HackerTrans
TopNewTrendsCommentsPastAskShowJobs

alipitch

no profile record

comments

alipitch
·قبل 3 سنوات·discuss
I often visit news sites such as Hacker News. Can I use this "multi-account container" addon + something to get an experience like "iPhone Screen Time" and track my viewing time on news sites?
alipitch
·قبل 4 سنوات·discuss
Which did method supports rotation?

  did:key Not Supported
  did:web ???
Do only Proof-of-work methods (e.g. blockchains) support rotation?

  did:ion
Are there no did method based on keybase like tech?

https://www.w3.org/TR/2022/REC-did-core-20220719/#verificati...

  9.7 Verification Method Rotation
  Not all DID methods support verification method rotation.
https://github.com/w3c-ccg/did-method-key/blob/f511ed730f7d2...

  The did:key Method v0.7
  5.1 Key Rotation Not Supported
  This section is non-normative.
https://github.com/w3c-ccg/did-method-web/blob/1b4225ffd9be0...

  ???
https://lists.w3.org/Archives/Public/public-new-work/2021Sep...

   * Proof-of-work methods (e.g. blockchains) are harmful for sustainability
  (s12y).
alipitch
·قبل 4 سنوات·discuss
I found a page by Duo Labs listing Noise in Production.

https://duo.com/labs/tech-notes/noise-protocol-framework-int...

  Noise is used today in several high-profile projects:
    WhatsApp uses the "Noise Pipes" construction from the specification to perform encryption of client-server communications
    WireGuard, a modern VPN, uses the Noise IK pattern to establish encrypted channels between clients
    Slack's Nebula project, an overlay networking tool, uses Noise
    The Lightning Network uses Noise
    I2P uses Noise
alipitch
·قبل 4 سنوات·discuss
What are real world implementations of the Noise Protocol? https://github.com/noiseprotocol/noise_spec/blob/v34/noise.m...

Quick search shows WireGuard protocol, but I am not sure if how much of the WireGuard protocol is the same as the Noise Protocol.

https://www.wireguard.com/formal-verification/ https://www.wireguard.com/papers/wireguard-formal-verificati...

  The WireGuard protocol is extensively detailed in [2], which itself is based on the NoiseIK [3] handshake.
alipitch
·قبل 4 سنوات·discuss
For those who are not familiar with the term DRL in "SOC2 DRL line item", it is document request list (DRL).
alipitch
·قبل 4 سنوات·discuss
Thanks. Going through the docs now.

https://www.vaultproject.io/docs/concepts/seal#shamir-seals

  Shamir seals
  The default Vault config uses a Shamir seal. Instead of distributing the unseal key as a single key to an operator, Vault uses an algorithm known as Shamir's Secret Sharing to split the key into shards.
alipitch
·قبل 4 سنوات·discuss
Good guide to shell in general.

Google shell style guide [0] was also a good read. I thought that the "When to use Shell" section is a section that is good for any kind of guide, not just for bash / shell.

Also, maybe not so much a pitfall / bug, but something I had to deal with recently was that bash does not handle the EINTR when calling write() in the printf and echo builtins [1][2][3], etc.

[0] https://google.github.io/styleguide/shellguide.html#s1.2-whe...

  If you are writing a script that is more than 100 lines long, or that uses non-straightforward control flow logic, you should rewrite it in a more structured language now. Bear in mind that scripts grow. Rewrite your script early to avoid a more time-consuming rewrite at a later date.
[1] https://unix.stackexchange.com/a/487260

  handle the EINTR when calling write() in the printf and echo builtins. 
[2] https://github.com/torvalds/linux/blob/ca1fdab7fd27eb069df13...

  Q: what's up with this '/bin/echo' ?

  A: bash's builtin 'echo' command does not check calls to write() against
   errors. If you use it in the cgroup file system, you won't be
   able to tell whether a command succeeded or failed.
[3] https://lists.gnu.org/archive/html/bug-bash/2018-01/msg00031...

  write() not retried after EINTR in printf and echo
alipitch
·قبل 4 سنوات·discuss
Thanks! Also checked the github site. https://github.com/evildmp/diataxis-documentation-framework
alipitch
·قبل 4 سنوات·discuss
"Strict Identifier Verification" look kind of like CWE-304.

CWE-304: Missing Critical Step in Authentication <https://cwe.mitre.org/data/definitions/304.html>

Looking at the CWE-304 wording, this does not look like the right CWE, but OWASP ASVP 2.2.2 points to this CWE.

OWASP ASVP 2.2.2 <https://github.com/OWASP/ASVS/blob/v4.0.3_release/4.0/en/0x1...>

  2.2.2
  Verify that the use of weak authenticators (such as SMS and email) is limited to secondary verification and transaction approval and not as a replacement for more secure authentication methods. Verify that stronger methods are offered before weak methods, users are aware of the risks, or that proper measures are in place to limit the risks of account compromise.
  CWE-304
alipitch
·قبل 4 سنوات·discuss
For all five classes of attacks, the paper states that the root cause & mitigation is "Strict Identifier Verification".

  6.2 Root Cause & Mitigation
  6.2.1 Strict Identifier Verification
  The root cause of all of the attacks identified in the preceding sections is failure to verify ownership of the claimed identifier.
alipitch
·قبل 4 سنوات·discuss
possibly CWE-306?

CWE-306: Missing Authentication for Critical Function <https://cwe.mitre.org/data/definitions/306.html>

Looking at the CWE-306 wording, this does not look like the right CWE, but OWASP ASVP 3.7.1 points to this CWE.

OWASP ASVP 3.7.1 <https://github.com/OWASP/ASVS/blob/v4.0.3_release/4.0/en/0x1...>

  3.7.1
  Verify the application ensures a full, valid login session or requires re-authentication or secondary verification before allowing any sensitive transactions or account modifications.
  CWE-306
alipitch
·قبل 4 سنوات·discuss
- Unexpired Email Change (UE)
alipitch
·قبل 4 سنوات·discuss
What would the CWEs be for the five classes of attacks?

- Classic-Federated Merge (CFM)

- Unexpired Session (US)

- Trojan Identifier (TID)

- Unexpired Email Change (UE)

- Non-verifying IdP (NV)
alipitch
·قبل 4 سنوات·discuss
When using the shale gem, how would you avoid the mass assignment problem? Is there a configuration, or a way of using the shale gem to avoid it?

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes <https://cwe.mitre.org/data/definitions/915.html> (Ruby on Rails Mass assignment bug)
alipitch
·قبل 4 سنوات·discuss
Also to understand the problem correctly, what is the class of weakness of the two CVEs (CVE-2022-22965, CVE-2010-1622)?

The following look like good candidates.

- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes <https://cwe.mitre.org/data/definitions/915.html> (Ruby on Rails Mass assignment bug)

- CWE-502: Deserialization of Untrusted Data <https://cwe.mitre.org/data/definitions/502.html>

- CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') <https://cwe.mitre.org/data/definitions/470.html>

I think the one assigned (CWE-20:) is not a good approach to dealing with the "class" of weaknesses.

- CWE-20: Improper Input Validation <https://cwe.mitre.org/data/definitions/20.html>

As long as you see this as a "CWE-20: Improper Input Validation" class problem, it seems like you try to fix this with a deny-list approach or a partial allow-list approach that needs additional fixing some time in the future.
alipitch
·قبل 4 سنوات·discuss
Are there any data binding libraries (deserialization, marshaling, pickling libraries) that do not have the class of weaknesses as the two CVEs (CVE-2022-22965, CVE-2010-1622)?

My understanding is as follows.

- Spring uses WebDataBinder [0]. -> CVEs: CVE-2022-22965 (Spring4Shell), CVE-2010-1622 -> CVE Fixes: First deny-list approach (2010), then partial allow-list approach (2022)

- Struts uses OGNL. -> CVEs: CVE-2017-5638 (Equifax breach), and others -> CVE Fixes: deny-list approach (-2017-)

If there are any for Java, can they be used with Spring Boot (Spring Framework)? Maybe there are some for in another programming language?

[0] https://docs.spring.io/spring-framework/docs/current/javadoc... > Special DataBinder for data binding from web request parameters to JavaBean objects.
alipitch
·قبل 4 سنوات·discuss
Are there any data binding libraries (deserialization, marshaling, pickling libraries) that do not have the class of weaknesses as the two CVEs (CVE-2022-22965, CVE-2010-1622)?

If there are any for Java, can they be used with Spring Boot (Spring Framework)? Maybe there are some for in another programming language?
alipitch
·قبل 4 سنوات·discuss
> Complexity : When interviewing candidates the most common answer to "any pitfalls to Spring?" is that it has a steep learning curve. Whether or not that's true is another discussion for another day,

This article was from 2014, and not about CVE-2022-22965 (Spring4Shell) nor CVE-2010-1622. However, the "Complexity" point makes me think about SerDes (Serializer/Deserializer) libraries.

Are there any data binding libraries (deserialization, marshaling, pickling libraries) that do not have the class of weaknesses as the two CVEs (CWEs)? If there are any for Java, can they be used with Spring Boot (Spring Framework)? Maybe there are some for in another programming language?
alipitch
·قبل 4 سنوات·discuss
Slightly off-topic digression:

Would WAS compilation help solve the ruby / rails timeout problem?

https://devcenter.heroku.com/articles/h12-request-timeout-in... > H12 - Request Timeout in Ruby (MRI) > Rack-timeout limitations > Due to the design of the Ruby programming language’s Thread#raise API, which timing out code depends on, there is a known bug with rack-timeout that can put your app into a bad state if rack-timeout fires too frequently.

(Other related URLs) https://github.com/ankane/the-ultimate-guide-to-ruby-timeout... https://headius.blogspot.com/2008/02/rubys-threadraise-threa... https://www.schneems.com/2017/02/21/the-oldest-bug-in-ruby-w...
alipitch
·قبل 4 سنوات·discuss
Slightly off-topic digression: This article discussed "enterprise" grade "silent data corruptions".

What are some recommendations for "personal data storage" grade "silent data corruptions"?

"personal data storage" for my case is < 1TB, text / binary files (jpg, mp4).

I am looking at a wikipedia list below, and then searching through hn comments.

<https://en.wikipedia.org/wiki/Comparison_of_file_systems#Blo...> column: Data checksum/ ECC

I found many comments on ZFS, and not so much comments on dm-integrity, BlueStore/Cephfs, and others. So I am thinking of looking into ZFS, but if there are any recommendations, I would like to seek advice.

I am experimenting with Git LFS, git-annex, I like the filesystem UI better, so I am looking for filesystem like solutions.