## Securely distributing passwords and salts that will be derived by client programs

I am creating a client-server architecture running on top of the KCP protocol in Go. The package for KCP that I’m using is KCP-Go (https://github.com/xtaci/kcp-go). The package supports packet-level encryption and FEC. To use the packet-level encryption feature, I need to generate an AES key. Following the latest OWASP recommendations for securely storing passwords and keys, this is what I’ve done thus far:

• I have generated a 64-byte password and salt.
• I pass that to PBKDF2, using (600000 * num_cpus) rounds, and requesting a 32-byte key.

Now I am wondering how to exactly securely distribute this key. At this time, I start up another TCP server and allow clients to connect. When they do, I send them the password, salt, number of iterations, and checksum hashes for those three to ensure they’re not tampered with, and allow the client to perform key derivation. My question is: Is this method of distribution actually secure, or should I find some other way (i.e. using public keys)? If there is a more secure method to allow clients and the server to communicate, what should I do instead? I should note that when clients and servers send messages to one another a hash of the message is included along with the message to allow clients to verify the messages validity (I’m using SHAKE256). The hash funciton used during key derivation is BLAKE2B (though I have thought about using Argon2).

## Distributing library which internally using COM library

I would like to create a dll library that will be loading in runtime. The library’ll be using internally COM objects with MTA flag. The library will be created in main thread.

So I have question: Where there is best place where can I call ‘CoInitializeEx’ and ‘CoUninitialize’ functions. In the my dll(init/deinit functions) or client should call directly these functions?

I prefer first option. I would like avoid public dependig on COMs. Client shouldn’t know I’m using COMs, but also I’d like avoid crashes when client unload my lib(then I call ‘CoUninitialize’ for my lib) and other libs(depend on COM) will be in undefined state.

## Why is it not sufficient for the PKI to stop distributing a certificate after it becomes invalid?

Is it because a DC shows the associations between public keys and identities can be implemented by the PKI?

## Distributing and collecting information for a plot

I am preparing to run a larger plot via a MUSH that will involve several scenes but the players between the scenes might change, so not everybody will have the same information when joining scenes. This also means that not everybody is present for all scenes, and not everybody missing a scene will be bothered to read the logs. On the other hand, some players have characters that reasonably can and will gather extra information in the time between scenes.

I am willing to distribute this extra information to players asking for them and write up primer for scenes so people can be brought basically up to speed, but I am worried that the information distributed to the asking players is not brought into the RP by the players but lost.

How can I encourage the more proactive players to distribute those pieces of informations to the other involved players?

## Distributing 3-BSD code under the Apache license v2 only

Alice and Bob write a piece of source code (call it Source1) and publish it under the 3-BSD license. Later, Bob and Charlie are working on a software project, licensed under AL2 (Apache License v2). Bob wants to add Source1 to the new project’s source (with/without modifications).

So far, this is possible and easy – Source1 be introduced and distributed under 3-BSD while the project as a whole and the non-Source1 part of the code in particular are distributed under AL2; no problem.

However, for various reasons which we shall not go into, all code in the new project must be distributed under AL2. Every file, every function, everything.

What can Bob do so as to be able to meet this condition (other than not use Source1)?

Bonus question: Same scenario, except Source1 has not actually been published; it has just been decided and set in writing that it may be published under the terms of the 3-BSD license. Does this change things?

## Lazily Distributing Elements on a Fixed 2D Matrix

I’m trying to create a small game as part of a programming exercise, and was trying to devise a way to lazily create a 2D map for the player while they traverse it, finding resources.

Players are given: – An M x N grid to traverse. They are aware of the values of M and N. – The grid has K resources to find, each at least D squares away from the next nearest resource. The player knows K, but not the coordinates of the resources. – The player can perform the following actions: – Move (up, left, right, down) – Search current tile for resource – Resources remaining (K minus the resources already fount) – Resource spacing (Value of D, constant for all resources)

Players are given 100 “random” maps to traverse given the above rules, and must create a client to automatically traverse the grid while my server application provides the grids and metadata to the clients. (Note: I also have to make an efficient client as a demonstration)

Originally I considered using Lloyd’s relaxation on a Voronoi diagram to space out K resources on the MxN grid, but it’s a bit computationally expensive, along the lines of O(kMN). I was looking at other iterative ways to place K elements closer to O(N) when I wondered if it would be possible to lazily place elements only when players performed the Search action.

My idea was along the lines of, when player searches, roll a random number for the density (remaining k / unexplored M * N) to determine if a resource is present. If it is, track the coordinates of that resource, and surrounding coordinates D which cannot have other resources.

The issue is adjusting the probability of the Search action as the player goes to ensure that all K items wind up on the fixed M x N grid. If M and N were mutable it would be easy to just make the grid bigger until we fit all K items, but we unfortunately don’t have such luck. 🙂

If anyone has any good ideas for how to dynamically adjust the probability to ensure the player can always find all K items on the MxN grid, please let me know! I’ve been mathing it out a little and Googling around to no avail.

At worst, I can generate maps ahead of time and store them for the players to traverse, but that can become costly to store for extremely large grids.

Thanks!

## Distributing C# Dlls to Customers on Application Install

I am currently working on a software library that will be used to develop Class Libraries.

1. These class libraries can be run by our application running on the user’s machine

2. The application uses the same dlls that the customer uses to develop their library. The user code expects objects of certain types that are provided by the application when it is running.

3. A project template will be available to customers with the appropriate references for developing their library

I considered installing the dlls into the GAC on the customer’s machine. This way I could have a post build event on development machines that would use gacutil to install the dlls when they are built. The application code under development would reference the dlls in the GAC as opposed to the dlls in other projects on the machine. This would more closely represent a User’s machine when a dev is debugging. One problem here is the requirement of admin privileges for running gacutil.

I also considered just requiring the User projects (created from our templates) to reference the dlls from the location of the installed application since the dll dependencies are there ANYWAY for use by the application. What I’m not sure about is how references get resolved on a user machine vs a development machine since a development machine will not necessarily run the application from the same place as the user (it may just be running out of the build output directory)

Any suggestions about what approach I should take? I’ve read up on using assemblies in the GAC and creating project templates but I haven’t found much that describes how to deploy this setup to users (while also not creating too many headaches when developing).

## Number of ways of distributing 6 objects to 6 persons

I had some doubt regarding below problem.

The number of ways of distributing 6 objects to 6 persons such that at least one of them does not get anything.

I worked like

Without restriction total ways= $$7^6$$

Number of cases in which all persons get something=$$6!$$

Number of cases where at least one person does not get anything=$$7^6-6!$$

Am I correct?

Also if the probability is asked for at least one person don’t get any object then should it be equal to $$\frac{7^6-6!}{7^6}$$?