HackerTrans
TopNewTrendsCommentsPastAskShowJobs

alipitch

no profile record

comments

alipitch
·3 năm trước·discuss
I often visit news sites such as Hacker News. Can I use this "multi-account container" addon + something to get an experience like "iPhone Screen Time" and track my viewing time on news sites?
alipitch
·4 năm trước·discuss
Which did method supports rotation?

  did:key Not Supported
  did:web ???
Do only Proof-of-work methods (e.g. blockchains) support rotation?

  did:ion
Are there no did method based on keybase like tech?

https://www.w3.org/TR/2022/REC-did-core-20220719/#verificati...

  9.7 Verification Method Rotation
  Not all DID methods support verification method rotation.
https://github.com/w3c-ccg/did-method-key/blob/f511ed730f7d2...

  The did:key Method v0.7
  5.1 Key Rotation Not Supported
  This section is non-normative.
https://github.com/w3c-ccg/did-method-web/blob/1b4225ffd9be0...

  ???
https://lists.w3.org/Archives/Public/public-new-work/2021Sep...

   * Proof-of-work methods (e.g. blockchains) are harmful for sustainability
  (s12y).
alipitch
·4 năm trước·discuss
I found a page by Duo Labs listing Noise in Production.

https://duo.com/labs/tech-notes/noise-protocol-framework-int...

  Noise is used today in several high-profile projects:
    WhatsApp uses the "Noise Pipes" construction from the specification to perform encryption of client-server communications
    WireGuard, a modern VPN, uses the Noise IK pattern to establish encrypted channels between clients
    Slack's Nebula project, an overlay networking tool, uses Noise
    The Lightning Network uses Noise
    I2P uses Noise
alipitch
·4 năm trước·discuss
What are real world implementations of the Noise Protocol? https://github.com/noiseprotocol/noise_spec/blob/v34/noise.m...

Quick search shows WireGuard protocol, but I am not sure if how much of the WireGuard protocol is the same as the Noise Protocol.

https://www.wireguard.com/formal-verification/ https://www.wireguard.com/papers/wireguard-formal-verificati...

  The WireGuard protocol is extensively detailed in [2], which itself is based on the NoiseIK [3] handshake.
alipitch
·4 năm trước·discuss
For those who are not familiar with the term DRL in "SOC2 DRL line item", it is document request list (DRL).
alipitch
·4 năm trước·discuss
Thanks. Going through the docs now.

https://www.vaultproject.io/docs/concepts/seal#shamir-seals

  Shamir seals
  The default Vault config uses a Shamir seal. Instead of distributing the unseal key as a single key to an operator, Vault uses an algorithm known as Shamir's Secret Sharing to split the key into shards.
alipitch
·4 năm trước·discuss
Good guide to shell in general.

Google shell style guide [0] was also a good read. I thought that the "When to use Shell" section is a section that is good for any kind of guide, not just for bash / shell.

Also, maybe not so much a pitfall / bug, but something I had to deal with recently was that bash does not handle the EINTR when calling write() in the printf and echo builtins [1][2][3], etc.

[0] https://google.github.io/styleguide/shellguide.html#s1.2-whe...

  If you are writing a script that is more than 100 lines long, or that uses non-straightforward control flow logic, you should rewrite it in a more structured language now. Bear in mind that scripts grow. Rewrite your script early to avoid a more time-consuming rewrite at a later date.
[1] https://unix.stackexchange.com/a/487260

  handle the EINTR when calling write() in the printf and echo builtins. 
[2] https://github.com/torvalds/linux/blob/ca1fdab7fd27eb069df13...

  Q: what's up with this '/bin/echo' ?

  A: bash's builtin 'echo' command does not check calls to write() against
   errors. If you use it in the cgroup file system, you won't be
   able to tell whether a command succeeded or failed.
[3] https://lists.gnu.org/archive/html/bug-bash/2018-01/msg00031...

  write() not retried after EINTR in printf and echo
alipitch
·4 năm trước·discuss
Thanks! Also checked the github site. https://github.com/evildmp/diataxis-documentation-framework
alipitch
·4 năm trước·discuss
"Strict Identifier Verification" look kind of like CWE-304.

CWE-304: Missing Critical Step in Authentication <https://cwe.mitre.org/data/definitions/304.html>

Looking at the CWE-304 wording, this does not look like the right CWE, but OWASP ASVP 2.2.2 points to this CWE.

OWASP ASVP 2.2.2 <https://github.com/OWASP/ASVS/blob/v4.0.3_release/4.0/en/0x1...>

  2.2.2
  Verify that the use of weak authenticators (such as SMS and email) is limited to secondary verification and transaction approval and not as a replacement for more secure authentication methods. Verify that stronger methods are offered before weak methods, users are aware of the risks, or that proper measures are in place to limit the risks of account compromise.
  CWE-304
alipitch
·4 năm trước·discuss
For all five classes of attacks, the paper states that the root cause & mitigation is "Strict Identifier Verification".

  6.2 Root Cause & Mitigation
  6.2.1 Strict Identifier Verification
  The root cause of all of the attacks identified in the preceding sections is failure to verify ownership of the claimed identifier.
alipitch
·4 năm trước·discuss
possibly CWE-306?

CWE-306: Missing Authentication for Critical Function <https://cwe.mitre.org/data/definitions/306.html>

Looking at the CWE-306 wording, this does not look like the right CWE, but OWASP ASVP 3.7.1 points to this CWE.

OWASP ASVP 3.7.1 <https://github.com/OWASP/ASVS/blob/v4.0.3_release/4.0/en/0x1...>

  3.7.1
  Verify the application ensures a full, valid login session or requires re-authentication or secondary verification before allowing any sensitive transactions or account modifications.
  CWE-306
alipitch
·4 năm trước·discuss
- Unexpired Email Change (UE)
alipitch
·4 năm trước·discuss
What would the CWEs be for the five classes of attacks?

- Classic-Federated Merge (CFM)

- Unexpired Session (US)

- Trojan Identifier (TID)

- Unexpired Email Change (UE)

- Non-verifying IdP (NV)
alipitch
·4 năm trước·discuss
When using the shale gem, how would you avoid the mass assignment problem? Is there a configuration, or a way of using the shale gem to avoid it?

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes <https://cwe.mitre.org/data/definitions/915.html> (Ruby on Rails Mass assignment bug)
alipitch
·4 năm trước·discuss
Also to understand the problem correctly, what is the class of weakness of the two CVEs (CVE-2022-22965, CVE-2010-1622)?

The following look like good candidates.

- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes <https://cwe.mitre.org/data/definitions/915.html> (Ruby on Rails Mass assignment bug)

- CWE-502: Deserialization of Untrusted Data <https://cwe.mitre.org/data/definitions/502.html>

- CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') <https://cwe.mitre.org/data/definitions/470.html>

I think the one assigned (CWE-20:) is not a good approach to dealing with the "class" of weaknesses.

- CWE-20: Improper Input Validation <https://cwe.mitre.org/data/definitions/20.html>

As long as you see this as a "CWE-20: Improper Input Validation" class problem, it seems like you try to fix this with a deny-list approach or a partial allow-list approach that needs additional fixing some time in the future.
alipitch
·4 năm trước·discuss
Are there any data binding libraries (deserialization, marshaling, pickling libraries) that do not have the class of weaknesses as the two CVEs (CVE-2022-22965, CVE-2010-1622)?

My understanding is as follows.

- Spring uses WebDataBinder [0]. -> CVEs: CVE-2022-22965 (Spring4Shell), CVE-2010-1622 -> CVE Fixes: First deny-list approach (2010), then partial allow-list approach (2022)

- Struts uses OGNL. -> CVEs: CVE-2017-5638 (Equifax breach), and others -> CVE Fixes: deny-list approach (-2017-)

If there are any for Java, can they be used with Spring Boot (Spring Framework)? Maybe there are some for in another programming language?

[0] https://docs.spring.io/spring-framework/docs/current/javadoc... > Special DataBinder for data binding from web request parameters to JavaBean objects.
alipitch
·4 năm trước·discuss
Are there any data binding libraries (deserialization, marshaling, pickling libraries) that do not have the class of weaknesses as the two CVEs (CVE-2022-22965, CVE-2010-1622)?

If there are any for Java, can they be used with Spring Boot (Spring Framework)? Maybe there are some for in another programming language?
alipitch
·4 năm trước·discuss
> Complexity : When interviewing candidates the most common answer to "any pitfalls to Spring?" is that it has a steep learning curve. Whether or not that's true is another discussion for another day,

This article was from 2014, and not about CVE-2022-22965 (Spring4Shell) nor CVE-2010-1622. However, the "Complexity" point makes me think about SerDes (Serializer/Deserializer) libraries.

Are there any data binding libraries (deserialization, marshaling, pickling libraries) that do not have the class of weaknesses as the two CVEs (CWEs)? If there are any for Java, can they be used with Spring Boot (Spring Framework)? Maybe there are some for in another programming language?