The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,839 other subscribers

Archive for the ‘Software Development’ Category

« Previous Entries
Next Entries »

Cynefin framework – Wikipedia

Posted by jpluimers on 2020/09/02

A long while ago, Kristian Köhntopp explained most of the categories in [WayBackCynefin framework – Wikipedia using very simple terms, which I have translated like below.

  • Specifications work if you are operating in in “Obvious”. Then all constraints are discoverable and known.
  • In “Disorder” (the middle, or “Explorative”) that is not possible and you have to iterate to .
  • In “Complicated” the constraints are, after all, static.
  • In “Complex”, the active constraints depend on past decisions made.
  • In “Chaotic”, there is no plan and you have to try around wild and see what’s going on. This is the world of venture capital to finance start-ups.

I like the bigger picture below a lot better, as it at least names the “Disorder” middle section which is not in the summary diagram on the right. “Disorder” is exactly the place you want to get and stay out of.

All pictures from WikiMedia.

Via: [WayBack] “Kitzel mich!” “Kitzel mich, aber nur bis ich Stop rufe!” “Kitzel mich, aber nur bis ich Stop rufe! Und unter der Bettdecke bin ich sicher!” “Kitzel m… – Kristian Köhntopp – Google+

(“Tickle Me!” “Tickle me, but only until I stop calling!” “Tickle me, but only until I call Stop! And under the blanket, I’m safe!” “Tickle me, but only until I call Stop! And under the blanket, I’m safe! And pulling away the blanket is forbidden!” The son is bound to become a software developer.)

“Obvious” is what a lot of (government) organisations think you and they are in when applying regulations. In reality, “Complex” likely applies best.

–jeroen

Read the rest of this entry »

Posted in Development, Software Development | Leave a Comment »

Delphi consensus: interface implementing classes expose methods at private or protected level.

Posted by jpluimers on 2020/09/02

Interesting consensus at which is very similar to my experience: [WayBack] I’ve inherited a project and the developer uses lots of interfaces (All good here!). Then when they develop the interfaced classes, the methods from th… – John Kouraklis – Google+

Some go even further and even declare the classes in implementation sections, but for me that gives too much RTTI hassle:

Private types (types in the implementation section of units) do not get qualified names.

via: Delphi: TRttiContext.GetType versus TRttiContext.GetTypes is not about singular versus plural…

–jeroen

Posted in Delphi, Development, Software Development | Leave a Comment »

hash – Why is Git not considered a “block chain”? – Stack Overflow

Posted by jpluimers on 2020/09/01

Still an interesting question: [WayBackhash – Why is Git not considered a “block chain”? – Stack Overflow.

With my limited knowledge of both, I think git is a Merkle tree without both a proof of work and consensus system. That would make it the chain part of block chain, and the without bits the block.

How wrong am I?

 

It seems I still have a lot to learn about Merkle tree related stuff, so on my research list:

–jeroen

Posted in Development, DVCS - Distributed Version Control, git, LifeHacker, Power User, Software Development, Source Code Management | Leave a Comment »

The iron triangle of planning | Atlassian

Posted by jpluimers on 2020/09/01

The traditional iron triangle of planning is turned up-side down when being agile: [WayBack] The iron triangle of planning | Atlassian.

On the left, the traditional triangle, on the right the agile one.

Via: [WayBack] The iron triangle of planning The Agile Coach – Marjan Venema – Google+

–jeroen

Posted in Agile, Development, Software Development | Leave a Comment »

What’s the piece of Delphi knowledge you find yourself looking up over and over again…

Posted by jpluimers on 2020/08/31

From an interesting thread at [WayBack] What’s the piece of Delphi knowledge you find yourself looking up over and over again? For me format strings is probably the thing that most stubbornly… – Lachlan Gemmell – Google+

On the generics side, I have wrote a few bits in my blog before, often pointing to information by others (many by Stefan Glienke as his skills on this topic are beyond excellent):

And on records:

There are some very good books on Delphi though that dig deeper than the documentation:

–jeroen

Posted in Conference Topics, Conferences, Delphi, Development, Event, Software Development | 4 Comments »

Debugging is like being the detective in a crime movie where you are also the…

Posted by jpluimers on 2020/08/27

[WayBack] Debugging is like being the detective in a crime movie where you are also the murderer. ROFL. You can grab it from Amazon https://goo.gl/SDP8fU – Markus Korsmeier – Google+

Edit: 20240818 – this shows the drawbacks of using redirecters: the Cyberciti one to which Googl redirects was already dead before Googl got shut down completely:

web.archive.org/web/20221206133240/https://goo.gl/SDP8fU -> https://web.archive.org/web/20221206133240/https://www.cyberciti.biz/go/a/Tshirt-Debugging-is-like-being-the-detective.php -> www.cyberciti.biz/go/a/Tshirt-Debugging-is-like-being-the-detective.php -> www.cyberciti.biz

--jeroen

Read the rest of this entry »

Posted in Debugging, Development, Fun, Quotes, Software Development, T-Shirt quotes | Leave a Comment »

Password hashing on client side is insecure · Issue #44 · meteor/meteor-feature-requests · GitHub and some bcrypt notes

Posted by jpluimers on 2020/08/26

Some interesting bits from [WayBack] Password hashing on client side is insecure · Issue #44 · meteor/meteor-feature-requests · GitHub by tysonclugg:

Stop with the client side hashing – it’s security theatrics. Submit plain text passwords over TLS. The focus should be on having TLS enabled by default, and making sure the server has a sufficient amount of cryptographic work-factor during authentication to render brute-force attacks ineffective (eg: use server-side bcrypt).

Honestly, javascript password shenanigans in the browser is as dumb as backing up HOTP/TOTP secrets from your 2FA app in case you lose your phone. Hint: that changes “something you have” into “something you know”, authenticating with two things you know is single factor authentication. And yet, a group of “smart people” created an app that allows just that. Don’t be another one of those “smart people”.

If you’re still unsure about ditching client-side password hashing, have a read on what others have said:

  1. https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-considered-harmful/
  2. http://thisinterestsme.com/client-side-hashing-secure/
  3. https://security.stackexchange.com/questions/53594/why-is-client-side-hashing-of-a-password-so-uncommon
  4. https://cybergibbons.com/security-2/stop-doing-client-side-password-hashing/
  5. https://www.reddit.com/r/crypto/comments/375lor/is_client_side_hashing_of_passwords_viable_to/
    5.1. One of the comments specifically mentions SRP, but goes on to say:

You’ll probably be interested in the Secure Remote Password protocol (SRP). It uses a variant of the Diffie-Hellman key negotiation protocol to simultaneously authenticate the client with the server, the server with the client, and establish a session key for sending secrets between the client and server. It’s not very useful with web applications, because you still have to trust the encrypted channel to deliver the right version of the JavaScript to manage the communication. It could be useful for other client/server applications, where the client application can be verified and isn’t retransmitted every session.

If you’re still not convinced after reading all of the above, I’d suggest you contact a notable cryptographer for further advice. Prof. David A. Wagner might be a good choice.

Meanwhile, client side password hashing hinders upgrades to the password hashing scheme, and nothing has been done.

Hindering, not preventing. Of course you can send many hashed variants of the password from the client to the server to account for whichever legacy hash exists in the DB, but in my that weakens the system by allowing many hashes to be submitted simultaneously (or in short order) with no work factor. The result is that brute forcing an account becomes much easier.

and in [WayBack] Password hashing on client side is insecure · Issue #4363 · meteor/meteor · GitHub:

On compatibility (the reason I visited the Meteor password hashing code in the first place), upgrading to new hashing algorithms (which MUST be done from time to time) is much easier if the plaintext password is passed to the server, and transparent to the client as no new API is required to handle the case of upgrading from an old hash to a new hash. The generally accepted means of storing hashes is “$” such as “pbkdf2_sha256$15000$ZLpQISRxzhY0$fxrQcKxhkG//nHg10NrkulhvWkAqWbWeQg4QeD7c59E=
This is a PBKDF2 hash for the password “pass” which includes the number of rounds, the salt and the resultant hash ready to be verified and upgraded if required, for example by increasing the number of rounds from 150000 to 250000, or ready to be swapped to a different algorithm altogether (eg: pbkdf2_sha512).

NIST in 2017 on key derivation functions:

In June 2017, NIST issued a new revision of their digital authentication guidelines, NIST SP 800-63B-3,[12]:5.1.1.1 stating that: “Verifiers SHALL store memorized secrets [i.e. passwords] in a form that is resistant to offline attacks. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs then generate a password hash. Their purpose is to make each password guessing trial by an attacker who has obtained a password hash file expensive and therefore the cost of a guessing attack high or prohibitive.” and that “The salt SHALL be at least 32 bits in length and be chosen arbitrarily so as to minimize salt value collisions among stored hashes.”

It looks like Argon2 is better than bcrypt and PBKDF2_SHA512. The 2017 hashing speed table:

sha1: 68.000.000.000 hash/s
sha256: 23.000.000.000 hash/s
sha512: 8.600.000.000 hash/s
sha3: 6.500.000.000 hash/s
bcrypt(5): 105.700 hash/s(for work factor 15 it’s {\displaystyle {\frac {105700}{2^{15-5}}}=103} hash/sec)
sha256crypt: 3.100.000 hash/s
And with stretching:
pbkdf2-sha1(1000 r): 26.000.000 hash/s
pbkdf2-sha256: 9.400.000 hash/s
pbkdf2-sha512: 3.400.000 hash/s

Also, one commenter mentioned that using future telling skills we expect that hash values improve 55% annually, which is exciting and scary at once. —grin 13:51, 10 October 2017 (UTC)

The cost is confirmed at [WayBack] bcrypt cost 10/12/14 brute force time? – Information Security Stack Exchange, so in 2020 it should be somewhere around the 12-14 range.

Moore’s law does not fully apply any more for single core performance, but there are other potential optimisations, and it is unclear how future hash attacks will improve, so it is better to use a mini-bench mark to calculate a good cost, see:

Delphi implementations:

Via:

Further reading:

–jeroen

Posted in Development, Hashing, Power User, Security, Software Development | Leave a Comment »

“Fatal: F1027 Unit not found: ‘System.pas’ or binary equivalents (.dcu)”

Posted by jpluimers on 2020/08/25

If you ever get a “Fatal: F1027 Unit not found: ‘System.pas’ or binary equivalents (.dcu)” – Google Search, then it is likely because you:

  1. build from a script
  2. build use a user that has never ran the Delphi IDE

This is common for unattended builds (like build-automation).

For each run, the Delphi IDE will save an EnvOptions.dproj with global settings.

Since build scripts should not rely on global settings, you need to ensure those are in your project settings.

Some background reading on this:

–jeroen

Posted in Delphi, Development, Software Development | Leave a Comment »

Spring4D – Shared, Weak references

Posted by jpluimers on 2020/08/25

In addition to Shared/IShared, there is also Weak/IWeakReference in Spring.pas; these blog post explain more about them:

Related: If you were using Managed / IManaged in Spring4D, be aware they got renamed to Shared / IShared.

–jeroen

Posted in Conference Topics, Conferences, Delphi, Development, Event, Software Development | Leave a Comment »

10 Tips on How to be a Great Programmer – Java, SQL and jOOQ.

Posted by jpluimers on 2020/08/25

Interesting thoughts: [WayBack10 Tips on How to be a Great Programmer – Java, SQL and jOOQ.

Via: [WayBack] The bitterness of poor quality remains long after the sweetness of low price is forgotten — Benjamin Franklin (not sure this is true, could not find a source) – Thomas Mueller (dummzeuch) – Google+

–jeroen

Posted in Conference Topics, Conferences, Development, Event, Software Development | Leave a Comment »

« Previous Entries
Next Entries »