Wikipedia:Reference desk/Archives/Computing/2011 November 27

Computing desk
< November 26	<< Oct | November | Dec >>	November 28 >

Welcome to the Wikipedia Computing Reference Desk Archives
The page you are currently viewing is an archive page. While you can leave answers for any questions shown below, please ask new questions on one of the current reference desk pages.

November 27

HTML code for inuktitut short u (ᐅ)

What is the HTML code (for example η for η,, what gives you "ᐅ"? Best–η-θ 01:52, 27 November 2011 (UTC)

You can just use 'ᐅ' if you send the proper encoding via your server headers. ¦ Reisio (talk) 02:12, 27 November 2011 (UTC)

What is the HTML code? –η-θ 02:16, 27 November 2011 (UTC)

The number for ᐅ is 1405 in hexadecimal. See http://www.unicode.org/charts/PDF/U1400.pdf.

—Wavelength (talk) 02:24, 27 November 2011 (UTC)

The hexadecimal code ᐅ produces ᐅ.

—Wavelength (talk) 21:44, 27 November 2011 (UTC)

A story title written in code

Hey, I'm writing a story, and I wanted the title to be a string of computing language. Specifically, a single line of code that could represent a virus or other harmful effect to a computer. (Since this is what the story is about.) I'd appreciate if the code somehow still resembled a real word or couple of words. I don't mean exactly (I doubt any code could perfectly make a word) but just so its possible to still say the title.

Any language will work or anything, I'm not really a coder so I don't know anything about that sort of thing. Just a writer.

This is kinda an odd request, and I'm not sure how well I stated my request. If you have any questions or want clarification, ask and I'll answer. Thanks. 68.111.165.176 (talk) 07:54, 27 November 2011 (UTC)

Not sure if this helps, but a common trick along these lines that you sometimes see used in blog article titles is the C increment operator, which is two plusses in a row. Basically you take a word that reprisents something you want more of and put two plusses before or after.

So some potential titles might be

Viruses++

++Murder

Greed++

You get the idea.

(You notice they even used this trick to name the successor to C.)

Two minuses do the opposite, of course, but they don't look as cool.

Hope this helps. APL (talk) 09:07, 27 November 2011 (UTC)

other good code-like constructions might be "Murder[The_President]" (There are lots of murders, but this book is about the president's ) or "Murder.Victim" (There are many aspects of this murder, but this book is about the victim.)

Or, just make up a regular title, but use underscores instead of spaces. Or make a math equation in the title. APL (talk) 09:16, 27 November 2011 (UTC)

There's also the kill command in Unix-like systems... so maybe something like kill -s President? --Ouro (blah blah) 09:34, 27 November 2011 (UTC)

Some shell commands whose names might be useful: kill (see above), unset, rm, del, erase. One could approximate an OOP function calling with something like: Johnny.kill();. Really you could use any function name there (even murder();), as they can be defined arbitrarily by the programmer. If you put it after the "object" it's acting on, with the parens and the semicolon, most people with even a smattering of programming will recognize it as a function. --Mr.98 (talk) 15:16, 27 November 2011 (UTC)

My suggestion is rm -rf /, which in Unix systems is a command to delete the entire file system on your computer. Looie496 (talk) 17:53, 27 November 2011 (UTC)

T-Rex has a suggestion. Paul (Stansifer) 20:04, 27 November 2011 (UTC)

But the downside of rm -rf / is that it will only be understood by the few percent who use the systems it works in. A command like kill or erase is, in addition to its function, also a plainly understandable word. And that might be good marketing-wise. --Ouro (blah blah) 20:27, 27 November 2011 (UTC)

Ps. That's a terrific one, Paul! --Ouro (blah blah) 20:30, 27 November 2011 (UTC)

Yes, The Simpsons have a similarly low opinion of the prospective audience for such material - in "They Saved Lisa's Brain" Comic Book Guy wears his C:/DOS C:/DOS/RUN RUN/DOS/RUN T-shirt, of which Lisa says "only one person in a million would find that funny." -- Finlay McWalterჷTalk 21:09, 27 November 2011 (UTC)

Maybe...

 10 ACQUIRE && INFECT {TARGET}
 20 GOTO 10

...is a lot easier for a wider audience to understand. Astronaut (talk) 17:25, 28 November 2011 (UTC)

What about:[(seek_out)destroy] It's an example of how a method and it's accompanying object would be written out in Objective-C. — Preceding unsigned comment added by Denting5 (talk • contribs) 00:54, 29 November 2011 (UTC)

These are all really good! I'll have to think for a while about exactly which of these suggestions I'll use, but they're all very helpful. Thanks! 128.111.86.51 (talk) 18:00, 29 November 2011 (UTC)

I'm partial to :(){ :|:& };: but it is kind of unpronounceable. ~Alison C. (Crazytales) 17:32, 30 November 2011 (UTC)

LOL. (For clarification, that's a fork bomb - it defines a shell function that starts two copies of itself, and then runs it.) 194.100.223.164 (talk) 08:57, 1 December 2011 (UTC)

HTML/Javascript list sorting

I have a webpage ( http://www.stocton.org/geocache.htm ) which lists geocaches I have hidden sorted in two ways, by date of hiding and by family. At present I maintain two separate lists and hide one / show the other to achieve the effect I want. There are also other sort orders that would be nice (eg date of most recent find, date of maintenance...). If I add these I would only want to maintain one list and have javascript sort and reformat the page appropriately. This is harder than just sorting a ul or ol list as I want to break the list up with intermediate headings (eg family type or year of hiding or ...). All the sort info could easily be hidden in parameters in the li fields etc, but could someone provide / point to a page on how to achieve this please. -- SGBailey (talk) 09:51, 27 November 2011 (UTC)

It's easiest if you start with the data in a javascript array, which you sort by whichever field you want:

//      date          location    description
d = [ [ "2011-11-02", "Arsia",    "Under a big rock" ],
      [ "2011-06-10", "Pavonis",  "Down a crack" ],
      [ "2011-09-22", "Ascraeus", "On a hilltop" ]
    ];

d.sort(function(a,b){return a[0]>b[0]});
print ("by date, ascending:");
for(rec in d) print(d[rec]);

d.sort(function(a,b){return a[1]>b[1]});
print("by location, ascending:");
for(rec in d) print(d[rec]);

d.sort(function(a,b){return a[2]>b[2]});
print("by description, ascending:");
for(rec in d) print(d[rec]);

In a webpage context, instead of print you'd generate html content and add it into the document with document.write or by manipulating an element's innerHTML -- Finlay McWalterჷTalk 11:56, 27 November 2011 (UTC)

Will mull on that. Thanks. -- SGBailey (talk) 01:12, 28 November 2011 (UTC)

Folder Disappeared - Win7

Resolved

This is odd - I have two folders on my desktop with currently active work in them. Both folders were there last night when I went to sleep. I left my computer on, as it was doing its usual virus checking, etc., and when I awoke this morning, one of the folders has disappeared. I know it has nothing to do with the virus check, as the computer performs this every day, and this folder has been there for weeks (plus, there was nothing in the folder last night). I've done a search for the folder in question, but can find nothing. OK, there is nothing in it, so I could just make a new one, but I am concerned that important folders like this are just disappearing, and would like to find out where it is, and why/how it got there, so I can prevent this sort of thing in the future. Does anyone have any ideas? KägeTorä - (影虎) (TALK) 12:14, 27 November 2011 (UTC)

EDIT - I have found the culprit. ASC v5 is deleting all my empty folders. KägeTorä - (影虎) (TALK) 12:19, 27 November 2011 (UTC)

Theory: Skyrim's Creation Engine is the Gamebryo Engine.

Mainstream gaming media apparently wont admit this. Journalism is dead so they just take Todd Howard's press releases and print it as fact and news. I believe anyone who is intelligent about game design and programming can obviously see that Skyrim's engine is possibly updated but is not in any way a fully rewritten engine from the ground up as claimed.

The same technical limitations and bugs exist from previous games using the Gamebryo engine. Also features that have become standard on modern engines since Gamebryo was first programed are strangely absent from Skyrim.

It's my understanding that Skyrim uses the same file format, the same directory structure as the previous games/engine. This alone doesnt prove anything but it's my hope that when the Creation Kit (Modification Tools) are released I can explore the game content better and locate ties to the past.

Is Skyrim using the Gamebryo engine and if so how can we prove it? --184.175.1.120 (talk) 16:52, 27 November 2011 (UTC)

Judging by this, it's not a secret that Skyrim's engine is based on Gamebryo. Whether a set of changes is enough to justify calling it a "full rewrite" is a marketing issue. In any event, when you're rewriting code, things like file formats and directory structures are important for backwards compatibility, so it's not a surprise that they didn't get changed, regardless of whatever else happened in the engine. Paul (Stansifer) 00:08, 28 November 2011 (UTC)

Indeed our own article has said as much since 16 November [1]. I guess the OP didn't bother to check it out despite linking to it. Nil Einne (talk) 17:36, 28 November 2011 (UTC)

Seagate GoFlex cable for desktop eSATA

Dear Wikipedians:

Where can I find Seagate GoFlex cable adapter for desktop eSATA port?

There is one here:

http://www.amazon.com/Seagate-FreeAgent-GoFlex-Upgrade-Powered/dp/B003IT6PH2

however, it uses the eSATAp port found on notebook computers, not the eSATA port found on desktop computers.

Thanks,

174.88.35.172 (talk) 17:43, 27 November 2011 (UTC)

That esata port on laptops is a combined esata/usb port. This cable apparently needs usb for power (because ordinary sata/esata does not provides power). If it would not need power, it would work with any esata port, either laptop or desktop.

If you want to power the end device through this one cable, there will be no special cables, that would fork for this purpose with desktop esata port. -Yyy (talk) 08:03, 30 November 2011 (UTC)

Hashing IP addresses

Hey all. I'm hoping to write a simple polling script and have turned my attention to its security. Ideally I would like to stop both accidentally and deliberate oting multiple times, but stopping the former is the priority. I am limited by the fact that I do not wish to leave any cookies, etc, on the voters' computers, nor store their IP addresses if I can avoid it. At the moment, I'm thinking that my best bet is a temporary storage of (hashed) IP addresses as a form of rate limiting. Are there any better ways to achieve my goals with those limitations in place? And does hashing actually achieve anything since IP-address-space is so small? Thanks, - Jarry1250 ^{[Weasel? Discuss.]} 18:15, 27 November 2011 (UTC)

One point of clarity: who are you trying to protect the data from? E.g. is it a situation where you're trying to keep yourself from being able to see it, or another server admin who might be using the script, or a hacker who has potentially gotten ahold of the data? Because the answer will change some of the response. If you're only worried about hackers, for example, adding a salt probably fixes the problem. If you're worried about sysadmins, then it's a much harder problem — especially since it would be pretty trivial for a sysadmin to just remove whatever obfuscation you're doing. If it were me I'd probably just salt and hash and not worry about it. That's going to stop the external misuse. You can't really stop the internal misuse. --Mr.98 (talk) 18:52, 27 November 2011 (UTC)

If Jarry is only keeping the hashed IPs (and nothing analogous to a username) then the salt would have to be the same for each IP (so it's much less useful that salting a password database, where one can have a different salt per user and recover the salt by looking up the username). So that would protect against a pre-made rainbow table, but not a freshly computed one. And Jarry's suspicion is correct - the IPV4 space is much too small. A little throw-away Python script on my aging Pentium D can SHA-1 hash the entire IPV4 space in a little over 2 hours (and a better hash function won't help, because the small input space remains the same). If Jarry can have a different salt per user, that's 2 hours per user (but surely much less with an optimished hash engine on a modern system). I don't see the point. -- Finlay McWalterჷTalk 19:48, 27 November 2011 (UTC)

Just a technical note: It would be two hours per user if you knew what the salt was. In my opinion, salting is over-rated. If you add a salt to an open-source program, you've wasted your time. Anyone can look at the code and see what the salt is and add that to the rainbow table. It creates a false sense of security. If you add a salt to a closed-source program, you hope that nobody has a dissembler and nobody can read assembly. Hell, I've seen dissemblers that convert all the way to C. So, even then, it is a false sense of security. You are only protecting yourself from script kiddies, not hackers. For this particular application, I suggest a hash that includes what you can get, such as IP address and browser info. It means that using a different browser lets you have a second vote. But, using IP address means that if one person in an office votes, all others behind the same router won't get to vote. On the Internet, it is not possible to ensure one person = one vote. -- kainaw™ 21:51, 27 November 2011 (UTC)

The IPv4 space is only 32 bits which is much too small. However if you incorporate other information, like browser user agents, OS, screen size, etc., all of which is available from the request (or in logs) you could have presumably a much larger input space. It's not perfect because the inputs are predictable, but it'd help. You could also use a very computationally intensive hash, or iterate it thousands of times. It would be relatively inexpensive for your server but harder for an attacker. This is what PBKDF2 does. Ramp it up a few thousand times over and you can buy whatever level of security you want.
I disagree with Kainaw about salting. There's not just one salt per program: there's a different salt value for every user. This is why pre-computed attacks won't work unless you know the unique salt, or you're trying every salt in the database. Shadowjams (talk) 22:58, 27 November 2011 (UTC)

I didn't claim there is one salt per program. I claimed there is one salt algorithm per program. For example, you write a program and use the first 2 letters of a person's last name as the salt. So, I grab your database and try to unhash the passwords. I'm not stupid enough to try every possible salt. I try the first to letters of the person's last name because I looked at your code and saw that is what you did. The salt doesn't help. I get back something like "SmMySuperDuperPassword01" for John Smith. I already knew it began with Sm. There is a very lengthy explanation of this false sense of security in the libPurple statement about not adding encryption to an open-source program. -- kainaw™ 23:15, 27 November 2011 (UTC)

Finlay pointed out above that the salt value in this program wouldn't be a traditional salt. You could make it traditional but then you'd have to check every previous salt value to see look for a duplicate. But in the traditional sense a salt does two things for you. It 1) prevents a precomputed hash table, 2) makes identical values have different hashes. These both enhance security. As Ben says, the salt is not supposed to be secret. Maybe you're describing something different? Shadowjams (talk) 01:05, 28 November 2011 (UTC)

I also wonder what libpurple statement Kainaw is referring to. Are they referring to [2] which comes from [3]? From [4], I can't help thinking they are (hopefully this isn't considered outing, I found it from a search for 'libpurple encryption' not anything to do with searching for kainaw). If so, while libPurple have some good points on the limited usefulness of trying to obscure passwords which need to be retrieved in original form, this seems of limited relevance here. (This isn't new to libpurple either, I mean heck I seem to recall fooling around with password recovery for dialup connections or email programs back in 1996 or so and I was fairly late in to the game. And it's fairly obvious if you need to be able to recover the original password there's no real way you can stop an attacker from doing so, again I seem to recall having the same thoughts when I was in my early mid teens and I don't program or claim to be very smart.)

As I mentioned quite a few days ago, the database leaks from anonymous attacks have illustrated the problems with unsalted passwords. Sure, a dedicated attacker could brute force some of those passwords. But when such leaks happens it means any person and their cat or dog can just look up any number of publicly accessible rainbow tables and recover quite a few of the original passwords if it's in them. (Actually I believe anonymous kindly did that for us.) And if the person used the same password for a number of sites, bad security practice perhaps but rather common, suddenly they find a lot of accounts compromised. Worse if they used the same password for their email. And besides, it's not like even dedicated attackers aren't happy when they can rely on a rainbow table.

Of course if your salt is fairly weak, like the 2 alphabetical characters example Kainaw mentioned then rainbow tables with the salt included may be feasible. Our article mentions almost the same thing in reference to a 12 bit salt. But that doesn't mean all salts are worthless, anymore then say the weakness of 56 bit DES means encryption is worthless. It just means you need a better salt like a 128 bit random salt I believe some *nix implementation use. And re-evaluate whether that's likely to be enough for say the next 5-10 years every so often.

Nil Einne (talk) 18:25, 28 November 2011 (UTC)

No outing, really. If you see a "Kainaw" on the Internet, it is likely me. Who else would use such a stupid username? If, however, the Kainaw is question is discussing something such as a barely-legal fascination with hedgehogs, I steadfastly claim it is not me.

I was attempting to point out that if the salt algorithm is known, the salt is known per user. That is by design. As pointed out by others, the salt is supposed to be known. But, I didn't think everyone got that concept.

Then, on a different point, I wanted to demonstrate that the usefulness of a salted hash is limited. A rainbow table will allow a script-kiddie to unhash passwords in volume if they are not salted (I thought I said that above). Adding a salt means that you have to unhash each password with a unique salt separate from the other hashes. Is that feasible? John the Cracker does it nicely. I ran it on a salted table of usernames and passwords at a security conference about five years ago. I asked for, and was given, SSH access to the student ssh/web server for the university - and I want to be very vague about which one. I used a simple symbolic link trick to get the shadow password file, which I showed to the crowd after ensuring that it was fixed by the system admins. Then, during the talk, I ran john on the shadow file. It kept popping up passwords, one after another after another, throughout the talk. I had well over 5,000 passwords unhashed from a salted password file during a 20-minute talk. (I then wrote a script to email each student who used dumb passwords like "password" and tell them to change it.) So, from situations like that, I feel it important to note that salting is a good practice. It is not a form of ensuring absolute security. -- kainaw™ 18:49, 28 November 2011 (UTC)

Well I think the key point is no one here is denying you can still brute force salted weak passwords easily, or that salts are not a form of absolute security. Indeed I believe there were at least some cases in the anonymous attacks were the passwords were salted but made available because they were weak. However your original comments where you said stuff like 'If you add a salt to an open-source program, you've wasted your time' seem to suggest there is often little point to a salt rather then as you now note 'that salting is a good practice' which as Shadowjams has said does have some distict advantages when well implemented. (This isn't exactly my field but I believe for local passwords Key stretching should also be considered to make things more difficult for an attacker.)

Also I think the 'script-kiddies' bit masks the problem, sure script kiddies are one of the concerns, but as I've said salting also makes things more difficult for more dedicated attackers. I don't know if you consider yourself a script kiddie, and I believe public rainbow tables were smaller and less easily available 5 years ago but how many passwords could you have found during the 20 minute talk if you had for example a MD5 rainbow table of password hashes and the password was stored in such a form [5]? Of course it will depend on factors like how fast the device/s storing the rainbow table is. If you have a 1TB+ of rainbow table, it may take longer then 20 minutes to search the entire table against a resonably large database even if you have a SSD capable of saturating a single 3 Gbit/s SATA port (although I'm not sure how rainbow tables are searched). For a single test, you may want to add the time it takes to download or obtain or generate the tables but you do it regularly then this doesn't make much sense. P.S. I used anonymous loosely to include 'groups' like LulzSec.

To put things a different way, if your rainbow table takes 2 hours to generate, then salting may not be that much of an advantage. If it takes 1 year with an optimised program on a high end GPU, then salting may be well be an advantage (although obviously still no guarantee).

Nil Einne (talk) 14:05, 29 November 2011 (UTC)

A password salt is always stored in the clear whether the program is open-source or not. It's not secret, or supposed to be. Read the article. -- BenRG (talk) 23:45, 27 November 2011 (UTC)

Thanks all for your comments. I can't seem to protect against the very determined, so I won't both: I'll apply a simple hash to lend an iotum of security - I could have thrown in browser, etc, but I'd rather not allow double voting from different PCs (even at the expense of offices only getting one vote). I'll then delete all IPs after the results have been published. Thanks! - Jarry1250 ^{[Weasel? Discuss.]} 16:56, 28 November 2011 (UTC)

SSL verification

a. is there a way to encrypt with ssl without getting a lincese and without a notice to the user that there is illegal ssl(I mean in webpages)? b.if a man in the middle will watch the whole communication of the computers, will it be able to get the keys and unencrypt it? Exx8 (talk) 21:18, 27 November 2011 (UTC)

For the first question, if you manually install the certificate on both computers, you won't get a warning. But, if you want to make an SSL page for the general public that doesn't throw a warning, you must get a real SSL certificate, not a self-signed one. For the second question, yes. A man in the middle can get information that can be decrypted - but it will take a very long time (decades, not hours). I know, the official claim is that it will take trillions of years, but that is based on computers circa 1995. So, I assume that quantum-super number-crunching computers will come around along with some new number factoring algorithm and cut it from 20 trillion years to 20 years. Still, it is too long to do anything useful. Finally, I want to note that your description of what the man in the middle will do is not what a man in the middle attack is all about. A man in the middle will pretend to be the server to the client and pretend to be the client to the server. He will block traffic between the two, not just copy it. -- kainaw™ 21:45, 27 November 2011 (UTC)

Quantum computers break SSL completely, not because they're fast but because efficient quantum algorithms for breaking SSL encryption are known. Non-quantum computers are never going to be fast enough to break SSL by currently known approaches. A semi-efficient algorithm that breaks SSL in 20 years might be found next year, I might win the lottery next year, and a flu epidemic might wipe out half of the human race next year, but these are not useful things to say in a ref desk reply. -- BenRG (talk) 23:40, 27 November 2011 (UTC)

A simplified form of SSL works like this: the server sends an RSA public key to the client. The client generates a random AES key, encrypts it with the RSA key, and sends it back. The server decrypts it, and then later communication is encrypted using AES with that key.

A passive eavesdropper, who doesn't alter any of the data, can't spy on this. This is what you seem to mean by "man in the middle". An active eavesdropper can spy on it by intercepting the public key en route and substituting a different one for which he has the corresponding private key. This is what's usually called "man in the middle". The SSL certificate signing system exists to prevent this attack. You can't use an "unlicensed" certificate without a warning because, for all the client knows, you might be the man in the middle. If there were a way to avoid the warning (without being blocked or caught) then attackers would use that method and the whole system would be pointless.

According to Comparison of SSL certificates for web servers, there's at least one CA trusted by all major browsers that will issue certificates for free, if that's any help. -- BenRG (talk) 23:40, 27 November 2011 (UTC)

matplotlib colorbar

I'm trying to plot a series of polygons in python using matplotlib where each polygon gets a color based on data value. For example a minimal code:

import numpy as np
import matplotlib as m
import matplotlib.pyplot as plt

data=np.random.rand(5)

cm = plt.get_cmap('jet_r')

for i in range(5):
    x=np.random.rand(4)
    y=np.random.rand(4)
    plt.fill(x,y,color=cm(data[i]))
plt.show()

But if a drop a

 plt.colorbar()

before the plt.show() i get

 
Traceback (most recent call last):
  File "/home/Rob/code/colorbar.py", line 21, in <module>
    plt.colorbar()
  File "/usr/lib64/python2.7/site-packages/matplotlib/pyplot.py", line 1519, in colorbar
    ret = gcf().colorbar(mappable, cax = cax, ax=ax, **kw)
  File "/usr/lib64/python2.7/site-packages/matplotlib/figure.py", line 1104, in colorbar
    cb = cbar.Colorbar(cax, mappable, **kw)
  File "/usr/lib64/python2.7/site-packages/matplotlib/colorbar.py", line 706, in __init__
    mappable.autoscale_None() # Ensure mappable.norm.vmin, vmax
AttributeError: 'NoneType' object has no attribute 'autoscale_None'

Now i think i need pass something to colorbar() to tell it what the axes and scale is but i'm not sure what, as all the example i can find on the 'net seem to use imshow or pcolor rather than fill. What can i do to get a colorbar? Thanks for any help--2.102.129.237 (talk) 23:26, 27 November 2011 (UTC)

The default for colorbar() is to use the current "image" (internally a ScalarMappable); you don't have one yet, apparently. Perhaps the color-bar call goes after the show, so that there is an image? --Tardis (talk) 16:23, 2 December 2011 (UTC)