HackerLangs
TopNewTrendsCommentsPastAskShowJobs

vvanpo

159 karmajoined 8 anni fa

Submissions

Integrity of a Shared Filesystem

uncultu.red
1 points·by vvanpo·5 mesi fa·0 comments

comments

vvanpo
·3 ore fa·discuss
They don't stop you from seeing the stars, but I find them very distracting. Makes the experience of looking up at the stars on a quiet night less peaceful, I find.
vvanpo
·4 ore fa·discuss
How many applications actually do, though? At most places I've worked it's common to integrate a schema migration tool (flyway, liquibase) that requires DDL, and I've never seen anyone go to the effort of splitting out an ephemeral instance to run the migration with a separate database connection configuration.
vvanpo
·4 ore fa·discuss
Building an application that is immune to attack defeats all possible attack scenarios, yes. But no application is perfect or immune to all possible attacks, the concept of defense-in-depth is an acknowledgement of this.
vvanpo
·4 ore fa·discuss
As explained in the article this wouldn't work, because changing your org means your stored hash is no longer valid (as the org is incorporated in the hmac), and you can't generated your own hashes because you're missing the pepper. So after changing your org all subsequent requests would fail.
vvanpo
·5 ore fa·discuss
A pepper is just a salt that is "secret", i.e. not stored next to the hashes being salted. It indeed provides the desired defense-in-depth, in that a breach of the database does not allow spoofing requests to the application; a successful attack would require both an exploit giving database access as well as an exploit exposing the secret pepper. But this is just a result of splitting state across multiple data stores---you could theoretically split data across n databases which would require an attacker to find n exploits. As such I don't fully agree with their conclusion that "database state alone should not be able to grant authentication": just because you store application-wide secrets elsewhere doesn't mean it's not part of the application state, and isn't stored in a database.

For most monolithic applications I think the whole issue is be a bit moot; if the rest of the application state is in the primary database, then an attacker with database access could presumably accomplish anything without the need to spoof another user at the authentication layer.

Lastly, this scheme doesn't provide any mechanism for rotating the pepper.
vvanpo
·4 mesi fa·discuss
It sounds like there is a story here, have you written about this somewhere?
vvanpo
·5 mesi fa·discuss
How does this compare to FOKS (https://foks.pub)? Do both projects accomplish similar goals?

Edit: I see that this is primarily intended for federated social networks, but should be reusable for other uses. However for other e2ee systems (e.g. messaging, filesystems) where hiding your social graph is important, wouldn't a key directory be able to infer (part of) your social graph by recording which lookups you make? What's the best way to mitigate that?