1700: New Bug
==Explanation==
{{incomplete|How does salting with emoji fix the unicode-handling bug in the URL request library? Does it really? Additionally, this explanation requires a thorough grammar and spelling fix from the fourth paragraph onward.}}

[[Cueball]] asks if an off-panel character can look at his bug report. The person asks if it's a "normal one" and not a "horrifying" one which "proves that the whole project is broken beyond repair and should be burnt to the ground". This implies that there have been reports of the "horrifying" variety in the past.

Cueball promises that it is a normal one, but it turns out that the server crashes when a user's password is a resolvable URL, which implies that the server is in some way attempting to resolve passwords as if they were URLs. A resolvable URL is one that is syntactically correct and refers to a findable and accessible resource on the internet (i.e. one that does not return a {{w|HTTP_404|404 error}} or equivalent when resolved). This can be because it contains a {{w|Fully_qualified_domain_name|fully qualified domain name}} or a valid IP address, and optionally (in either case) a path to a resource that exists on the destination server.

Also, Cueball specifically states that the server is crashing, rather than his application. While this could be misused terminology on the part of Cueball or Randall, given Cueball's history his choice of terms is probably accurate. In the context of web services, the server refers to either the computer itself or the program that responds to web requests and executes the user's (i.e. Cueball's) application. Cueball would be in charge of building the application. The importance of this distinction is that a typical system has safeguards in place at many levels to prevent a misbehaving application from crashing anything other than itself. So for his application to crash the server (either the computer itself or the server software hosting his application) would require his application to be operating in a way far outside the norm. Alternatively, the project might include its own server software, without those safeguards.

While there appears to be little reason for the code that processes passwords to attempt to resolve the input string as a URL, a common function in password programs is assessing the strength of a password using a combination of heuristics that test for uniqueness, length and good use of mixed characters, plus dictionary lookups for common words. This password function would appear to have extended the lookups to {{w|DNS}} names and URLs, so that people choosing a password like "XKCD.com" would be given a low strength score, even though no part of it is a dictionary word and it contains upper-case letters, lower-case letters and punctuation. However, accessing the internet from a function like password validation opens up not only the possibility of new bugs like the one mentioned, but also a completely new set of issues (the password itself being sent over the network as part of a lookup, for one) which are risky for a security function such as password checking. Realising the proliferation of new security issues, the off-panel person gives up and decides that burning the project to the ground is the only solution, telling Cueball ''I'll get the {{w|Charcoal_lighter_fluid|lighter fluid}}''.

In the title text, another two issues with Cueball's program are mentioned, together with a possible solution that would fix all three problems at once. The second problem is a Unicode-handling bug in the URL request library, and the third is that the passwords are stored unsalted. {{w|Salt (cryptography)|Salting}} passwords increases security in the event that the database is compromised by ensuring that users with the same password will not have the same password hash. This makes some attacks that can be used to crack hash databases, such as {{w|Rainbow table|rainbow tables}}, effectively impossible.

The proposed solution is to salt the passwords with {{w|emoji}}, which is claimed to solve all three issues at once. When the passwords are salted with emoji, the URL request library will fail to resolve any (salted) passwords because emoji are not valid characters in URLs. Since the server only crashes on ''resolvable'' URLs, this should mean the server won't crash any more. In addition, the passwords will now be salted.
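As an added example, not from the wiki page or the comic: the defensive shape of the check described above, a password-strength heuristic that flags domain-name-like passwords purely syntactically (no DNS query and no HTTP request, so nothing leaves the host and nothing can crash on resolution), beside per-user random salting so that two users with the same password get different hashes. The function names, the hostname regex and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Syntactic hostname shape (RFC 1123-style labels plus an alphabetic TLD).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+[A-Za-z]{{2,63}}$")


def looks_like_url(password: str) -> bool:
    """Flag passwords shaped like a URL or bare domain name, e.g. 'XKCD.com'.

    Purely syntactic: no DNS query and no HTTP request, so the password never
    leaves the host and an unreachable network cannot break the check.
    """
    if not password.isascii():
        return False  # non-ASCII (emoji included) cannot be a raw hostname
    try:
        parts = urlsplit(password if "://" in password else "//" + password)
        host = parts.hostname or ""
    except ValueError:  # e.g. an unbalanced '[' that urlsplit rejects
        return False
    return bool(_HOSTNAME_RE.match(host))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt per user (iteration count assumed)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored salt and digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def demo() -> dict:
    """Constructed sample: two users who both chose the password 'XKCD.com'."""
    salt_a, hash_a = hash_password("XKCD.com")
    salt_b, hash_b = hash_password("XKCD.com")
    return {
        "same_hash_for_same_password": hash_a == hash_b,  # False: different salts
        "verify_ok": verify_password("XKCD.com", salt_a, hash_a),
        "flagged_offline": looks_like_url("XKCD.com"),  # True, no network needed
    }
```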
Given that this comic comes only five comics after [[1695: Code Quality 2]], it seems likely that the off-panel person is [[Ponytail]], and as could be seen in the first of those two comics, [[1513: Code Quality]], the perpetrator is indeed Cueball. In the title text of the first, using emoji in variable names is mentioned.

In [[1349: Shouldn't Be Hard]], Cueball is also programming and finding it very difficult, although he thinks it should be easy. An off-panel person suggests burning the computer down with a blowtorch, much like the off-panel person in this one suggests burning the whole project (including the computer) to the ground with lighter fluid. In the next comic, with multiple storylines, [[1350: Lorenz]], one [http://xkcd.com/1350/#p:2ed958de-badf-11e3-8001-002590d77bdd story line] results in a computer being [http://www.explainxkcd.com/wiki/images/a/a6/lorenz_-_laptop_9.png burned with a blow torch].
==Transcript==
:Off-panel voice: Is this a '''normal''' bug, or one of those horrifying ones that prove your whole project is broken beyond repair and should be burned to the ground?
:[Zoom in on Cueball's head and upper torso.]
:Cueball: It's a normal one this time, I promise.
:Off-panel voice: OK, what's the bug?
{{comic discussion}}

[[Category:Comics featuring Cueball]]
[[Category:Computers]]
[[Category:Programming]]
− | |||
− | |||
− |