I often visit news sites such as Hacker News. Can I use this "multi-account container" addon + something to get an experience like "iPhone Screen Time" and track my viewing time on news sites?
Noise is used today in several high-profile projects:
WhatsApp uses the "Noise Pipes" construction from the specification to perform encryption of client-server communications
WireGuard, a modern VPN, uses the Noise IK pattern to establish encrypted channels between clients
Slack's Nebula project, an overlay networking tool, uses Noise
The Lightning Network uses Noise
I2P uses Noise
There's a bunch of them, but part of the point of Noise is to be extremely prescriptive in order to simplify implementation. WireGuard is based on Noise, but has a lot more than just Noise in it.
Shamir seals
The default Vault config uses a Shamir seal. Instead of distributing the unseal key as a single key to an operator, Vault uses an algorithm known as Shamir's Secret Sharing to split the key into shards.
Google shell style guide [0] was also a good read. I thought that the "When to use Shell" section is a section that is good for any kind of guide, not just for bash / shell.
Also, maybe not so much a pitfall / bug, but something I had to deal with recently was that bash does not handle the EINTR when calling write() in the printf and echo builtins [1][2][3], etc.
If you are writing a script that is more than 100 lines long, or that uses non-straightforward control flow logic, you should rewrite it in a more structured language now. Bear in mind that scripts grow. Rewrite your script early to avoid a more time-consuming rewrite at a later date.
Q: what's up with this '/bin/echo' ?
A: bash's builtin 'echo' command does not check calls to write() against
errors. If you use it in the cgroup file system, you won't be
able to tell whether a command succeeded or failed.
For all five classes of attacks, the paper states that the root cause & mitigation is "Strict Identifier Verification".
6.2 Root Cause & Mitigation
6.2.1 Strict Identifier Verification
The root cause of all of the attacks identified in the preceding sections is failure to verify ownership of the claimed identifier.
2.2.2
Verify that the use of weak authenticators (such as SMS and email) is limited to secondary verification and transaction approval and not as a replacement for more secure authentication methods. Verify that stronger methods are offered before weak methods, users are aware of the risks, or that proper measures are in place to limit the risks of account compromise.
CWE-304
3.7.1
Verify the application ensures a full, valid login session or requires re-authentication or secondary verification before allowing any sensitive transactions or account modifications.
CWE-306
This seems like programmer error. Don't put restricted fields into types you're deserializing off the wire. It's like accepting user input and directly inserting it into a database without any validation.
If you don't define attributes explicitly on the model, Shale will ignore them.
Regarding attributes that you defined but still don't want to be assigned, you should probably filter them before passing them to Shale, or alternatively filter them with Shale before passing them further down the stack (e.g to ActiveRecord)
Are there any data binding libraries (deserialization, marshaling, pickling libraries) that do not have the class of weaknesses as the two CVEs (CVE-2022-22965, CVE-2010-1622)?
My understanding is as follows.
- Spring uses WebDataBinder [0].
-> CVEs: CVE-2022-22965 (Spring4Shell), CVE-2010-1622
-> CVE Fixes: First deny-list approach (2010), then partial allow-list approach (2022)
As long as you see this as a "CWE-20: Improper Input Validation" class problem, it seems like you try to fix this with a deny-list approach or a partial allow-list approach that needs additional fixing some time in the future.
