explain xkcd - User contributions [en]

Talk:1917: How to Make Friends

2017-11-17T08:36:36Z

Pmakholm:

Please clarify: What are "friends"?
[[Special:Contributions/172.68.58.95|172.68.58.95]] 08:18, 17 November 2017 (UTC)

Randall has obviously not read Stu the Cockatoo is New at the Zoo.
[[User:Pmakholm|Pmakholm]] ([[User talk:Pmakholm|talk]]) 08:36, 17 November 2017 (UTC)

Talk:1799: Bad Map Projection: Time Zones

2017-02-15T07:59:40Z

Pmakholm:

"Screw Hawaii and the rest of the Pacific!" [[User:Z|Z]] ([[User talk:Z|talk]]) 04:56, 15 February 2017 (UTC)

It is actually way less distorting than I expected [[Special:Contributions/141.101.104.239|141.101.104.239]] 06:38, 15 February 2017 (UTC)

Aahhhh, why are Suriname and French Guiana switched? They have the same timezone ... [[Special:Contributions/162.158.150.22|162.158.150.22]] 06:52, 15 February 2017 (UTC)

Can anyone explain why Russia has all the hills and valleys? East-west distortion I understand, but what is the reason for the north-south distortion? [[User:Nonnal|Nonnal]] ([[User talk:Nonnal|talk]]) 07:06, 15 February 2017 (UTC)

:I actually know this one - Russia has 11 timezones, but some of these form "islands" in the South of the country. From West to East, the North has: (+2 Kaliningrad), +3, +5, +7,+9, +10, +11, +12. Going West to East through the South adds back in +4 (Samara), +6 (Omsk), and +8 (Irkutsk), each corresponding to one of the "dips" in the projection. [[User:Atmarsden95|Atmarsden95]] ([[User talk:Atmarsden95|talk]]) 07:15, 15 February 2017 (UTC)

Why is Morocco labeled as U.S. and the Sahrawi Republic as Morocco? [[Special:Contributions/141.101.88.88|141.101.88.88]] 07:24, 15 February 2017 (UTC)
:That actually says "W.S", for Western Sahara, but either way I can't see a good reason for the inversion. Both are on UTC+0, and Morocco is on UTC+1 in summer, while WS doesn't use DST, apparently... So even if that was being taken into account, the countries are STILL the wrong way around. Possibly, this is related to the French Guiana/Suriname inversion. [[User:Atmarsden95|Atmarsden95]] ([[User talk:Atmarsden95|talk]]) 07:55, 15 February 2017 (UTC)

:And Western Sahara is the name used for the disputed area south of Marocco by the United Nations. The Sahrawi Republic have only limited recognition and does not control all of the disputed area. [[User:Pmakholm|Pmakholm]] ([[User talk:Pmakholm|talk]]) 07:59, 15 February 2017 (UTC)

It would be cool to see countries moving in and out of Daylight saving time. --[[Special:Contributions/141.101.69.69|141.101.69.69]] 07:56, 15 February 2017 (UTC)

Talk:1700: New Bug

2016-07-01T12:09:27Z

Pmakholm:

''Italic text''

I'm new. For the explanation: A bug, as in a computer (programming) bug, can be reported and tracked, and many systems allow collaboration on the reporting and tracking of problems, or bugs, in code, and their solutions. Cueball reported a problem (bug) he found in the code, which presumably caused the server (program)—which he wrote as part of his project—to try to read the passwords as URLs before storing them. This exposes serious cross-site scripting attacks and other serious security vulnerabilities, and since handling password and user account information usually requires a lot of programming, this would be difficult to fix, which is why the character off-panel suggests burning the project down, as that would be much easier, and would solve any security problems, much more quickly than fixing the bug would. The comment text refers to Cueball's horrid solution to a horrid problem: Instead of solving the problem that is causing the server to read passwords as URLs, he can instead leverage a known problem in the programme which reads URLs which prevents it from reading a particular way of representing text in binary form, by adding a few characters to the user's password that the URL-reading program can't read. This would also "salt" the user's password, which is a security technique that makes passwords harder to figure out when they are stored properly. Cueball thinks this would solve the original problem, and two other problems at the same time, the second problem being the fact that user's passwords aren't salted (a security problem). The third solved problem is difficult to deduce. &emsp;[[User:Zyzygy|Zyzygy]] 05:40, 29 June 2016 (UTC)

: The third bug is the unicode handling, which would need to be solved in order to salt passwords with emoji since these are unicode only character. Although I'm not sure if salting with emoji really increases security since as a rule i'd say nobody uses emoji in their passwords. [[Special:Contributions/162.158.85.123|162.158.85.123]] 06:34, 29 June 2016 (UTC)

::Password: 👍🐎🔋Π [[Special:Contributions/141.101.98.131|141.101.98.131]] 10:11, 29 June 2016 (UTC)
:::That is a really funny password, [[936: Password Strength|but is it strong ennough?]] :-) --[[User:Kynde|Kynde]] ([[User talk:Kynde|talk]]) 20:22, 29 June 2016 (UTC)

:Actually, nobody using emoji in their password would be reason salting with emoji is MORE effective. Salting doesn't really increase security of single password, but it does increase security of whole password database, because you can hash some string - like, [http://www.telegraph.co.uk/technology/2016/01/26/most-common-passwords-revealed---and-theyre-ridiculously-easy-to/ 123456] and check whole database for users having that as password. If every password is salted with different emoji, this strategy will not work, because while you KNOW which emoji is used - the salt is stored unhashed with the password hash - it's always different so you need to compute new hash for every line in password database. Hashing takes MUCH more time than just comparing strings. And how it's even more effective? Because someone might actually get multiple databases and search for entries with same salt, hoping there will be enough of them to be worth it. And salt with emoji likely wouldn't be so common ... -- [[User:Hkmaly|Hkmaly]] ([[User talk:Hkmaly|talk]]) 09:54, 29 June 2016 (UTC)

From 108.162.221.22 (long rant)
:Two comments: first, the explanation on password salting is incorrect. The current version says "Salting passwords increases security by adding random data to the passwords which primarily helps defend against dictionary attacks.". Password salting only protects against particular kinds of (common) attacks in specific situations. Most importantly, it is designed to protect passwords only in the event ofa database breach, when a malicious user has gained direct access to the database itself. Password salting provides no protection when brute force attacks (aka dictionary attacks) are directed at the application itself, as the application automatically takes hashes into account. Instead, proper password salting randomizes the hash for each password, ensuring that if two users have the same password, they will not have the same hash. This makes it much more difficult to guess passwords through attack vectors like lookup tables, reverse lookup tables, and rainbow tables. However, because the salt has to be stored with the password (otherwise the application would not be able to make sense of the hash itself), password salting does not secure passwords against dictionary attacks even in the event that a malicious user has managed to acquire the database itself. I will update the explanation with a brief description of what password salts do.
:Finally, I think there is a big misunderstanding throughout this explanation. In a web services context the "server" (referenced in the comic) is a very different thing than the application that a programmer builds. A server can refer to either the computer itself or the software that is responsible for responding to web requests and executing the actual application. In a professional context, the application (which is what cueball would be building) would never be referred to as the "server". It is possible that this is a mis-use of terminology on the part of cueball or Randall, but I suspect that the term was used properly and intentionally. The reason is because if cueball's application is crashing the *server*, it takes the level of incompetence up to completely new (and unusual) levels, in much the same way that he has done in the past. Normally the programming language used to build the application, the software hosting the application, and the operating system itself have a number of safe guards in place to ensure that if an application misbehaves, the only thing that crashes is the application itself. For cueball's application to break through all those safeguards and crash the server itself (either the operating system or the web server software) would require cueball to have developed a program that operates *well* outside the bounds of normal procedures. Just for reference, as someone who has been building web software for over 15 years, I wouldn't even know where to start to crash the server from within an application. It would probably have to involve either exploiting a previously unknown bug in the programming language or some *very* poorly designed system calls. [[Special:Contributions/108.162.221.22 15:11, 29 June 2016‎ 108.162.221.22]] (Rememeber to sign your comments)

::If you by 'server' means Apache it is not completely unexpected that a sloppy coded extension to Perl or PHP could crash part of the server – and I still maintain mod_perl code that does 'fancy' stuff. I wouldn't be surprised if Cueball still wrote web-application as he did when mod_perl was the hot stuff. Today it is a common setup to have a chain of servers. In the front nginx for SSL termination, maybe an application level firewall filtering out spooky requests, then Varnish for caching and load-balancing and finally the application server running the actual web-application – all layers implementing the HTTP protocol. Which of these are 'the server'? At least it is often easy for the application developer to make the last server in the chain unresponsive (i.e. crashed). [[User:Pmakholm|Pmakholm]] ([[User talk:Pmakholm|talk]]) 12:08, 1 July 2016 (UTC)

Regarding those last two points: sorry for my long unsigned rant. Didn't realize I wasn't logged in. Still haven't figured out how to sign comments. Gonna try it this time. [[User:Cmancone|Cmancone]] ([[User talk:Cmancone|talk]]) 16:51, 29 June 2016 (UTC)--
:You made it ;-) --[[User:Kynde|Kynde]] ([[User talk:Kynde|talk]]) 20:22, 29 June 2016 (UTC)

Explanation says "There is no reason for password handling code to access urls" but that is somewhat wrong -- Password handling code frequently perform heuristics on the password to assess the strength, for example checking if part of the password is a dictionary word -- similar heuristics could be done to check thatthe password is not a URL, such as "xkcd.com" applying DNS and other internet resources as an extention of the concept of "dictionary". [[User:Spongebog|Spongebob]] ([[User talk:Spongebog|talk]]) 16:11, 29 June 2016 (UTC)

:I think http://xkcd.com/correct/horse/battery/staple/ would be a perfectly fine password, even though it is also an URL – but a heuristic that just looks at the length of the password and if it only contains alphanumeric characters would probably be fooled. Trying to detect the scheme used to generate the password could be helpful in choosing a relevant heuristic for deciding the password strength. Ont the other hand, I would consider it very bad to actually test whether the URL is resolvable in any way that leaks information about the password to the outside. [[User:Pmakholm|Pmakholm]] ([[User talk:Pmakholm|talk]]) 11:11, 1 July 2016 (UTC)

Currently the explanation says: "Finally, emoji will often include unicode characters, which means that, if one can effectively salt passwords with emoji, then the passwords should be able to be stored in unicode (although that *probably* doesn't require anything outside the Base Multilingual Plane, so that might not need full unicode support after-all)." I'm fairly convinced that this doesn't make sense and is incorrect. Regardless of what character encoding the password is in, hashing will convert the entire thing into binary. This binary is then typically stored as a base64-encoded string in the database. Ergo, it doesn't matter whether the original password strings were in unicode or not: they will be stored in the database as ascii (or binary), not unicode. I'm going to go ahead and remove this comment from the explanation. I'm pretty certain that there isn't enough information in the comic to figure out why salting passwords with emoji would fix a unicode-handling bug in the URL request library. So I suspect that there is no explanation there: either Cueball is entirely confused and his statement makes no sense, or there is simply not enough information given to help us understand why this solution might fix the problem. However, I'm not going to make any updates to the explanation about this yet, because perhaps I'm missing something someone else will notice. [[User:Cmancone|Cmancone]] 12:50, 29 June 2016 (ETC)
:I suspect that the salting with emoji is to ensure that the password does not resolve as a URL (since the library cannot understand the encoding), and thus the issue of the crash is resolved, the issue of unsalted passwords is solved, and the issue of the unicode handling bug is "solved" by virtue of it now being a feature relied on by the system. [[Special:Contributions/173.245.56.68|173.245.56.68]] 20:50, 29 June 2016 (UTC)

I removed from the explanation the discussion about how Cueball's system might be checking passwords to see if they are resolvable URLs as a check against weak passwords. The problem with this explanation is that if that is where the crash was happening, then salting the password with emoji would not fix the crash. For salting to fix the crash (as Cueball suggests it will) requires that the crash be happening during the hashing process, not during password validation. The reason is because password validation is performed on the original password itself, while only hashing happens on the salted password. So for salting to fix the crash it must be happening during hashing, not validation. If the bug is happening while checking passwords for strength then Cueball's suggestion of fixing it by adding in a salt will not actually fix the crash at all. It could be that Cueball is simply completely wrong about everything, but I think it makes more sense to go with an explanation where the title text didn't just get everything wrong.[[User:Cmancone|Cmancone]] ([[User talk:Cmancone|talk]]) 13:12, 30 June 2016 (UTC)

In the nomenclature I am familiar with mailto:somebody@example.com is a URL. If you accept that mailto (and other protocols) are also URLs some of the description is untrue. Fortunately the untrue bits are also unnecessary and can be deleted or generalized.--[[Special:Contributions/108.162.219.11|108.162.219.11]] 04:51, 1 July 2016 (UTC)
Definitely a sequel to 1084[[Special:Contributions/108.162.221.92|108.162.221.92]] 08:27, 1 July 2016 (UTC)

The explanation of 'Resolveable URL' is very confusing and mostly wrong, it is mixing up technologies like HTTP and DNS and is confusing FQDN's with URLs. Though admittedly, the term 'resolveable URL' is a bit of a misnomer by itself. URLs are typically not resolved, they contain an FQDN that is resolved via DNS to an IP(v6) address and optionally port. The remainder of the URL can be used to identify a resource on that server, but how this is done and signaled is quite application/protocol dependent (and shouldn't be called 'resolving'). So if you hit a 404 the FQDN actually resolved but the HTTP resource could not be found. A non-resolveable URL would give a browser error like 'unknown host'. [[Special:Contributions/162.158.83.198|162.158.83.198]] 09:59, 1 July 2016 (UTC)

Talk:1700: New Bug

2016-07-01T12:08:58Z

Pmakholm:

''Italic text''

I'm new. For the explanation: A bug, as in a computer (programming) bug, can be reported and tracked, and many systems allow collaboration on the reporting and tracking of problems, or bugs, in code, and their solutions. Cueball reported a problem (bug) he found in the code, which presumably caused the server (program)—which he wrote as part of his project—to try to read the passwords as URLs before storing them. This exposes serious cross-site scripting attacks and other serious security vulnerabilities, and since handling password and user account information usually requires a lot of programming, this would be difficult to fix, which is why the character off-panel suggests burning the project down, as that would be much easier, and would solve any security problems, much more quickly than fixing the bug would. The comment text refers to Cueball's horrid solution to a horrid problem: Instead of solving the problem that is causing the server to read passwords as URLs, he can instead leverage a known problem in the programme which reads URLs which prevents it from reading a particular way of representing text in binary form, by adding a few characters to the user's password that the URL-reading program can't read. This would also "salt" the user's password, which is a security technique that makes passwords harder to figure out when they are stored properly. Cueball thinks this would solve the original problem, and two other problems at the same time, the second problem being the fact that user's passwords aren't salted (a security problem). The third solved problem is difficult to deduce. &emsp;[[User:Zyzygy|Zyzygy]] 05:40, 29 June 2016 (UTC)

: The third bug is the unicode handling, which would need to be solved in order to salt passwords with emoji since these are unicode only character. Although I'm not sure if salting with emoji really increases security since as a rule i'd say nobody uses emoji in their passwords. [[Special:Contributions/162.158.85.123|162.158.85.123]] 06:34, 29 June 2016 (UTC)

::Password: 👍🐎🔋Π [[Special:Contributions/141.101.98.131|141.101.98.131]] 10:11, 29 June 2016 (UTC)
:::That is a really funny password, [[936: Password Strength|but is it strong ennough?]] :-) --[[User:Kynde|Kynde]] ([[User talk:Kynde|talk]]) 20:22, 29 June 2016 (UTC)

:Actually, nobody using emoji in their password would be reason salting with emoji is MORE effective. Salting doesn't really increase security of single password, but it does increase security of whole password database, because you can hash some string - like, [http://www.telegraph.co.uk/technology/2016/01/26/most-common-passwords-revealed---and-theyre-ridiculously-easy-to/ 123456] and check whole database for users having that as password. If every password is salted with different emoji, this strategy will not work, because while you KNOW which emoji is used - the salt is stored unhashed with the password hash - it's always different so you need to compute new hash for every line in password database. Hashing takes MUCH more time than just comparing strings. And how it's even more effective? Because someone might actually get multiple databases and search for entries with same salt, hoping there will be enough of them to be worth it. And salt with emoji likely wouldn't be so common ... -- [[User:Hkmaly|Hkmaly]] ([[User talk:Hkmaly|talk]]) 09:54, 29 June 2016 (UTC)

From 108.162.221.22 (long rant)
:Two comments: first, the explanation on password salting is incorrect. The current version says "Salting passwords increases security by adding random data to the passwords which primarily helps defend against dictionary attacks.". Password salting only protects against particular kinds of (common) attacks in specific situations. Most importantly, it is designed to protect passwords only in the event ofa database breach, when a malicious user has gained direct access to the database itself. Password salting provides no protection when brute force attacks (aka dictionary attacks) are directed at the application itself, as the application automatically takes hashes into account. Instead, proper password salting randomizes the hash for each password, ensuring that if two users have the same password, they will not have the same hash. This makes it much more difficult to guess passwords through attack vectors like lookup tables, reverse lookup tables, and rainbow tables. However, because the salt has to be stored with the password (otherwise the application would not be able to make sense of the hash itself), password salting does not secure passwords against dictionary attacks even in the event that a malicious user has managed to acquire the database itself. I will update the explanation with a brief description of what password salts do.
:Finally, I think there is a big misunderstanding throughout this explanation. In a web services context the "server" (referenced in the comic) is a very different thing than the application that a programmer builds. A server can refer to either the computer itself or the software that is responsible for responding to web requests and executing the actual application. In a professional context, the application (which is what cueball would be building) would never be referred to as the "server". It is possible that this is a mis-use of terminology on the part of cueball or Randall, but I suspect that the term was used properly and intentionally. The reason is because if cueball's application is crashing the *server*, it takes the level of incompetence up to completely new (and unusual) levels, in much the same way that he has done in the past. Normally the programming language used to build the application, the software hosting the application, and the operating system itself have a number of safe guards in place to ensure that if an application misbehaves, the only thing that crashes is the application itself. For cueball's application to break through all those safeguards and crash the server itself (either the operating system or the web server software) would require cueball to have developed a program that operates *well* outside the bounds of normal procedures. Just for reference, as someone who has been building web software for over 15 years, I wouldn't even know where to start to crash the server from within an application. It would probably have to involve either exploiting a previously unknown bug in the programming language or some *very* poorly designed system calls. [[Special:Contributions/108.162.221.22 15:11, 29 June 2016‎ 108.162.221.22]] (Rememeber to sign your comments)

:If you by 'server' means Apache it is not completely unexpected that a sloppy coded extension to Perl or PHP could crash part of the server – and I still maintain mod_perl code that does 'fancy' stuff. I wouldn't be surprised if Cueball still wrote web-application as he did when mod_perl was the hot stuff. Today it is a common setup to have a chain of servers. In the front nginx for SSL termination, maybe an application level firewall filtering out spooky requests, then Varnish for caching and load-balancing and finally the application server running the actual web-application – all layers implementing the HTTP protocol. Which of these are 'the server'? At least it is often easy for the application developer to make the last server in the chain unresponsive (i.e. crashed). [[User:Pmakholm|Pmakholm]] ([[User talk:Pmakholm|talk]]) 12:08, 1 July 2016 (UTC)

Regarding those last two points: sorry for my long unsigned rant. Didn't realize I wasn't logged in. Still haven't figured out how to sign comments. Gonna try it this time. [[User:Cmancone|Cmancone]] ([[User talk:Cmancone|talk]]) 16:51, 29 June 2016 (UTC)--
:You made it ;-) --[[User:Kynde|Kynde]] ([[User talk:Kynde|talk]]) 20:22, 29 June 2016 (UTC)

Explanation says "There is no reason for password handling code to access urls" but that is somewhat wrong -- Password handling code frequently perform heuristics on the password to assess the strength, for example checking if part of the password is a dictionary word -- similar heuristics could be done to check thatthe password is not a URL, such as "xkcd.com" applying DNS and other internet resources as an extention of the concept of "dictionary". [[User:Spongebog|Spongebob]] ([[User talk:Spongebog|talk]]) 16:11, 29 June 2016 (UTC)

:I think http://xkcd.com/correct/horse/battery/staple/ would be a perfectly fine password, even though it is also an URL – but a heuristic that just looks at the length of the password and if it only contains alphanumeric characters would probably be fooled. Trying to detect the scheme used to generate the password could be helpful in choosing a relevant heuristic for deciding the password strength. Ont the other hand, I would consider it very bad to actually test whether the URL is resolvable in any way that leaks information about the password to the outside. [[User:Pmakholm|Pmakholm]] ([[User talk:Pmakholm|talk]]) 11:11, 1 July 2016 (UTC)

Currently the explanation says: "Finally, emoji will often include unicode characters, which means that, if one can effectively salt passwords with emoji, then the passwords should be able to be stored in unicode (although that *probably* doesn't require anything outside the Base Multilingual Plane, so that might not need full unicode support after-all)." I'm fairly convinced that this doesn't make sense and is incorrect. Regardless of what character encoding the password is in, hashing will convert the entire thing into binary. This binary is then typically stored as a base64-encoded string in the database. Ergo, it doesn't matter whether the original password strings were in unicode or not: they will be stored in the database as ascii (or binary), not unicode. I'm going to go ahead and remove this comment from the explanation. I'm pretty certain that there isn't enough information in the comic to figure out why salting passwords with emoji would fix a unicode-handling bug in the URL request library. So I suspect that there is no explanation there: either Cueball is entirely confused and his statement makes no sense, or there is simply not enough information given to help us understand why this solution might fix the problem. However, I'm not going to make any updates to the explanation about this yet, because perhaps I'm missing something someone else will notice. [[User:Cmancone|Cmancone]] 12:50, 29 June 2016 (ETC)
:I suspect that the salting with emoji is to ensure that the password does not resolve as a URL (since the library cannot understand the encoding), and thus the issue of the crash is resolved, the issue of unsalted passwords is solved, and the issue of the unicode handling bug is "solved" by virtue of it now being a feature relied on by the system. [[Special:Contributions/173.245.56.68|173.245.56.68]] 20:50, 29 June 2016 (UTC)

I removed from the explanation the discussion about how Cueball's system might be checking passwords to see if they are resolvable URLs as a check against weak passwords. The problem with this explanation is that if that is where the crash was happening, then salting the password with emoji would not fix the crash. For salting to fix the crash (as Cueball suggests it will) requires that the crash be happening during the hashing process, not during password validation. The reason is because password validation is performed on the original password itself, while only hashing happens on the salted password. So for salting to fix the crash it must be happening during hashing, not validation. If the bug is happening while checking passwords for strength then Cueball's suggestion of fixing it by adding in a salt will not actually fix the crash at all. It could be that Cueball is simply completely wrong about everything, but I think it makes more sense to go with an explanation where the title text didn't just get everything wrong.[[User:Cmancone|Cmancone]] ([[User talk:Cmancone|talk]]) 13:12, 30 June 2016 (UTC)

In the nomenclature I am familiar with mailto:somebody@example.com is a URL. If you accept that mailto (and other protocols) are also URLs some of the description is untrue. Fortunately the untrue bits are also unnecessary and can be deleted or generalized.--[[Special:Contributions/108.162.219.11|108.162.219.11]] 04:51, 1 July 2016 (UTC)
Definitely a sequel to 1084[[Special:Contributions/108.162.221.92|108.162.221.92]] 08:27, 1 July 2016 (UTC)

The explanation of 'Resolveable URL' is very confusing and mostly wrong, it is mixing up technologies like HTTP and DNS and is confusing FQDN's with URLs. Though admittedly, the term 'resolveable URL' is a bit of a misnomer by itself. URLs are typically not resolved, they contain an FQDN that is resolved via DNS to an IP(v6) address and optionally port. The remainder of the URL can be used to identify a resource on that server, but how this is done and signaled is quite application/protocol dependent (and shouldn't be called 'resolving'). So if you hit a 404 the FQDN actually resolved but the HTTP resource could not be found. A non-resolveable URL would give a browser error like 'unknown host'. [[Special:Contributions/162.158.83.198|162.158.83.198]] 09:59, 1 July 2016 (UTC)

Talk:1700: New Bug

2016-07-01T11:11:28Z

Pmakholm:

''Italic text''

I'm new. For the explanation: A bug, as in a computer (programming) bug, can be reported and tracked, and many systems allow collaboration on the reporting and tracking of problems, or bugs, in code, and their solutions. Cueball reported a problem (bug) he found in the code, which presumably caused the server (program)—which he wrote as part of his project—to try to read the passwords as URLs before storing them. This exposes serious cross-site scripting attacks and other serious security vulnerabilities, and since handling password and user account information usually requires a lot of programming, this would be difficult to fix, which is why the character off-panel suggests burning the project down, as that would be much easier, and would solve any security problems, much more quickly than fixing the bug would. The comment text refers to Cueball's horrid solution to a horrid problem: Instead of solving the problem that is causing the server to read passwords as URLs, he can instead leverage a known problem in the programme which reads URLs which prevents it from reading a particular way of representing text in binary form, by adding a few characters to the user's password that the URL-reading program can't read. This would also "salt" the user's password, which is a security technique that makes passwords harder to figure out when they are stored properly. Cueball thinks this would solve the original problem, and two other problems at the same time, the second problem being the fact that user's passwords aren't salted (a security problem). The third solved problem is difficult to deduce. &emsp;[[User:Zyzygy|Zyzygy]] 05:40, 29 June 2016 (UTC)

: The third bug is the unicode handling, which would need to be solved in order to salt passwords with emoji since these are unicode only character. Although I'm not sure if salting with emoji really increases security since as a rule i'd say nobody uses emoji in their passwords. [[Special:Contributions/162.158.85.123|162.158.85.123]] 06:34, 29 June 2016 (UTC)

::Password: 👍🐎🔋Π [[Special:Contributions/141.101.98.131|141.101.98.131]] 10:11, 29 June 2016 (UTC)
:::That is a really funny password, [[936: Password Strength|but is it strong ennough?]] :-) --[[User:Kynde|Kynde]] ([[User talk:Kynde|talk]]) 20:22, 29 June 2016 (UTC)

:Actually, nobody using emoji in their password would be reason salting with emoji is MORE effective. Salting doesn't really increase security of single password, but it does increase security of whole password database, because you can hash some string - like, [http://www.telegraph.co.uk/technology/2016/01/26/most-common-passwords-revealed---and-theyre-ridiculously-easy-to/ 123456] and check whole database for users having that as password. If every password is salted with different emoji, this strategy will not work, because while you KNOW which emoji is used - the salt is stored unhashed with the password hash - it's always different so you need to compute new hash for every line in password database. Hashing takes MUCH more time than just comparing strings. And how it's even more effective? Because someone might actually get multiple databases and search for entries with same salt, hoping there will be enough of them to be worth it. And salt with emoji likely wouldn't be so common ... -- [[User:Hkmaly|Hkmaly]] ([[User talk:Hkmaly|talk]]) 09:54, 29 June 2016 (UTC)

From 108.162.221.22 (long rant)
:Two comments: first, the explanation on password salting is incorrect. The current version says "Salting passwords increases security by adding random data to the passwords which primarily helps defend against dictionary attacks.". Password salting only protects against particular kinds of (common) attacks in specific situations. Most importantly, it is designed to protect passwords only in the event ofa database breach, when a malicious user has gained direct access to the database itself. Password salting provides no protection when brute force attacks (aka dictionary attacks) are directed at the application itself, as the application automatically takes hashes into account. Instead, proper password salting randomizes the hash for each password, ensuring that if two users have the same password, they will not have the same hash. This makes it much more difficult to guess passwords through attack vectors like lookup tables, reverse lookup tables, and rainbow tables. However, because the salt has to be stored with the password (otherwise the application would not be able to make sense of the hash itself), password salting does not secure passwords against dictionary attacks even in the event that a malicious user has managed to acquire the database itself. I will update the explanation with a brief description of what password salts do.
:Finally, I think there is a big misunderstanding throughout this explanation. In a web services context the "server" (referenced in the comic) is a very different thing than the application that a programmer builds. A server can refer to either the computer itself or the software that is responsible for responding to web requests and executing the actual application. In a professional context, the application (which is what cueball would be building) would never be referred to as the "server". It is possible that this is a mis-use of terminology on the part of cueball or Randall, but I suspect that the term was used properly and intentionally. The reason is because if cueball's application is crashing the *server*, it takes the level of incompetence up to completely new (and unusual) levels, in much the same way that he has done in the past. Normally the programming language used to build the application, the software hosting the application, and the operating system itself have a number of safe guards in place to ensure that if an application misbehaves, the only thing that crashes is the application itself. For cueball's application to break through all those safeguards and crash the server itself (either the operating system or the web server software) would require cueball to have developed a program that operates *well* outside the bounds of normal procedures. Just for reference, as someone who has been building web software for over 15 years, I wouldn't even know where to start to crash the server from within an application. It would probably have to involve either exploiting a previously unknown bug in the programming language or some *very* poorly designed system calls. [[Special:Contributions/108.162.221.22 15:11, 29 June 2016‎ 108.162.221.22]] (Rememeber to sign your comments)

Regarding those last two points: sorry for my long unsigned rant. Didn't realize I wasn't logged in. Still haven't figured out how to sign comments. Gonna try it this time. [[User:Cmancone|Cmancone]] ([[User talk:Cmancone|talk]]) 16:51, 29 June 2016 (UTC)--
:You made it ;-) --[[User:Kynde|Kynde]] ([[User talk:Kynde|talk]]) 20:22, 29 June 2016 (UTC)

Explanation says "There is no reason for password handling code to access urls" but that is somewhat wrong -- Password handling code frequently perform heuristics on the password to assess the strength, for example checking if part of the password is a dictionary word -- similar heuristics could be done to check thatthe password is not a URL, such as "xkcd.com" applying DNS and other internet resources as an extention of the concept of "dictionary". [[User:Spongebog|Spongebob]] ([[User talk:Spongebog|talk]]) 16:11, 29 June 2016 (UTC)

:I think http://xkcd.com/correct/horse/battery/staple/ would be a perfectly fine password, even though it is also an URL – but a heuristic that just looks at the length of the password and if it only contains alphanumeric characters would probably be fooled. Trying to detect the scheme used to generate the password could be helpful in choosing a relevant heuristic for deciding the password strength. Ont the other hand, I would consider it very bad to actually test whether the URL is resolvable in any way that leaks information about the password to the outside. [[User:Pmakholm|Pmakholm]] ([[User talk:Pmakholm|talk]]) 11:11, 1 July 2016 (UTC)

Currently the explanation says: "Finally, emoji will often include unicode characters, which means that, if one can effectively salt passwords with emoji, then the passwords should be able to be stored in unicode (although that *probably* doesn't require anything outside the Base Multilingual Plane, so that might not need full unicode support after-all)." I'm fairly convinced that this doesn't make sense and is incorrect. Regardless of what character encoding the password is in, hashing will convert the entire thing into binary. This binary is then typically stored as a base64-encoded string in the database. Ergo, it doesn't matter whether the original password strings were in unicode or not: they will be stored in the database as ascii (or binary), not unicode. I'm going to go ahead and remove this comment from the explanation. I'm pretty certain that there isn't enough information in the comic to figure out why salting passwords with emoji would fix a unicode-handling bug in the URL request library. So I suspect that there is no explanation there: either Cueball is entirely confused and his statement makes no sense, or there is simply not enough information given to help us understand why this solution might fix the problem. However, I'm not going to make any updates to the explanation about this yet, because perhaps I'm missing something someone else will notice. [[User:Cmancone|Cmancone]] 12:50, 29 June 2016 (ETC)
:I suspect that the salting with emoji is to ensure that the password does not resolve as a URL (since the library cannot understand the encoding), and thus the issue of the crash is resolved, the issue of unsalted passwords is solved, and the issue of the unicode handling bug is "solved" by virtue of it now being a feature relied on by the system. [[Special:Contributions/173.245.56.68|173.245.56.68]] 20:50, 29 June 2016 (UTC)

I removed from the explanation the discussion about how Cueball's system might be checking passwords to see if they are resolvable URLs as a check against weak passwords. The problem with this explanation is that if that is where the crash was happening, then salting the password with emoji would not fix the crash. For salting to fix the crash (as Cueball suggests it will) requires that the crash be happening during the hashing process, not during password validation. The reason is because password validation is performed on the original password itself, while only hashing happens on the salted password. So for salting to fix the crash it must be happening during hashing, not validation. If the bug is happening while checking passwords for strength then Cueball's suggestion of fixing it by adding in a salt will not actually fix the crash at all. It could be that Cueball is simply completely wrong about everything, but I think it makes more sense to go with an explanation where the title text didn't just get everything wrong.[[User:Cmancone|Cmancone]] ([[User talk:Cmancone|talk]]) 13:12, 30 June 2016 (UTC)

In the nomenclature I am familiar with mailto:somebody@example.com is a URL. If you accept that mailto (and other protocols) are also URLs some of the description is untrue. Fortunately the untrue bits are also unnecessary and can be deleted or generalized.--[[Special:Contributions/108.162.219.11|108.162.219.11]] 04:51, 1 July 2016 (UTC)
Definitely a sequel to 1084[[Special:Contributions/108.162.221.92|108.162.221.92]] 08:27, 1 July 2016 (UTC)

The explanation of 'Resolveable URL' is very confusing and mostly wrong, it is mixing up technologies like HTTP and DNS and is confusing FQDN's with URLs. Though admittedly, the term 'resolveable URL' is a bit of a misnomer by itself. URLs are typically not resolved, they contain an FQDN that is resolved via DNS to an IP(v6) address and optionally port. The remainder of the URL can be used to identify a resource on that server, but how this is done and signaled is quite application/protocol dependent (and shouldn't be called 'resolving'). So if you hit a 404 the FQDN actually resolved but the HTTP resource could not be found. A non-resolveable URL would give a browser error like 'unknown host'. [[Special:Contributions/162.158.83.198|162.158.83.198]] 09:59, 1 July 2016 (UTC)

1354: Heartbleed Explanation

2014-04-11T08:29:22Z

Pmakholm: Short discussion of the usual need to simplify popular explanations for security bugs.

{{comic
| number = 1354
| date = April 11, 2014
| title = Heartbleed Explanation
| image = heartbleed_explanation.png
| titletext = Are you still there, server? It's me, Margaret.
}}

==Explanation==
The {{w|Heartbleed bug}} has received a lot of news coverage recently and was also the topic of the previous comic ([[1353]]). This comic explains how the bug may have been discovered and can be exploited to reveal a server's memory contents. A hypothetical hacker (Meg) sends heartbeat requests to the server, the server responds to the heartbeat request by returning the contents of the body of the request up to the number of letters requested. The first two requests are well formed, requesting exactly the number of characters in the request body. The server is shown "thinking" about Meg's request with many other thoughts going on at the same time, analogous to the internal memory contents of a real web server. The last request sends "HAT" but requests 500 letters, the server - unaware that 500 letters is larger than the request body - returns "HAT" plus 497 letters that happened to be next to the word "HAT" in its memory. Included are many sensitive bits of information, including a master key and user passwords.

Often popular explanations of security bugs requires the issue to be simplified a lot and to leave out a lot of details. But in this case the bug is actually that simple.

The hover text is a reference to ''Are you there God? It's me, Margaret.'' a novel by Judy Bloome.

==Transcript==
:'''How the Heartbleed bug works:'''
:Megan: Server, are you still there? If so, reply "POTATO" (6 letters).
:Server (amongst other thoughts): User Meg wants these 6 letters: POTATO.
:Server: POTATO
:Megan: Server, are you still there? If so, reply "BIRD" (4 letters).
:Server (amongst other thoughts): User Meg wants these 4 letters: BIRD.
:Megan: Hmm...
:Server: BIRD
:Megan: Server, are you still there? If so, reply "HAT" (500 letters).
:Server (amongst other thoughts): User Meg wants these 500 letters: HAT.
:Server: HAT. Lucas requests the "missed connections" page. Eve (administrator) wants to set server's key to "14835038534". Isabel wants pages about "snakes but not too long". User Karen wants to change account password to "CoHoBaSt". User Amber requests pass...
:[Megan is seen writing this down.]

{{comic discussion}}
[[Category:Comics featuring Megan]]
[[Category:Computers]]

1337: Hack

2014-03-03T08:32:06Z

Pmakholm: Clean-up

{{comic
| number = 1337
| date = March 3, 2014
| title = Hack
| image = hack.png
| titletext = HACK THE STARS
}}

==Explanation==
{{incomplete|Created by a BOT - Please change this comment when editing this page.}}

[[wikipedia:ISEE-3/ICE|ISEE-3/ICE]] is a spacecraft launched August 12, 1978. The original mission was to study the interaction between the Earth's magnetic field and the solar wind. It was later sent to visit Comet Giacobini-Zinner and became the first spacecraft to do so by flying through a comet's tail. It's trajectory will bring it close to Earth on August 2014. A status check of the spacecraft has revealed that many of it's instruments are still working and that it contains plenty of fuel. But the hardware to communicate with ISEE-3/ICE has been decommissioned adn it will be expensive to reestablish the communication needed to use the spacecraft for another mission. See also http://www.planetary.org/blogs/emily-lakdawalla/2014/02070836-isee-3.html

The characters Crash and Burn (and also Zero Cool, known for his catchphrase "Mess with the best, die like the rest") are an allusion to the 1995 movie [[wikipedia:Hackers (film)|Hackers]. Since the movie predates the shutdown-signal (1997), the charakters should both posess the skills and 'outdated' equipment to understand and hack the signal to the probe.

==Transcript==
{{incomplete transcript}}

{{comic discussion}}

1337: Hack

2014-03-03T08:28:25Z

Pmakholm: Added basic explanation

{{comic
| number = 1337
| date = March 3, 2014
| title = Hack
| image = hack.png
| titletext = HACK THE STARS
}}

==Explanation==
{{incomplete|Created by a BOT - Please change this comment when editing this page.}}

[[wikipedia:ISEE-3/ICE|ISEE-3/ICE]] is a spacecraft launched August 12, 1978. The original mission was to study the interaction between the Earth's magnetic field and the solar wind. It was later sent to visit Comet Giacobini-Zinner and became the first spacecraft to do so by flying through a comet's tail. It's trajectory will bring it close to Earth on August 2014. A status check of the spacecraft has revealed that many of it's instruments are still working and that it contains plenty of fuel. But the hardware to communicate with ISEE-3/ICE has been decommissioned adn it will be expensive to reestablish the communication needed to use the spacecraft for another mission.

The last 4 panels are a reference to the 1995 movie [[wikipedia:Hackers (film)|Hackers]] where 'Chrash' and 'burn' are the main characters.

Seems to be based on true story -- http://www.planetary.org/blogs/emily-lakdawalla/2014/02070836-isee-3.html

The characters Crash and Burn (and also Zero Cool, known for his catchphrase "Mess with the best, die like the rest") are an allusion to the 1995 movie [http://en.wikipedia.org/wiki/Hackers_(film) ''Hackers'']. Since the movie predates the shutdown-signal (1997), the charakters should both posess the skills and 'outdated' equipment to understand and hack the signal to the probe.

==Transcript==
{{incomplete transcript}}

{{comic discussion}}

Talk:1281: Minifigs

2013-10-23T10:17:27Z

Pmakholm:

This is my first time at trying to explain something. Even if it's replaced by a better one, I hope it gets the point across.

Cheers!

[[Special:Contributions/189.186.138.149|189.186.138.149]] 05:34, 23 October 2013 (UTC)

Related question: what is the current population of Teddy bears? And what about Barbies? -- [[User:Hkmaly|Hkmaly]] ([[User talk:Hkmaly|talk]]) 08:44, 23 October 2013 (UTC)

Then we are just waiting for a Wikipedian to remove the comparison of tires manufactures as Wikipedia is not the place for random facts appearing in XKCD comics. [[User:Pmakholm|Pmakholm]] ([[User talk:Pmakholm|talk]]) 10:17, 23 October 2013 (UTC)

Talk:1277: Ayn Random

2013-10-14T09:33:25Z

Pmakholm:

I think that should be /(\b[plurandy]+\b ?){2}/i.

[[Special:Contributions/173.66.108.213|173.66.108.213]] 05:12, 14 October 2013 (UTC)

I agree. I was confused for a while about what the b's were doing.

[[Special:Contributions/99.126.178.56|99.126.178.56]] 06:57, 14 October 2013 (UTC)

Maybe it's time to have an Ayn Rand category? --[[Special:Contributions/141.89.226.146|141.89.226.146]] 07:34, 14 October 2013 (UTC)

Can someone explain to the mathematically challenged *how* the list of names fits the regular expression? [[Special:Contributions/141.2.75.23|141.2.75.23]] 09:14, 14 October 2013 (UTC)
: Agreed, I would like to understand what the hell is going on with that. --[[User:Zagorath|Zagorath]] ([[User talk:Zagorath|talk]]) 09:20, 14 October 2013 (UTC)
: How specific do you want it? Basically it matches two words consisting of the letters plurandy. The list of names is just a random selection of two part names that only consists of these letters. More specifically it matches: Two groups ({2}), each consisting of a word boundary (\b), followed by a non-empty sequence of the letters plurandy ([pluerandy]+), followed by a word boundary (\b), finally followed by an optional space ( ?). [[User:Pmakholm|Pmakholm]] ([[User talk:Pmakholm|talk]]) 09:33, 14 October 2013 (UTC)

[[Special:Contributions/209.132.186.34|209.132.186.34]] 09:26, 14 October 2013 (UTC)

I do not think Randal would make such mistake, he would probably use \< \> anyway... unless, he wants us
to think he did mistake, or that backslash was eliminated in html/javascript... thus poining ut to
source code of the page... is there something interesting?

1277: Ayn Random

2013-10-14T08:04:13Z

Pmakholm: /* Explanation */

{{comic
| number = 1277
| date = October 14, 2013
| title = Ayn Random
| image = ayn random.png
| titletext = In a cavern deep below the Earth, Ayn Rand, Paul Ryan, Rand Paul, Ann Druyan, Paul Rudd, Alan Alda, and Duran Duran meet togther in the Secret Council of /(b[plurandy]+b ?){2}/i.
}}

==Explanation==
{{incomplete}}

This comic begins with a pun on {{w|Ayn Rand}}, the name of a writer who created a philosophical system known as {{w|Objectivism (Ayn Rand)|Objectivism}}. Objectivists believe that the primary aim of life is to maximise personal happiness. In their view, if some humans are born more capable of satisfying their desires than other people, they deserve to reap greater rewards from life than others. In the comic, White Hat uses a similar line of reason to justify some numbers appearing more often than others in a "random" number generator.

The title text notes identifies a group of people whose names fall under (are within the namespace identified by) the {{w|regular expression}} <code>/(b[plurandy]+b ?){2}/i</code>. (This seems to be a mistake; the correct expression should be <code>/(\b[plurandy]+\b ?){2}/i</code>.)

{| class="wikitable"
|-
! Person !! Brief Description
|-
| {{w|Ayn Rand}} || Author, best know for her novels {{w|The Fountainhead}} and {{w|Atlas Shrugged}}.
|-
| {{w|Paul Ryan}} || US Politician
|-
| {{w|Rand Paul}} || US Politician,
|-
| {{w|Ann Druyan}} || Author
|-
| {{w|Paul Rudd}} || Actor, screenwriter, comedian
|-
| {{w|Alan Alda}} || Actor, best know for the role of Hawkeye Pierce in the TV series M*A*S*H
|-
| {{w|Duran Duran}} || New Wave/Rock band
|}

==Transcript==
:[Cueball sitting at a laptop, White Hat behind him.]
:Cueball: This Ayn Random number generator you wrote ''claims'' to be fair, but the output is biased toward certain numbers.
:White Hat: '''''Well, maybe those numbers are just intrinsically better!'''''

{{comic discussion}}
[[Category:Comics featuring Cueball]]
[[Category:Comics featuring White Hat]]
[[Category:Programming]]
[[Category:Comics featuring real people]]
[[Category:Philosophy]]
[[Category:Math]]

1277: Ayn Random

2013-10-14T08:03:19Z

Pmakholm: Extended description of Ayn Rand

{{comic
| number = 1277
| date = October 14, 2013
| title = Ayn Random
| image = ayn random.png
| titletext = In a cavern deep below the Earth, Ayn Rand, Paul Ryan, Rand Paul, Ann Druyan, Paul Rudd, Alan Alda, and Duran Duran meet togther in the Secret Council of /(b[plurandy]+b ?){2}/i.
}}

==Explanation==
{{incomplete}}

This comic begins with a pun on {{w|Ayn Rand}}, the name of a writer who created a philosophical system known as {{w|Objectivism (Ayn Rand)|Objectivism}}. Objectivists believe that the primary aim of life is to maximise personal happiness. In their view, if some humans are born more capable of satisfying their desires than other people, they deserve to reap greater rewards from life than others. In the comic, White Hat uses a similar line of reason to justify some numbers appearing more often than others in a "random" number generator.

The title text notes identifies a group of people whose names fall under (are within the namespace identified by) the {{w|regular expression}} <code>/(b[plurandy]+b ?){2}/i</code>. (This seems to be a mistake; the correct expression should be <code>/(\b[plurandy]+\b ?){2}/i</code>.)

{| class="wikitable"
|-
! Person !! Brief Description
|-
| {{w|Ayn Rand}} || Author, best know for her novels {{w|The Fountainhead}} and {{w||Atlas Shrugged}}.
|-
| {{w|Paul Ryan}} || US Politician
|-
| {{w|Rand Paul}} || US Politician,
|-
| {{w|Ann Druyan}} || Author
|-
| {{w|Paul Rudd}} || Actor, screenwriter, comedian
|-
| {{w|Alan Alda}} || Actor, best know for the role of Hawkeye Pierce in the TV series M*A*S*H
|-
| {{w|Duran Duran}} || New Wave/Rock band
|}

==Transcript==
:[Cueball sitting at a laptop, White Hat behind him.]
:Cueball: This Ayn Random number generator you wrote ''claims'' to be fair, but the output is biased toward certain numbers.
:White Hat: '''''Well, maybe those numbers are just intrinsically better!'''''

{{comic discussion}}
[[Category:Comics featuring Cueball]]
[[Category:Comics featuring White Hat]]
[[Category:Programming]]
[[Category:Comics featuring real people]]
[[Category:Philosophy]]
[[Category:Math]]

1277: Ayn Random

2013-10-14T08:01:09Z

Pmakholm: /* Explanation */

{{comic
| number = 1277
| date = October 14, 2013
| title = Ayn Random
| image = ayn random.png
| titletext = In a cavern deep below the Earth, Ayn Rand, Paul Ryan, Rand Paul, Ann Druyan, Paul Rudd, Alan Alda, and Duran Duran meet togther in the Secret Council of /(b[plurandy]+b ?){2}/i.
}}

==Explanation==
{{incomplete}}

This comic begins with a pun on {{w|Ayn Rand}}, the name of a writer who created a philosophical system known as {{w|Objectivism (Ayn Rand)|Objectivism}}. Objectivists believe that the primary aim of life is to maximise personal happiness. In their view, if some humans are born more capable of satisfying their desires than other people, they deserve to reap greater rewards from life than others. In the comic, White Hat uses a similar line of reason to justify some numbers appearing more often than others in a "random" number generator.

The title text notes identifies a group of people whose names fall under (are within the namespace identified by) the {{w|regular expression}} <code>/(b[plurandy]+b ?){2}/i</code>. (This seems to be a mistake; the correct expression should be <code>/(\b[plurandy]+\b ?){2}/i</code>.)

{| class="wikitable"
|-
! Person !! Brief Description
|-
| {{w|Ayn Rand}} || Author
|-
| {{w|Paul Ryan}} || US Politician
|-
| {{w|Rand Paul}} || US Politician,
|-
| {{w|Ann Druyan}} || Author
|-
| {{w|Paul Rudd}} || Actor, screenwriter, comedian
|-
| {{w|Alan Alda}} || Actor, best know for the role of Hawkeye Pierce in the TV series M*A*S*H
|-
| {{w|Duran Duran}} || New Wave/Rock band
|}

==Transcript==
:[Cueball sitting at a laptop, White Hat behind him.]
:Cueball: This Ayn Random number generator you wrote ''claims'' to be fair, but the output is biased toward certain numbers.
:White Hat: '''''Well, maybe those numbers are just intrinsically better!'''''

{{comic discussion}}
[[Category:Comics featuring Cueball]]
[[Category:Comics featuring White Hat]]
[[Category:Programming]]
[[Category:Comics featuring real people]]
[[Category:Philosophy]]
[[Category:Math]]

1277: Ayn Random

2013-10-14T07:57:48Z

Pmakholm: /* Explanation */

{{comic
| number = 1277
| date = October 14, 2013
| title = Ayn Random
| image = ayn random.png
| titletext = In a cavern deep below the Earth, Ayn Rand, Paul Ryan, Rand Paul, Ann Druyan, Paul Rudd, Alan Alda, and Duran Duran meet togther in the Secret Council of /(b[plurandy]+b ?){2}/i.
}}

==Explanation==
{{incomplete}}

This comic begins with a pun on {{w|Ayn Rand}}, the name of a writer who created a philosophical system known as {{w|Objectivism (Ayn Rand)|Objectivism}}. Objectivists believe that the primary aim of life is to maximise personal happiness. In their view, if some humans are born more capable of satisfying their desires than other people, they deserve to reap greater rewards from life than others. In the comic, White Hat uses a similar line of reason to justify some numbers appearing more often than others in a "random" number generator.

The title text notes identifies a group of people whose names fall under (are within the namespace identified by) the {{w|regular expression}} <code>/(b[plurandy]+b ?){2}/i</code>. (This seems to be a mistake; the correct expression should be <code>/(\b[plurandy]+\b ?){2}/i</code>.)

{| class="wikitable"
|-
! Person !! Brief Description
|-
| {{w|Ayn Rand}} || Author
|-
| {{w|Paul Ryan}} || US Politician
|-
| {{w|Rand Paul}} || US Politician
|-
| {{w|Ann Druyan}} || Author
|-
| {{w|Paul Rudd}} || Actor, screenwriter, comedian
|-
| {{w|Alan Alda}} || Actor
|-
| {{w|Duran Duran}} || New Wave/Rock band
|}

==Transcript==
:[Cueball sitting at a laptop, White Hat behind him.]
:Cueball: This Ayn Random number generator you wrote ''claims'' to be fair, but the output is biased toward certain numbers.
:White Hat: '''''Well, maybe those numbers are just intrinsically better!'''''

{{comic discussion}}
[[Category:Comics featuring Cueball]]
[[Category:Comics featuring White Hat]]
[[Category:Programming]]
[[Category:Comics featuring real people]]
[[Category:Philosophy]]
[[Category:Math]]

1277: Ayn Random

2013-10-14T07:57:05Z

Pmakholm: Added table with links to persons mentioned in title text

{{comic
| number = 1277
| date = October 14, 2013
| title = Ayn Random
| image = ayn random.png
| titletext = In a cavern deep below the Earth, Ayn Rand, Paul Ryan, Rand Paul, Ann Druyan, Paul Rudd, Alan Alda, and Duran Duran meet togther in the Secret Council of /(b[plurandy]+b ?){2}/i.
}}

==Explanation==
{{incomplete}}

This comic begins with a pun on {{w|Ayn Rand}}, the name of a writer who created a philosophical system known as {{w|Objectivism (Ayn Rand)|Objectivism}}. Objectivists believe that the primary aim of life is to maximise personal happiness. In their view, if some humans are born more capable of satisfying their desires than other people, they deserve to reap greater rewards from life than others. In the comic, White Hat uses a similar line of reason to justify some numbers appearing more often than others in a "random" number generator.

The title text notes identifies a group of people whose names fall under (are within the namespace identified by) the {{w|regular expression}} <code>/(b[plurandy]+b ?){2}/i</code>. (This seems to be a mistake; the correct expression should be <code>/(\b[plurandy]+\b ?){2}/i</code>.)

{| class="wikitable"
|-
! Person !! Brief Description
|-
| {{w|Ayn Rand}} || Author
|-
| {{w|Paul ryan}} || US Politician
|-
| {{w|Rand Paul}} || US Politician
|-
| {{w|Ann Druyan}} || Author
|-
| {{w|Paul Rudd}} || Actor, screenwriter, comedian
|-
| {{w|Alan Alda}} || Actor
|-
| {{w|Duran Duran}} || New Wave/Rock band
|}

==Transcript==
:[Cueball sitting at a laptop, White Hat behind him.]
:Cueball: This Ayn Random number generator you wrote ''claims'' to be fair, but the output is biased toward certain numbers.
:White Hat: '''''Well, maybe those numbers are just intrinsically better!'''''

{{comic discussion}}
[[Category:Comics featuring Cueball]]
[[Category:Comics featuring White Hat]]
[[Category:Programming]]
[[Category:Comics featuring real people]]
[[Category:Philosophy]]
[[Category:Math]]

Talk:1268: Alternate Universe

2013-09-23T08:35:14Z

Pmakholm:

I thought Earth Prime was a reference to Sliders... but Wikipedia says it's been used much more widely. [[User:Saibot84|Saibot84]] ([[User talk:Saibot84|talk]]) 04:40, 23 September 2013 (UTC)

Wait, wait ... only "some of you" change your clocks? In the universe I just came from, MOST of them changed their clocks at unsynchronized times for no good reason anyone has ever been able to demonstrate. Only the Third World along with Hawaii and Saskatchewan were holdouts where I came from.{{unsigned ip|72.68.9.56}}

Neither India nor China are having this obscure idea of occasionally changing their clocks for no obvious reasons. So even "most" might be a bit of a stretch. [[User:Pmakholm|Pmakholm]] ([[User talk:Pmakholm|talk]])

Yeah I think it's a Sliders reference. Randall says he was transported in the late 1990s and Sliders aired from 1995-2000. [[Special:Contributions/184.56.86.168|184.56.86.168]] 06:02, 23 September 2013 (UTC)

They eat spiders in some parts of this world, e.g. Cambodia. [[User:Geevade|Geevade]] ([[User talk:Geevade|talk]]) 06:54, 23 September 2013 (UTC)

Talk:1191: The Past

2013-04-04T12:56:49Z

Pmakholm:

WOW. When I first read the comic, I assumed it was making an analogy to current countries. Like ones that have been invaded because of their oil reserves. When I saw the image-text, my thought was "We can destroy time like we've destroyed these countries." The above explanation makes a lot more sense. [[Special:Contributions/76.106.251.87|76.106.251.87]] 06:17, 27 March 2013 (UTC)
: I don't think there's a distinction. "If history has taught us anything, we can use that information to destroy it". If you destroy the country in the past, then you 'destroy' that timeline of history. (Of course, current consensus seems to be that you'd branch off into a new timeline and both will exist in parallel universes, but nonetheless - to the antagonist - it could well count as a destruction. [[Special:Contributions/220.224.246.97|220.224.246.97]] 08:50, 27 March 2013 (UTC)
::Perhaps, but nothing I was saying was referring to time travel. [[Special:Contributions/76.106.251.87|76.106.251.87]] 00:47, 29 March 2013 (UTC)

The past is a foreign country most probably means his own country. You would not conquer your own country today, but the past is something totally different - it is foreign and ready for exploitation.

Anyone else thinking of time travel? I think BlackHat was planning to get a time-machine (somehow), bring a whole army through and conquer a nation. It's an easier way to become a mighty overlord, ruling over continents and enslaving millions of people. World domination turn out to not impossible after all, aside from the time-travel stuff. [[Special:Contributions/129.59.52.45|129.59.52.45]] 02:43, 28 March 2013 (UTC)

Does this have anything to do with the previous comic (Time) ? I'm guessing (out of the blue) that the next comic will be "The Present", and the next one "The future". [[Special:Contributions/193.239.192.194|193.239.192.194]] 12:43, 28 March 2013 (UTC)

Did anyone think about Iraq? This comic comes quite close to the 10-year anniversary of the war, and the description of the "foreign country" quite resembles what Iraq was at the time.
[[Special:Contributions/88.174.44.135|88.174.44.135]] 19:28, 28 March 2013 (UTC)

:Did anyone NOT think about [[wikipedia:Iraq_War|Iraq]]? I though THAT parallel is so basic it doesn't need to be mentioned ... although mentioning the anniversary probably make sense, this information may be lost when someone will see this page later ... -- [[User:Hkmaly|Hkmaly]] ([[User talk:Hkmaly|talk]]) 12:14, 31 March 2013 (UTC)

:I didn't really think about Iraq, but I did think about [[wikipedia:Merchant_Princes#Merchant_Princes_series|Gruinmarkt]] even though this isn't time travel as such. --[[User:Pmakholm|Pmakholm]] ([[User talk:Pmakholm|talk]]) 12:56, 4 April 2013 (UTC)

Talk:1123: The Universal Label

2012-10-19T08:18:04Z

Pmakholm:

The label's missing energy. Just saying. [[User:Davidy22|Davidy22]] ([[User talk:Davidy22|talk]]) 04:34, 19 October 2012 (UTC)
:But isn't it somehow contained in the hydrogen? I don't know squat about quantum physics, so I'm probably wrong. [[Special:Contributions/108.233.253.211|108.233.253.211]] 04:49, 19 October 2012 (UTC)
----
So when [http://xkcd.com/282/ Mussolini made the trains run on thyme] he was really making them run on hydrogen '''and''' time?--[[User:Pmakholm|Pmakholm]] ([[User talk:Pmakholm|talk]]) 08:18, 19 October 2012 (UTC)

Talk:1122: Electoral Precedent

2012-10-18T16:04:43Z

Pmakholm:

I don't understand what he means by Alternative Tickets in the last frame.
:It does not say 'Alternative', it says {{w|Alliterative}}, meaning that both names starts with the same sound/letter. '''R'''omney/'''R'''yan --[[User:Pmakholm|Pmakholm]] ([[User talk:Pmakholm|talk]]) 16:04, 18 October 2012 (UTC)
----
My research tells me that Jefferson won 1800. Error on Randall's part? [[User:Davidy22|Davidy22]] ([[User talk:Davidy22|talk]]) 08:52, 17 October 2012 (UTC)

I'm a bit confused by 1792 vs. 1804: The latter is "No incumbent has beaten a challenger", but didn't Washington face any challenger when he was re-elected in 1792? [[User:Jolindbe|Jolindbe]] ([[User talk:Jolindbe|talk]]) 14:19, 17 October 2012 (UTC)
: {{w|United_States_presidential_election,_1792|He ran unopposed}} --[[User:Buggz|Buggz]] ([[User talk:Buggz|talk]]) 14:33, 17 October 2012 (UTC)
:: As far as I understand it, he had four opponents, but got all the votes. Then, the electoral college voted on whom to be the vice president among the remaining candidates. But it seems unlikely to get 100% of the popular votes, do I misinterpret the wiki page? [[User:Jolindbe|Jolindbe]] ([[User talk:Jolindbe|talk]]) 17:45, 17 October 2012 (UTC)
:::Well, back then, the electoral college didn't take their votes from the people. They just decided, so they decided to give Washington the presidency. [[Special:Contributions/140.247.0.79|140.247.0.79]] 18:55, 17 October 2012 (UTC)

----
"1904: No one under 45 has become president. ... Roosevelt did."

Sort of. {{w|Theodore Roosevelt}} (Oct 1858–1919) was under 45 when he ''became'' president, in 1901. But by the time of the ''1904'' election he was 46.
<br/>[[Special:Contributions/75.36.234.236|75.36.234.236]] 18:48, 17 October 2012 (UTC)
:Correct. Theodore Roosevelt was the youngest President to date, but Kennedy was the youngest yet ''elected''. [[Special:Contributions/67.51.59.66|67.51.59.66]] 20:09, 17 October 2012 (UTC)

The image needs to be updated. I'm not sure how to do that myself. [[Special:Contributions/76.122.5.96|76.122.5.96]] 23:56, 17 October 2012 (UTC)

Uploaded corrected image, changed tense on comments. Reload/refresh to check the 1800 frame should now show Jefferson... --[[User:Bpothier|B. P.]] ([[User talk:Bpothier|talk]]) 01:36, 18 October 2012 (UTC)

And how can people be from Virginia AND Massachusett? I think he meant OR.[[Special:Contributions/77.245.46.86|77.245.46.86]] 11:39, 18 October 2012 (UTC)

==Errors==
Should the errors be included in the article explanation, or should they just be discussed here in the chat box? I'm of the opinion that anything that doesn't go towards explaining the comic should go here in the discussion. I would lean towards keeping error nitpicking confined to the discussion page. [[User:Davidy22|Davidy22]] ([[User talk:Davidy22|talk]]) 13:19, 18 October 2012 (UTC)

Talk:1107: Sports Cheat Sheet

2012-09-12T18:17:16Z

Pmakholm:

Thanks to whoever added the hockey mention ("no love" in the comic, for sure). Maybe the comic needs another column for Canada, where hockey can be argued about year-round. (Yes, it's an exaggeration for comic effect.) As for the rest of the world, or at least ex-Commonwealth and neighboring countries (e.g. Australia, India, New Zealand), what about rugby and cricket? --'''BigMal27''' (no account) / [[Special:Contributions/192.136.15.177|192.136.15.177]] 15:29, 12 September 2012 (UTC)
:Forgot to mention that these sports don't have to be professional in nature. I know of plenty US collegiate arguments in both football (e.g. Michigan vs. Notre Dame or Michigan State or Ohio State) and basketball (everyone vs. everyone during the NCAA tournament a.k.a. "March Madness" (TM)). --'''BigMal27''' / [[Special:Contributions/192.136.15.177|192.136.15.177]] 17:33, 12 September 2012 (UTC)

The problem with the suggestion in the mouse over text is that everyone would have the same opinion on the same day! A better idea would be to have an App which selects from two or more oposing opinions and feed you a random one each day. (Personally being 'European' I'd prefer it to be more like the US! Sooo fed up with football discussions.) Steve B
:Then you run into the problem of two people who rely in that app falling into a sports discussion with each other rather than something else. If I were to find someone expressing the same canned opinion that I have from the twitter feed, at least I can say "who cares about sports, let's talk about something important: vi or emacs?". The twitter feed is best for someone who wants to fake sports knowledge to fit in. [[User:Blaisepascal|Blaisepascal]] ([[User talk:Blaisepascal|talk]]) 16:12, 12 September 2012 (UTC)
:The idea behind the twitter feed is to give people who really isn't interested in sport (aka. nerds) the opportunity to interact with so called normal people. It is just a variation on the http://bluffball.co.uk/ site refered to by [http://www.youtube.com/watch?v=NKHyqjHqQLU#t=32s an The IT Crowd episode]. Two users of the twitter feed would have more important subjects to discuss (like for example vi vs. emacs) [[User:Pmakholm|Pmakholm]] ([[User talk:Pmakholm|talk]]) 18:12, 12 September 2012 (UTC)

What is with the sports bent that Randall is on? Two sports comics in three weeks? Has this happened before? [[User:Lcarsos|lcarsos]] ([[User talk:Lcarsos|talk]]) 15:36, 12 September 2012 (UTC)

Talk:1107: Sports Cheat Sheet

2012-09-12T18:12:44Z

Pmakholm:

Thanks to whoever added the hockey mention ("no love" in the comic, for sure). Maybe the comic needs another column for Canada, where hockey can be argued about year-round. (Yes, it's an exaggeration for comic effect.) As for the rest of the world, or at least ex-Commonwealth and neighboring countries (e.g. Australia, India, New Zealand), what about rugby and cricket? --'''BigMal27''' (no account) / [[Special:Contributions/192.136.15.177|192.136.15.177]] 15:29, 12 September 2012 (UTC)
:Forgot to mention that these sports don't have to be professional in nature. I know of plenty US collegiate arguments in both football (e.g. Michigan vs. Notre Dame or Michigan State or Ohio State) and basketball (everyone vs. everyone during the NCAA tournament a.k.a. "March Madness" (TM)). --'''BigMal27''' / [[Special:Contributions/192.136.15.177|192.136.15.177]] 17:33, 12 September 2012 (UTC)

The problem with the suggestion in the mouse over text is that everyone would have the same opinion on the same day! A better idea would be to have an App which selects from two or more oposing opinions and feed you a random one each day. (Personally being 'European' I'd prefer it to be more like the US! Sooo fed up with football discussions.) Steve B
:Then you run into the problem of two people who rely in that app falling into a sports discussion with each other rather than something else. If I were to find someone expressing the same canned opinion that I have from the twitter feed, at least I can say "who cares about sports, let's talk about something important: vi or emacs?". The twitter feed is best for someone who wants to fake sports knowledge to fit in. [[User:Blaisepascal|Blaisepascal]] ([[User talk:Blaisepascal|talk]]) 16:12, 12 September 2012 (UTC)
:The idea behind the twitter feed is to give people who really isn't interested in sport (aka. nerds) the opportunity to interact with so called normal people. It is just a variation on the http://bluffball.co.uk/ site refered to by [http://www.youtube.com/watch?v=NKHyqjHqQLU#t=86s an The IT Crowd episode]. Two users of the twitter feed would have more important subjects to discuss (like for example vi vs. emacs) [[User:Pmakholm|Pmakholm]] ([[User talk:Pmakholm|talk]]) 18:12, 12 September 2012 (UTC)

What is with the sports bent that Randall is on? Two sports comics in three weeks? Has this happened before? [[User:Lcarsos|lcarsos]] ([[User talk:Lcarsos|talk]]) 15:36, 12 September 2012 (UTC)