Everything posted by AtomicMaster

  1. There is no best antivirus; there are better ones out there and there are worse, and they usually change for different categories of attack, but there is no antivirus that will protect you from everything. Look at some data (such as this) and you gain a very pessimistic perspective relatively quickly. Newp, sorry, you are wrong. And don't take that like it's OK to download torrents and pirated software, but the 99% number is completely wrong. If that however seems like a good enough reason not to patch or protect your machine, you might be in for a surprise; time-to-own on an unpatched Windows box without any user interaction was less than 4 minutes 5 years ago... No system is completely secure. That said, Unix is inherently a much more secure OS, so while viruses do exist, popularity or not, they are still disproportionate to the popularity of the product compared to Windows. That said, recent versions of Windows have been implementing some good security features which have been in Linux kernels for many years, and so they have been making a more and more secure OS. Don't take that as it's all Microsoft's fault though; it is not, and it is a vastly complex product to secure, and they don't even hold all the levers, as it is not necessarily Apple's fault either. Nope, sorry, the vast majority of computers are embedded Linux/Unix systems.
  2. The problem is that you want to use IR like it is used in the Kinect or by the Leap controller. That is, you want to project a pattern that can then be used to determine distances to things. And without testing, I can't tell you that fog won't interfere. Another problem is that a lot of projectors emit IR, so you have to be careful there.
  3. As far as OCR software goes, multiple tests show that Tesseract and ABBYY are the best you can get to work with; you can use a tool like gscan2pdf for a more consistent test than trying to do it yourself. You should understand that this is an area where many people with doctorate degrees on the topic will be working in highly paid think tanks where they will build proprietary tools to do this well, and unfortunately OCR is not really a weekend project that one can release as open source, or rather it is, but the results will be vastly different from the large companies that have dozens of people working on the problem. The same problem applies to voice recognition, pattern recognition, cutting-edge graphics, etc. The point being that you will have better results with a proprietary technology there than you can get in the open-source world, unfortunately. To your original set of questions: without going full proprietary, and even with full proprietary, you just won't get 100% results all the time, so don't expect it, but you should get enough information most of the time to be able to categorize your info, extract information, and do most searches. Like all recognition technology, you may want to implement some process around it so that when the program is not super sure, it just holds the info in a temporary location until you figure out where it belongs. There is a framework that fits what you are describing though: https://wiki.gnome.org/action/show/Apps/OCRFeeder?action=show&redirect=OCRFeeder
  4. The problem with an interactive illusion is multi-fold. In order to project into air or "air" you need a medium; that may be steam/fog, that may be threads; whatever it is, it needs to be reflective for the light to have a point onto which it can be projected. To make something interactive, truly interactive, you need to track people and their positions; the problem is that the only real set of ways of doing this well requires a camera. But with a reflective medium, even lightly dispersed in the air, it makes tracking things with optics more difficult, because now everything that is around the medium has an inherent blur. So usually when you have a solution for both parts of the problem that satisfies the requirement, you go about figuring out how you can put together the two decoupled solutions in a way that seems as though it is one. For example, say what you wanted to do was to project onto strings which are put together in an offset pattern, with a set of laser projectors, but you wanted the visuals to be driven by, say, a dancer. You may decouple the two and have just that: a dancer on one side, projector and table or room of strings on the other. Maybe you wanted to project onto fog, but wanted to also have the dancer inside of it all. It may be a lot easier to create an area in the middle of the projectable surface void of fog, while to everyone around it would still seem as though the dancer is dancing in a fog. (Yes, this requires some laminar flows and total control of the system, but it is doable.) So again, I still have no idea what you want to do, but perhaps while you are thinking about it, thinking of solving it with a Fermi approach may be easier. $.02
  5. Yep, it's up, I just checked it. But it does seem to be very intermittent. They do have some problems.
  6. http://www.echelman.com/project/skies-painted-with-unnumbered-sparks/ also http://www.unnumberedsparks.com/
  7. The hard part is safely decoupling the motor system while in this state, a problem not yet solved, not safely. Hospitals use very complicated and expensive chemistry, and it's not without drawbacks, so the hardest problem I currently see is safely decoupling and quickly and safely recoupling the motor control without causing neural damage. For everything else to be easy, you want to be able to do this while the subject is in a waking state; otherwise you will also have to work on things like producing images neurally and a slew of other problems which currently require invasive surgeries and have very low resolution. $.02
  8. The only thing that comes to mind was the recent Google interactive art installation with a fabric and projector and a website that allowed people (anyone with a smartphone) to interact with the whole thing. That is just what came to mind; I have no idea what you are explaining/referring to/asking.
  9. 1) There was a DEF CON talk on defeating most captchas. 2) It's a GET vs POST issue, http://en.wikipedia.org/wiki/POST_(HTTP)
  10. Even the most proprietary systems can be described very generally. You have a quote from Professor Krauss, so you should get this joke: assume a cow is a sphere...
  11. Mr. imatfaal, would it be easier/faster if I just ping you when I see stuff like this that needs to be moved?
  12. So I do things like design and build systems and write code, and also break stuff a lot. If it's not super secret, do you mind describing what you are trying to do, or rather doing, and we can work out some sort of a straight(ish)forward solution from that?
  13. They were being equipped and trained by the Ukrainian special operations units; you might remember them from the Maidan times. One of them was called Berkut; it was in the news when the new government claimed them to be less than people and disallowed the 25+ members that were injured (mostly shot and burnt) while carrying out their orders, and their family members, who were being denied food, water and any medical care. Yes, due to better funding and the nature of operations, SWAT units are almost always much better equipped than regular armed forces. They were quick to denounce the referendum though, which is a bit selfish, having carried out the same kinds of referendums in Bosnia, for example, from recent memory, and split up nations with a much lower turnout and result. Also, joining NATO would not have changed anything in the Crimean situation; nobody was going to provide any military support, as nobody is interested in taking Crimea back by force, except maybe Kiev, but it's not happening. I am not trying to say that I support either side on this matter. I have a firm belief that people should have a choice as to whom they want to associate with, and looking at what is happening in mainland Ukraine, I cannot see why Crimeans would have made a different choice. I would like to point out that of the 80+% of people who showed up to vote, 95+% voted for reassociation; that's more people in support of the change than the percentage of people who voted in the last US elections. All I said is that the media seems to say and spin things in a particular way, and I was simply pointing out things they constantly say in a way that gives one false impressions of reality.
  14. My only holdback on Qt (and I really like PyQt) and all these frameworks is the "mobile platforms" part of the original question, which is why I suggested the web way.
  15. Ah, you see, I wrote this code before PHP 5.3, when they implemented get_result on prepared statements, probably because of these very problems, which is why I had to go that crazy way to get results out of the stmt. Of course this is a much cleaner solution than what could be done back then. This code would have to be changed in light of these updates, but I have no use for it, and I have other problems to spend my time on for the time being. That said, I think you will agree that this still works as an example of eval used cautiously; there is no user input that can lead to code injection, so it maintains code/data separation on the front end pretty well. Database servers in most deployments are almost always not directly accessible from the net, because database connections are not done over SSL or with any keying; you can almost always replay the handshake and authenticate to the database server. You don't need to open the servers to the web to run mysqladmin. And what you later describe is not a common deployment (not even big enough to have a measurable percentage point in all deployments). I can tell you that someone trying to inject code into your applications is the least of your troubles if they are already hijacking your DNS; for example, marcan was dropping root on some European DSL modems with DNS hijacking using built-in functionality... Besides, there are other issues with that code that need work. For example: better caching IDs, scoping issues, better reverse-viewing for better detection of string concatenation, perhaps a way to turn the normal syntax into securely interpolated code (metaprogramming may now be available in PHP? shrug). I am certain I would approach this a bit differently today than I did years ago. If you would like, I suppose we could work on that in a different thread; this discussion in this thread has gone far enough off topic to leave it here.
My only note back on the original discussion is that, if you notice, I understand that even though this is only a theoretical threat, it is one all the same, and it is dangerous. I am happy that there is now a much better solution that contains no eval, since one is possible. And I know how dangerous eval is even when the eval is not acting on user input; my answer to your security inquiry contains an understanding of the described vector, and does not contain the words "not my problem" or "filter". And most importantly, I am not dismissing everything everyone said in critique; in fact I point out even more limitations and issues that would have to be worked out before this could even be considered production-worthy.
  16. So you can own the code if you already own the back-end system... hmm... one can hope that nobody would be silly enough to expose database servers to the web, and also internal DNS servers. I am not claiming that this is not a problem, as hypothetically you can break that trust, and technically you can have a more easily exploitable system once you have already exploited the system and control half of its back end already, but I think it solves more of a problem than it creates in regards to security by simply disallowing string-interpolated queries. I just don't know of another way to solve this problem of dynamic binding of the results. Unfortunately I don't know if you can metaprogram PHP like Python or Ruby, where I can do this at a level where I would not need to use eval...
  17. That doesn't work when you have "n" fields returned though; I have pulled back queries with almost 100 fields, and doing this would just be silly when you have those kinds of numbers... I felt that this was safe, as it only pulls back the names of the fields in the database, which cannot very easily be used as a code injection point. I think there may be a different way to do this; I just don't have the time or energy necessary to spend on this.
  18. There's a bit of a misconception about math in the comp-sci field; a lot of people tend to think that high-level math is necessary to solve problems, but the truth is that using the Monte Carlo method can often achieve results close enough that you don't need to actually spend a lot of compute time on getting exact values. There are obviously specializations where those are not completely true statements, but there are places where it is, for example game and game engine development (I find this to be the area where this misconception applies the most). If you want to learn math, if you like math (I hate the way that math is taught), the above suggestions by Sato are very true. If you are however really unsure of what you want to work on, it seems that learning high-level math is more of a solution in search of a problem. Once you outline the problem, it may be easier to determine what it is you need to learn to solve it...
  19. Samiul, you have not answered the questions I have asked, namely: how do you deal with separate form builders that use the same underlying function to build code if you eval code, how do you deal with syntax highlighting in the strings, and lastly how do you deal with securing your code once you blur the data/code barrier. Also, what's a "big project" for you? Personally, something within 4000 lines of code is what I often write for a tool, often as a relatively quick exercise; most of my web-based projects are within 50k lines of code, and most of the "big projects" I have worked on had in excess of 500k LOC, where my commits can exceed a tool's worth of code. And I work on projects typically in a group of up to 8 people. If you work on projects that exceed that, perhaps I am not understanding something. The only thing I can say from my experience is that no matter how you spin it, eval always makes code a lot less manageable. It only introduces new headaches and issues which complicate usually already-complicated code. Furthermore, it decreases inherent security, makes the evaluable code unreadable because syntax highlighting highlights the whole string as a string, and as soon as you add some ability for someone to push code to a database, now you can't even grep for whatever you need to find in a project. These are all unnecessary headaches that can be avoided with good design. Eval has no good side; it is an extremely dangerous mechanism that must be avoided at all cost. It is OK to use it only when no other option is available, and it must be very carefully tamed. As I have shown time and time again, options are available, so this is not the "no other option exists" use. Here is some sample code where, while I won't claim it shows the "good side" of eval, at least in this code I wrote a few years ago I could not find any other way to approach the solution, thus I had no choice but to use it.
I was working on some research, so this is unpolished, but still:

    <?php
    /*
     Explanation. Before inline interpolation (example from Mike Samuel):

       $stmt = $db->prepare(
           'I met a ? in the ? who had a ? full of ?. He said'
          .' "Hello, ?, How are you today\?" "Fine," I replied'
          .' "but I can\'t seem to find my ?." "Hmm," he said.'
          .' "I can\'t help you with that." "How about ? ? to'
          .' make you feel ?\?"');
       $stmt->bind_param("ssssssiss", $profession, $landmark, $container,
           $species_of_monkey, $proper_name, $common_household_item,
           $some_number, $beverage, $state_of_mind);

     It is secure, but it is as much of a pain to read as it is to write.
     But what if we could just say

       $db->query(
           'I met a ^^profession in the ^^landmark who had a ^^container full of'
          .' ^^species_of_monkey. He said "Hello, ^^proper_name, How are you today\?"'
          .' "Fine," I replied, "but I can\'t seem to find my ^^common_household_item."'
          .' "Hmm," he said. "I can\'t help you with that." "How about ^^number'
          .' ^^beverage to make you feel ^^state_of_mind\?"');

     and still be secure, without adding anything that we don't already have
     (like a b64d function in MySQL)? Well, we can. In addition to passing data
     and query over separate channels, if someone tries to inline strings or
     variables into the query, the call will fail.
    */

    // An attempt at forcing developers to use secure string interpolation in
    // MySQL queries, with some integrated caching and direct CSV output.
    // The MYSQLI_* and MEM_* defaults below are expected to be defined by the
    // including configuration.

    // Custom fetch mode for fetch_all(): first entry is the column names, then numeric rows.
    if (!defined('MYSQLI_DOC')) {
        define('MYSQLI_DOC', 1000);
    }

    class SSIMysqli extends mysqli
    {
        // Members
        protected $memcache = false;
        protected $result   = false;
        protected $bind_arr = array();
        protected $row      = 0;
        protected $data     = null;
        protected $key      = null;
        protected $vars     = null;

        // Private methods

        // Drop the superglobals from the variable table the query may interpolate from.
        private function clean($vars)
        {
            $clean = array('GLOBALS', 'argc', 'argv', '_GET', '_POST', '_COOKIE', '_FILES', '_SERVER');
            foreach ($clean as $key) {
                unset($vars[$key]);
            }
            return $vars;
        }

        // array_walk() callback: write one row as CSV.
        private function output_csv(&$vals, $key, $stream)
        {
            fputcsv($stream, $vals, ',', '"');
        }

        // Public methods
        public function __construct($db = MYSQLI_DB, $host = MYSQLI_HOST, $user = MYSQLI_USER,
                                    $pass = MYSQLI_PASS, $port = MYSQLI_PORT, $mhost = MEM_SERVER,
                                    $mport = MEM_PORT, $mtime = MEM_TIMEOUT,
                                    $mctime = MEM_CONNECT_TIMEOUT, $mrtime = MEM_RETRY_TIMEOUT,
                                    $mcomp = MEM_COMPRESSION)
        {
            parent::__construct($host, $user, $pass, $db, $port);
            if (mysqli_connect_errno()) {
                error_log("Could not connect to database! Repent! The end is nigh!");
                die();
            }
            if (extension_loaded('memcached') && $mtime != 0) {
                $this->memcache = new Memcached();
                if (!$this->memcache->addServer($mhost, $mport)) {
                    error_log('Could not connect to MemCache server');
                    $this->memcache = false;
                } else {
                    $this->memcache->setOption(Memcached::OPT_CONNECT_TIMEOUT, $mctime); // connection timeout in milliseconds
                    $this->memcache->setOption(Memcached::OPT_RETRY_TIMEOUT, $mrtime);   // retry timeout in seconds
                    $this->memcache->setOption(Memcached::OPT_COMPRESSION, $mcomp);      // set this to false if you ever start using memcached append
                }
            }
        }

        public function __clone()
        {
            error_log("Can't clone Mysqli!");
            die();
        }

        public function query($query, $backtrace = array(), $vars = null)
        {
            // Snapshot the variable table once (minus superglobals) so that the
            // cache check does not have to redo the backtrace work below every time.
            if (!is_null($vars)) {
                $this->vars = $this->clean($vars);
            } elseif (is_null($this->vars)) {
                $this->vars = $this->clean($GLOBALS);
            }
            $qvars = array(); // variables the query actually references
            preg_match_all('/\^\^([A-Za-z0-9\-_]+)/m', $query, $matches);
            foreach ($matches[1] as $var) {
                if (array_key_exists($var, $this->vars)) {
                    $qvars[$var] = $this->vars[$var];
                }
            }

            // Check cache first: the key covers the query text and the values it uses
            if ($this->memcache) {
                $this->key = "mysql_" . md5($query . serialize($qvars));
                $obj = $this->memcache->get($this->key);
                if ($obj !== false) {
                    $this->data = unserialize($obj);
                    return true;
                }
            }

            // Because the point of this function is to prevent inline string
            // concatenation, I am going to check for it. If you remove this section,
            // know that you are playing with fire and making the code insecure, so if
            // anyone asks you to do it, DON'T! I DO NOT ALLOW THE USE OF THIS CODE IF
            // THIS SECTION IS REMOVED! This section may be modified to better fulfill
            // its function, which is to detect and prevent concatenation of strings,
            // specifically strings and variables, on the line calling this function.
            // BEGIN
            if (!is_array($backtrace) || count($backtrace) == 0) {
                $backtrace = debug_backtrace();
            }
            if (array_key_exists(0, $backtrace)) {
                $backtrace = $backtrace[0];
            }
            if (!array_key_exists("file", $backtrace)) {
                error_log("We don't seem to have the right globals data");
                return false;
            }
            $fh = file($backtrace["file"]);
            // All this just to deal with multi-line input and convert it to a single
            // line. The backtrace reports the last line of a multi-line statement,
            // so this reads backwards until the previous statement's terminator.
            $i = $backtrace["line"] - 1;
            $line = "";
            do {
                $line = preg_replace('/\s+/', ' ', $fh[$i] . $line);
                $i--;
            } while ($i >= 0 && !preg_match('/[;}]\s*$/', $fh[$i]));
            // This pulls the quoted strings out of the magic function call (yeah, I know
            // that won't do multi-level very well, but it will have to do for now) and
            // evals each one to get its value. Basically this is a cheesy way to run it
            // through the PHP interpreter and find out whether any string concatenation
            // is happening by comparing the '$' count before and after.
            $pre = 0;
            $post = 0;
            if (preg_match_all('/' . preg_quote($backtrace['function'], '/') . '\((.*)\)/', $line, $matches)) {
                foreach ($matches[0] as $call) {
                    if (preg_match_all('/["\'].*["\']/', $call, $query_matches)) {
                        foreach ($query_matches[0] as $query_match) {
                            $pre = preg_match('/\$/', $query_match);
                            // This should be safe, as it will reference local-scope variables
                            // which don't exist, and if they do it's the programmer's fault and
                            // this will still not work in terms of code injection.
                            @eval('$post=' . $query_match . ';');
                            if ($pre != preg_match('/\$/', $post)) {
                                error_log("There seems to be some string concatenation in the function call in {$backtrace['file']}, at line {$backtrace['line']}, around {$query_match}");
                                return false;
                            }
                        }
                    } else {
                        error_log("invalid file format, please call {$backtrace['function']}(\$this_link, \"query\")");
                        return false;
                    }
                }
            } else {
                error_log("Invalid calling line format");
                return false;
            }
            // END

            // Turn the ^^name placeholders into bound parameters
            $bind_str = "";
            $bind_params = array();
            $query = preg_replace('/\s+/', ' ', $query);
            foreach ($qvars as $var => $val) {
                // A NULL compared in a WHERE clause cannot be bound: rewrite "= ^^x" to
                // "IS NULL" and "!= ^^x" / "NOT ... ^^x" to "IS NOT NULL".
                $name = preg_quote($var, '/');
                if (is_null($val) && preg_match('/\bwhere\b.*\^\^' . $name . '(?![A-Za-z0-9\-_])/i', $query)) {
                    $cmp = '/(\s[=<>!\s]*(not|is|like)*)*(\^\^' . $name . ')(?![A-Za-z0-9\-_])/i';
                    preg_match($cmp, $query, $m);
                    $comp = preg_match('/(!|not)/i', $m[0]) ? " IS NOT " : " IS ";
                    $query = preg_replace($cmp, $comp . "NULL", $query);
                }
            }
            // Replace the remaining placeholders left to right, so the bind order
            // matches the "?" order even when a name is used more than once.
            $query = preg_replace_callback('/\^\^([A-Za-z0-9\-_]+)/',
                function ($m) use (&$qvars, &$bind_str, &$bind_params) {
                    $name = $m[1];
                    if (!array_key_exists($name, $qvars)) {
                        return $m[0]; // unknown name: leave it, and MySQL will reject the query
                    }
                    $val = $qvars[$name];
                    $bind_str .= is_int($val) ? "i" : (is_float($val) ? "d" : "s"); // a NULL is sent as NULL
                    $bind_params[] = &$qvars[$name]; // bind_param() wants references
                    return "?";
                }, $query);

            // Prepare and execute the query
            $this->result = $this->prepare($query);
            if ($this->errno) {
                error_log($this->error);
                return false;
            }
            if (count($bind_params) > 0) {
                array_unshift($bind_params, $bind_str);
                call_user_func_array(array($this->result, 'bind_param'), $bind_params);
                if ($this->result->errno) {
                    error_log($this->result->error);
                    return false;
                }
            }
            $this->result->execute();
            if ($this->result->errno) {
                error_log($this->result->error);
                return false;
            }
            $this->result->store_result();

            // Statements without a result set (INSERT, UPDATE, DELETE) are done here.
            if (!($meta = $this->result->result_metadata())) {
                if ($this->result->errno) {
                    error_log("Could not read result metadata: " . $this->result->error);
                    return false;
                }
                return true;
            }
            if (!($fields = $meta->fetch_fields())) {
                error_log("Could not fetch fields: " . $this->result->error);
                return false;
            }
            $meta->free();

            // Bind every column of the result set to $this->bind_arr[<column name>].
            // bind_result() needs one reference argument per column and the column
            // count is only known at run time, hence the eval. Note that this trusts
            // the column names the server returns (see the discussion above).
            $bind_cmd = '$this->result->bind_result(';
            foreach ($fields as $field) {
                $bind_cmd .= '$this->bind_arr[\'' . $field->name . '\'],';
            }
            $bind_cmd = substr($bind_cmd, 0, -1) . ');';
            eval($bind_cmd);
            $this->row = 0;
            return true;
        }

        // Fetch one row from the bound result. $prefix/$postfix decorate the keys
        // ("MYSQLI_ROW" inserts the row number); $drop strips them instead.
        private function fetch_array($type = null, $prefix = null, $postfix = null, $join = "_", $drop = false)
        {
            if ($this->result->num_rows <= 0) {
                error_log("We need one or more results in the result set first.");
                return false;
            }
            if (!$this->result->fetch()) {
                return false;
            }
            // Copy value by value: the bound variables are references, and a plain
            // array copy would keep them pointing at the next row.
            $ret = array();
            foreach ($this->bind_arr as $key => $val) {
                $ret[$key] = $val;
            }
            if (is_null($type) || $type === MYSQLI_NUM || strtoupper((string) $type) === "MYSQLI_NUM") {
                $ret = array_values($ret);
            }
            $has_pre  = !is_null($prefix) && $prefix !== '';
            $has_post = !is_null($postfix) && $postfix !== '';
            if ($has_pre || $has_post) {
                if ($prefix === "MYSQLI_ROW") {
                    $prefix = $this->row;
                }
                if ($postfix === "MYSQLI_ROW") {
                    $postfix = $this->row;
                }
                $pre  = $has_pre ? $prefix . $join : "";
                $post = $has_post ? $join . $postfix : "";
                $new  = array();
                foreach ($ret as $key => $val) {
                    if (!$drop) {
                        $new[$pre . $key . $post] = $val;
                    } else {
                        $new[preg_replace('/(' . preg_quote($pre, '/') . '|' . preg_quote($post, '/') . ')/', '', $key)] = $val;
                    }
                }
                $ret = $new;
            }
            $this->row++;
            return $ret;
        }

        public function fetch_all($type = null, $prefix = null, $postfix = null, $join = "_", $drop = false)
        {
            if ($this->memcache && !is_null($this->data)) {
                $data = $this->data; // served from the cache by query()
                $this->data = null;
                return $data;
            }
            $ret = array(); // it's nice to initialize arrays
            if ($type === MYSQLI_DOC) {
                // "Document" layout: first the column names, then numeric rows
                $tmp = $this->fetch_array(MYSQLI_ASSOC, $prefix, $postfix, $join, $drop);
                if ($tmp !== false) {
                    array_push($ret, array_keys($tmp), array_values($tmp));
                }
                $type = MYSQLI_NUM;
            }
            while (($tmp = $this->fetch_array($type, $prefix, $postfix, $join, $drop)) !== false) {
                $ret[] = $tmp;
            }
            // Free the original result set (in mysqli, free is aliased to free_result;
            // always free the result, as per the documentation)
            $this->result->free_result();
            $this->bind_arr = array();
            $this->row = 0;
            if ($this->memcache) {
                // Store the data in the cache if it is not there yet
                $timeout = defined('MEM_TIMEOUT') ? MEM_TIMEOUT : 3600;
                if (!$this->memcache->replace($this->key, serialize($ret), $timeout)) {
                    if (!$this->memcache->add($this->key, serialize($ret), $timeout)) {
                        error_log('Failed to store data in MemCache');
                    }
                }
            }
            return $ret;
        }

        public function get_csv($type = null, $prefix = null, $postfix = null, $join = "_", $drop = false)
        {
            $stream = fopen("php://output", 'w');
            if ($this->memcache && !is_null($this->data)) {
                $this->arr_csv($this->data, $stream);
                $this->data = null;
            } else {
                while (($tmp = $this->fetch_array($type, $prefix, $postfix, $join, $drop)) !== false) {
                    $this->arr_csv($tmp, $stream);
                }
            }
            fclose($stream);
        }

        public function arr_csv($data, $stream)
        {
            if (!is_array($data) || !is_resource($stream)) {
                return false;
            }
            if (isset($data[0]) && is_array($data[0])) {
                // A list of rows: write each one
                array_walk($data, array($this, 'output_csv'), $stream);
            } else {
                $this->output_csv($data, null, $stream);
            }
            return true;
        }

        public function num_rows()
        {
            return $this->result->num_rows;
        }
    }
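The placeholder rewrite that the class above performs, as an added example that is not the thread's own code: a standalone function that turns `^^name` markers into `?` placeholders plus the bind_param type string and ordered values, handling the two cases the class special-cases (a NULL compared in a WHERE clause becomes `IS [NOT] NULL`, and a name used twice gets two placeholders). It needs no database, and the `$vars` table it reads from is the one passed in, never the globals.

```php
<?php
// Added example: rewrite ^^name placeholders into a prepared-statement query.
// Returns array($sql, $types, $params) ready for prepare()/bind_param().

function ssi_rewrite($query, array $vars)
{
    $query  = preg_replace('/\s+/', ' ', trim($query));
    $types  = '';
    $params = array();
    $out    = '';
    $pos    = 0;
    // Position of the WHERE keyword, if any; placeholders after it may need IS NULL.
    $wherePos = stripos($query, ' where ');

    // Group 1 is an optional comparison operator (= <> != < > IS LIKE [NOT]) that
    // precedes the placeholder; group 2 is the placeholder name.
    $pattern = '/(\s*(?:[=<>!]+|\b(?:is|like)\b)\s*(?:\bnot\b\s*)?)?\^\^([A-Za-z0-9_\-]+)/i';

    // Walk the placeholders left to right so the bind order matches the "?" order.
    while (preg_match($pattern, $query, $m, PREG_OFFSET_CAPTURE, $pos)) {
        $start = $m[0][1];
        $op    = isset($m[1]) ? $m[1][0] : '';
        $name  = $m[2][0];
        $out  .= substr($query, $pos, $start - $pos);
        $pos   = $start + strlen($m[0][0]);

        if (!array_key_exists($name, $vars)) {
            throw new InvalidArgumentException("unknown placeholder ^^$name");
        }
        $val = $vars[$name];
        $inWhere = ($wherePos !== false) && ($start > $wherePos);

        if (is_null($val) && $inWhere && $op !== '') {
            // "col = ^^x" with a NULL cannot be bound; rewrite the comparison itself.
            $negated = preg_match('/!|\bnot\b/i', $op) === 1;
            $out .= $negated ? ' IS NOT NULL' : ' IS NULL';
            continue;
        }
        // Outside a comparison a NULL is simply bound as "s"; mysqli sends it as NULL.
        $out     .= $op . '?';
        $types   .= is_int($val) ? 'i' : (is_float($val) ? 'd' : 's');
        $params[] = $val;
    }
    $out .= substr($query, $pos);
    return array($out, $types, $params);
}

// Constructed input: one variable table and a query that uses a NULL in a
// comparison, a name twice, and a LIKE.
function demo()
{
    $vars = array('landmark' => 'park', 'n' => 2, 'owner' => null, 'name' => 'Bob');
    return ssi_rewrite(
        'SELECT * FROM tales WHERE landmark = ^^landmark AND owner = ^^owner
         AND (n = ^^n OR n < ^^n) AND name LIKE ^^name',
        $vars
    );
}

list($sql, $types, $params) = demo();
// $sql    is "SELECT * FROM tales WHERE landmark = ? AND owner IS NULL AND (n = ? OR n < ?) AND name LIKE ?"
// $types  is "siis"
// $params is array('park', 2, 2, 'Bob')
var_export(array($sql, $types, $params));
```

With a real connection the result feeds straight into `$stmt = $db->prepare($sql)` and `call_user_func_array(array($stmt, 'bind_param'), array_merge(array($types), $params))`, with the values turned into references first.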
  20. WAT? I have no idea what you are asking... I just barely changed your code to not use eval. This is not how I would write this at all, most likely...
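The eval-free dynamic result binding that post 16 asks about and post 20 refers to, as an added example rather than code from the thread: `bind_result()` wants one reference per column, and `call_user_func_array()` forwards references when the array holds them, so no PHP source has to be generated from column names. It assumes PHP 5.6 or later, and `FakeStmt` is a stand-in for `mysqli_stmt` with constructed rows so that the file runs without a database; with a real statement you would pass `$stmt->result_metadata()->fetch_fields()`.

```php
<?php
// Added example: bind N result columns by name without eval.

function bind_result_by_name($stmt, array $fields, array &$row)
{
    $row  = array();
    $refs = array();
    foreach ($fields as $field) {
        $row[$field->name] = null;
        $refs[] = &$row[$field->name]; // one reference per column; the name is only an array key
    }
    return call_user_func_array(array($stmt, 'bind_result'), $refs);
}

function fetch_all_by_name($stmt, array $fields)
{
    $row = array();
    bind_result_by_name($stmt, $fields, $row);
    $all = array();
    while ($stmt->fetch()) {
        // $row's elements are references shared with the statement, and PHP keeps
        // references when an array is copied, so copy value by value.
        $copy = array();
        foreach ($row as $k => $v) {
            $copy[$k] = $v;
        }
        $all[] = $copy;
    }
    return $all;
}

// Minimal stand-in for mysqli_stmt (assumption for the offline run): bind_result()
// keeps the references, fetch() writes the next constructed row into them.
class FakeStmt
{
    private $rows;
    private $refs = array();

    public function __construct(array $rows)
    {
        $this->rows = $rows;
    }

    public function bind_result(&...$vars)
    {
        $this->refs = array();
        foreach ($vars as $i => &$v) {
            $this->refs[$i] = &$v;
        }
        unset($v);
        return true;
    }

    public function fetch()
    {
        if (!$this->rows) {
            return null; // like mysqli_stmt::fetch(): null when no more rows
        }
        $values = array_shift($this->rows);
        foreach ($this->refs as $i => &$ref) {
            $ref = isset($values[$i]) ? $values[$i] : null;
        }
        unset($ref);
        return true;
    }
}

// Constructed metadata and rows. The second column name carries a quote: with
// reference binding it is just a key, whereas the eval approach would splice it
// into generated PHP source.
$fields = array(
    (object) array('name' => 'id'),
    (object) array('name' => "owner's note"),
    (object) array('name' => 'score'),
);
$stmt = new FakeStmt(array(array(1, 'first', 4.5), array(2, "O'Brien", 9.0)));
$all  = fetch_all_by_name($stmt, $fields);
// $all[1]["owner's note"] is "O'Brien" and $all[0]['id'] is still 1
var_export($all);
```

With mysqlnd (PHP 5.3+), `$stmt->get_result()->fetch_all(MYSQLI_ASSOC)` gives the same associative rows with no binding at all, which is the get_result path post 15 mentions.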