HackerTrans
TopNewTrendsCommentsPastAskShowJobs

alipitch

no profile record

comments

alipitch
·3 years ago·discuss
I often visit news sites such as Hacker News. Can I use this "multi-account container" addon + something to get an experience like "iPhone Screen Time" and track my viewing time on news sites?
alipitch
·4 years ago·discuss
Which did method supports rotation?

  did:key Not Supported
  did:web ???
Do only Proof-of-work methods (e.g. blockchains) support rotation?

  did:ion
Are there no did method based on keybase like tech?

https://www.w3.org/TR/2022/REC-did-core-20220719/#verificati...

  9.7 Verification Method Rotation
  Not all DID methods support verification method rotation.
https://github.com/w3c-ccg/did-method-key/blob/f511ed730f7d2...

  The did:key Method v0.7
  5.1 Key Rotation Not Supported
  This section is non-normative.
https://github.com/w3c-ccg/did-method-web/blob/1b4225ffd9be0...

  ???
https://lists.w3.org/Archives/Public/public-new-work/2021Sep...

   * Proof-of-work methods (e.g. blockchains) are harmful for sustainability
  (s12y).
alipitch
·4 years ago·discuss
I found a page by Duo Labs listing Noise in Production.

https://duo.com/labs/tech-notes/noise-protocol-framework-int...

  Noise is used today in several high-profile projects:
    WhatsApp uses the "Noise Pipes" construction from the specification to perform encryption of client-server communications
    WireGuard, a modern VPN, uses the Noise IK pattern to establish encrypted channels between clients
    Slack's Nebula project, an overlay networking tool, uses Noise
    The Lightning Network uses Noise
    I2P uses Noise
alipitch
·4 years ago·discuss
What are real world implementations of the Noise Protocol? https://github.com/noiseprotocol/noise_spec/blob/v34/noise.m...

Quick search shows WireGuard protocol, but I am not sure if how much of the WireGuard protocol is the same as the Noise Protocol.

https://www.wireguard.com/formal-verification/ https://www.wireguard.com/papers/wireguard-formal-verificati...

  The WireGuard protocol is extensively detailed in [2], which itself is based on the NoiseIK [3] handshake.
alipitch
·4 years ago·discuss
For those who are not familiar with the term DRL in "SOC2 DRL line item", it is document request list (DRL).
alipitch
·4 years ago·discuss
Thanks. Going through the docs now.

https://www.vaultproject.io/docs/concepts/seal#shamir-seals

  Shamir seals
  The default Vault config uses a Shamir seal. Instead of distributing the unseal key as a single key to an operator, Vault uses an algorithm known as Shamir's Secret Sharing to split the key into shards.
alipitch
·4 years ago·discuss
Good guide to shell in general.

Google shell style guide [0] was also a good read. I thought that the "When to use Shell" section is a section that is good for any kind of guide, not just for bash / shell.

Also, maybe not so much a pitfall / bug, but something I had to deal with recently was that bash does not handle the EINTR when calling write() in the printf and echo builtins [1][2][3], etc.

[0] https://google.github.io/styleguide/shellguide.html#s1.2-whe...

  If you are writing a script that is more than 100 lines long, or that uses non-straightforward control flow logic, you should rewrite it in a more structured language now. Bear in mind that scripts grow. Rewrite your script early to avoid a more time-consuming rewrite at a later date.
[1] https://unix.stackexchange.com/a/487260

  handle the EINTR when calling write() in the printf and echo builtins. 
[2] https://github.com/torvalds/linux/blob/ca1fdab7fd27eb069df13...

  Q: what's up with this '/bin/echo' ?

  A: bash's builtin 'echo' command does not check calls to write() against
   errors. If you use it in the cgroup file system, you won't be
   able to tell whether a command succeeded or failed.
[3] https://lists.gnu.org/archive/html/bug-bash/2018-01/msg00031...

  write() not retried after EINTR in printf and echo
alipitch
·4 years ago·discuss
Thanks! Also checked the github site. https://github.com/evildmp/diataxis-documentation-framework
alipitch
·4 years ago·discuss
"Strict Identifier Verification" look kind of like CWE-304.

CWE-304: Missing Critical Step in Authentication <https://cwe.mitre.org/data/definitions/304.html>

Looking at the CWE-304 wording, this does not look like the right CWE, but OWASP ASVP 2.2.2 points to this CWE.

OWASP ASVP 2.2.2 <https://github.com/OWASP/ASVS/blob/v4.0.3_release/4.0/en/0x1...>

  2.2.2
  Verify that the use of weak authenticators (such as SMS and email) is limited to secondary verification and transaction approval and not as a replacement for more secure authentication methods. Verify that stronger methods are offered before weak methods, users are aware of the risks, or that proper measures are in place to limit the risks of account compromise.
  CWE-304
alipitch
·4 years ago·discuss
For all five classes of attacks, the paper states that the root cause & mitigation is "Strict Identifier Verification".

  6.2 Root Cause & Mitigation
  6.2.1 Strict Identifier Verification
  The root cause of all of the attacks identified in the preceding sections is failure to verify ownership of the claimed identifier.
alipitch
·4 years ago·discuss
possibly CWE-306?

CWE-306: Missing Authentication for Critical Function <https://cwe.mitre.org/data/definitions/306.html>

Looking at the CWE-306 wording, this does not look like the right CWE, but OWASP ASVP 3.7.1 points to this CWE.

OWASP ASVP 3.7.1 <https://github.com/OWASP/ASVS/blob/v4.0.3_release/4.0/en/0x1...>

  3.7.1
  Verify the application ensures a full, valid login session or requires re-authentication or secondary verification before allowing any sensitive transactions or account modifications.
  CWE-306
alipitch
·4 years ago·discuss
- Unexpired Email Change (UE)
alipitch
·4 years ago·discuss
What would the CWEs be for the five classes of attacks?

- Classic-Federated Merge (CFM)

- Unexpired Session (US)

- Trojan Identifier (TID)

- Unexpired Email Change (UE)

- Non-verifying IdP (NV)
alipitch
·4 years ago·discuss
When using the shale gem, how would you avoid the mass assignment problem? Is there a configuration, or a way of using the shale gem to avoid it?

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes <https://cwe.mitre.org/data/definitions/915.html> (Ruby on Rails Mass assignment bug)