No, that's the entire point of my question. In Typescript (and Kotlin, as others have noted), the type system knows within the scope of that if statement that obj is a string, so it lets you call string-specific methods on obj withOUT introducing the new variable s.
if (typeof obj === 'string') {
// obj is a string
}
is really not anything meaningfully different than this
if (obj is string as obj) { // as in C#
// obj is a string (shadowing the outer scoped obj)
}
or this
if (obj instanceof String obj) {
// obj is a String here
}
you can imagine a pseudo TypeScript language like this
if (typeof obj === 'string' as obj) {
// obj is a string
}
Actual TypeScript merely allows you to elide the "as obj" and all it needs to trigger this is the "typeof obj === <string literal>" inside of an if expression. This can be done by a simple syntactic replacement, it doesn't require control flow analysis to get this specific feature.
But yes, if you have a more general computed expression, that would apply, but that was not the case you were stating.
Ie the variable isn't the issue (redefining in this case seems like a distinction without a difference)... However this does work in TS, which is a demonstration of CFA:
const isStr = typeof obj === "string";
if (isStr) {
// obj is str
}
For what it's worth I think CFA is useful in TypeScript based on it at its core being a structural typed bandaid over JS, but I think these specific CFA type narrowing features are redundant in stronger typed languages.
match thing {
case a: String =>
// use a as string
case a @ MyCaseClass(b: String, c, d) =>
// use a as the instance of MyCaseClass or use b as a string
}
There's a wide variety of attack methods, however most usually fall into one 1 of 2 types:
1. Active interception. The IMSI catcher is actively transmitting data to the victim device and forcing it to connect, appearing to be a normal cell tower. These are the most common and can usually get a very accurate location. Because 4G and earlier don't require the tower to authenticate to the device, only the device to the tower, there really isn't any vulnerability required to do this. They use different tricks to entice the victim to connect or update its location ( e.g: falsely inflating it's signal strength, appearing to be the only tower in a location, increasing the frequency of location updates ) . Some of these techniques are mentioned in the "Warnings" section of another article describing our Radio Sentinel app: https://armadillophone.com/blog/radio-sentinel
2. Passive interception. The IMSI catcher doesn't transmit any data, or transmits very little data. It's able to gather data and location from the victim using unencrypted data sent over the control plane. These generally aren't able to extract as much data, or as accurately as active interception, but they're much harder to detect. Usually they aren't able to extract the device's IMSI for example. However, there was a recent paper describing a passive IMSI catcher that was both extremely hard to detect and great at tracking victims: https://www.usenix.org/system/files/sec22summer_kotuliak.pdf
If you'd like a more technical description about the techniques described I'd be happy to jump into that too.
Sort of nuts that it is solely reliant on Microsoft to approve this change. Calls the whole .NET Foundation into question, imo. What good is open source if the sole steward has interests that conflict with the overall well-being of everything under the NET umbrella.
In EP 47 of Darknet Diaries the author cites an interview in which they said to have an ethics board which makes such decisions based on a variety of factors. They might find a country having issues with corruption, but still would like to help them catch them so called terrorists.
Interestingly, Azure had this bug some years ago too leading to an outage. https://azure.microsoft.com/en-us/blog/summary-of-windows-az...