I really don't miss VB6

[dandymcgee]

Was browsing StackOverflow to see if the CLR has a decent generic sorted list implementation, and got a good chuckle from this heavily downvoted (yet inarguably creative) proposal:

http://stackoverflow.com/a/196615/770230

Like I said: I really don't miss VB6.

[K-Bal]

That is hilarious in a horrible way.

[bbguimaraes]

This reminds me of that software (can't remember which one) that, instead of generating a random number locally, made a http request to some website. And it was worse, because they didn't check for errors, so one day the website went down (or changed the api, or something) and now all clients had the same seed: the error message. I think that was the most shameful vulnerability I've ever head of. Does anyone remember what I was?

[dandymcgee]

This reminds me of that software (can't remember which one) that, instead of generating a random number locally, made a http request to some website. And it was worse, because they didn't check for errors, so one day the website went down (or changed the api, or something) and now all clients had the same seed: the error message. I think that was the most shameful vulnerability I've ever head of. Does anyone remember what I was?

Lmao, never heard of that. That's a *gaping* security hole. It's so easy to proxy that request to MITM... Hopefully it wasn't used for anything important.

[bbguimaraes]

Lmao, never heard of that. That's a *gaping* security hole. It's so easy to proxy that request to MITM... Hopefully it wasn't used for anything important.

Just spent half an hour heavily searching my brain/the internet, here it is. I recommend reading the entire article. When they say "a comedy of programming errors", they really mean it:

The most serious of the flaws is the use of the unencrypted HTTP connections when the app's cryptographic engine contacts random.org to obtain random numbers used to generate private keys for Bitcoin addresses. Since January, random.org has required the use of the more secure HTTPS protocol and has returned a 301 Moved Permanently response when accessed through HTTP. As a result, vulnerable installations of Blockchain for Android generated the private key corresponding to the address 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F, regardless of the address specified by the user.

And that's what protected the bitcoin wallets of users.

[dandymcgee]

Lmao, never heard of that. That's a *gaping* security hole. It's so easy to proxy that request to MITM... Hopefully it wasn't used for anything important.

Just spent half an hour heavily searching my brain/the internet, here it is. I recommend reading the entire article. When they say "a comedy of programming errors", they really mean it:

The most serious of the flaws is the use of the unencrypted HTTP connections when the app's cryptographic engine contacts random.org to obtain random numbers used to generate private keys for Bitcoin addresses. Since January, random.org has required the use of the more secure HTTPS protocol and has returned a 301 Moved Permanently response when accessed through HTTP. As a result, vulnerable installations of Blockchain for Android generated the private key corresponding to the address 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F, regardless of the address specified by the user.

And that's what protected the bitcoin wallets of users.

Why did I know it was going to be random.org before you even posted this..? Rofl.