entropy if you normalize it, and hash functions don't care.
@white_male No, as the lowest byte on UTF-16 may be larger than 128 and it may even be the NULL char (which truncates C character arrays) and UTF-16 characters may be 4 bytes wide.
Aside from a few exceptions like the byte order mark, all valid UTF-16 character sequences map with a UTF-8 codepoint, but you'll need to use something like GNU iconv to convert it.
Still, UTF-16 is a useless encoding, as it leads to a larger filesize than UTF-8 almost always (even for books in Chinese characters, as typically there is much more ASCII formatting than text in book formats, and ASCII characters double in size when encoded as UTF-16), it's still multi-width (2 or 4 bytes wide), is not self-synchronizing and has big endian and little endian variants.
@p@Suiseiseki If there is a problem, it would be different browser and OS environments possibly passing shit as UTF16-LE or UTF16-BE when you expect UTF-8.
So while you typed the same chars the bytes are different.
@ignaloidas oh that is true I forgot that for example there are characters with the accent embedded and there are multibyte characters that are a base character, join character, and accent character.
@sun@shitposter.world tbh I'd think it's mostly that the users don't accidentally make passwords that aren't possible to enter on every device - if you use letters with accents for example, there can be multiple ways to represent that, and it won't hash to the same thing.
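The points raised across the thread (normalize before hashing, the same characters arriving as UTF-8 or UTF-16, NUL bytes inside UTF-16, and Unicode having more than one space character) can be checked in a few lines. The following is an added example written for this page, not code from any poster: a small server-side canonicalization step that decodes the client's bytes, applies NFC, and hashes the resulting UTF-8 with PBKDF2. The password strings, salt and function names are constructed for the demonstration. It does not trim or reject spaces or control characters, so those remain part of the password, and it shows that NFC alone does not fold U+3000 or U+00A0 into an ASCII space (only NFKC does), which is why rejecting "spaces" on the client side says little about what bytes reach the hash.

```python
import hashlib
import unicodedata

# Constructed sample inputs (not from the thread): one password typed two
# ways, later also encoded the way different browsers/OSes might send it.
COMPOSED = "caf\u00e9"      # U+00E9, precomposed e-acute
DECOMPOSED = "cafe\u0301"   # 'e' followed by U+0301 combining acute accent


def canonicalize_password(raw: bytes, declared_encoding: str) -> bytes:
    """Turn whatever bytes the client sent into one canonical byte string.

    1. Decode using the encoding the transport declared (utf-8, utf-16-le, ...).
    2. Apply NFC so precomposed and combining-sequence spellings coincide.
    3. Re-encode as UTF-8; this is the only form the KDF ever sees.
    Nothing is trimmed or filtered: spaces and control characters stay as data.
    """
    text = raw.decode(declared_encoding, errors="strict")
    return unicodedata.normalize("NFC", text).encode("utf-8")


def hash_password(canonical: bytes, salt: bytes, iterations: int = 50_000) -> str:
    """PBKDF2-HMAC-SHA256 over the canonical bytes; the KDF itself is byte-agnostic."""
    return hashlib.pbkdf2_hmac("sha256", canonical, salt, iterations).hex()


def c_string_view(raw: bytes) -> bytes:
    """What a NUL-terminated C API would see: everything before the first 0x00."""
    nul = raw.find(b"\x00")
    return raw if nul < 0 else raw[:nul]


def compare_spellings(salt: bytes) -> dict:
    """Hash both spellings of 'café' with and without canonicalization."""
    raw_a = COMPOSED.encode("utf-8")
    raw_b = DECOMPOSED.encode("utf-8")
    canon_a = canonicalize_password(raw_a, "utf-8")
    canon_b = canonicalize_password(raw_b, "utf-8")
    return {
        "raw_bytes_equal": raw_a == raw_b,
        "raw_hashes_equal": hash_password(raw_a, salt) == hash_password(raw_b, salt),
        "canonical_hashes_equal": hash_password(canon_a, salt) == hash_password(canon_b, salt),
    }


def compare_transports(salt: bytes) -> dict:
    """The same characters arriving as UTF-8, UTF-16-LE and UTF-16-BE."""
    encodings = ("utf-8", "utf-16-le", "utf-16-be")
    raws = {enc: COMPOSED.encode(enc) for enc in encodings}
    canonical = {enc: canonicalize_password(raws[enc], enc) for enc in encodings}
    hashes = {enc: hash_password(canonical[enc], salt) for enc in encodings}
    return {
        "distinct_raw_byte_strings": len(set(raws.values())),
        "distinct_canonical_byte_strings": len(set(canonical.values())),
        "distinct_hashes_after_canonicalization": len(set(hashes.values())),
        # Every ASCII letter in UTF-16 carries a 0x00 byte, so a C strlen()
        # on the little-endian form stops after the very first byte.
        "utf16le_as_c_string": c_string_view(raws["utf-16-le"]),
        "utf16le_has_nul": b"\x00" in raws["utf-16-le"],
    }


def whitespace_variants() -> dict:
    """NFC leaves U+3000 and U+00A0 alone; only NFKC folds them to U+0020."""
    variants = {"ideographic": "\u3000", "no_break": "\u00a0"}
    return {
        name: {
            "nfc_is_ascii_space": unicodedata.normalize("NFC", ch) == " ",
            "nfkc_is_ascii_space": unicodedata.normalize("NFKC", ch) == " ",
        }
        for name, ch in variants.items()
    }


if __name__ == "__main__":
    demo_salt = b"constructed-demo-salt"  # real code: random per-user salt
    print(compare_spellings(demo_salt))
    print(compare_transports(demo_salt))
    print(whitespace_variants())
```

The design choice worth noting: canonicalization happens once, server side, on the decoded text, and the KDF only ever sees UTF-8. A client that "rejects spaces" while the server hashes raw bytes gets neither property, and a legacy component that treats the buffer as a C string will truncate UTF-16 input at the first ASCII character.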
@sun No spaces and a tightly-controlled set of characters sounds like they have some legacy applications using the same password. I still remember seeing "8-12 characters, a-z, A-Z, 0-9" long after that was no longer appropriate, and I'm certain the reason was to allow access to legacy applications using the same account.