I often visit news sites such as Hacker News. Can I use this "multi-account container" addon + something to get an experience like "iPhone Screen Time" and track my viewing time on news sites?
Readit Newsalipitch commented on Multi-Account Containers support.mozilla.org/en-US... · Posted by u/throw0101c
alipitch commented on Decentralized Identifiers (DIDs) v1.0 Becomes a W3C Recommendation w3.org/2022/07/pressrelea... · Posted by u/Tomte
Which did method supports rotation?
did:key Not Supported
did:web ???
did:ion
https://www.w3.org/TR/2022/REC-did-core-20220719/#verificati...
9.7 Verification Method Rotation
Not all DID methods support verification method rotation.
The did:key Method v0.7
5.1 Key Rotation Not Supported
This section is non-normative.
???
* Proof-of-work methods (e.g. blockchains) are harmful for sustainability
(s12y).What are real world implementations of the Noise Protocol? https://github.com/noiseprotocol/noise_spec/blob/v34/noise.m...
Quick search shows WireGuard protocol, but I am not sure if how much of the WireGuard protocol is the same as the Noise Protocol.
https://www.wireguard.com/formal-verification/https://www.wireguard.com/papers/wireguard-formal-verificati...
The WireGuard protocol is extensively detailed in [2], which itself is based on the NoiseIK [3] handshake.I found a page by Duo Labs listing Noise in Production.
https://duo.com/labs/tech-notes/noise-protocol-framework-int...
Noise is used today in several high-profile projects:
WhatsApp uses the "Noise Pipes" construction from the specification to perform encryption of client-server communications
WireGuard, a modern VPN, uses the Noise IK pattern to establish encrypted channels between clients
Slack's Nebula project, an overlay networking tool, uses Noise
The Lightning Network uses Noise
I2P uses NoiseRight, I get that, but you could have done the two config things I just mentioned with OpenSSL.
I get why you didn't use OpenSSL. The normal thing for someone like you to do in 2022 would be to use Noise.
What are real world implementations of the Noise Protocol? https://github.com/noiseprotocol/noise_spec/blob/v34/noise.m...
Quick search shows WireGuard protocol, but I am not sure if how much of the WireGuard protocol is the same as the Noise Protocol.
https://www.wireguard.com/formal-verification/https://www.wireguard.com/papers/wireguard-formal-verificati...
The WireGuard protocol is extensively detailed in [2], which itself is based on the NoiseIK [3] handshake.alipitch commented on How to Share a Secret [pdf] (1979) web.mit.edu/6.857/OldStuf... · Posted by u/teleforce
Hashicorp Vault by default makes use of this mechanism to ensure certain actions (most notably starting Vault and unlocking the secret store for use) require multiple users to approve it.
Thanks. Going through the docs now.
https://www.vaultproject.io/docs/concepts/seal#shamir-seals
Shamir seals
The default Vault config uses a Shamir seal. Instead of distributing the unseal key as a single key to an operator, Vault uses an algorithm known as Shamir's Secret Sharing to split the key into shards.Good guide to shell in general.
Google shell style guide [0] was also a good read. I thought that the "When to use Shell" section is a section that is good for any kind of guide, not just for bash / shell.
Also, maybe not so much a pitfall / bug, but something I had to deal with recently was that bash does not handle the EINTR when calling write() in the printf and echo builtins [1][2][3], etc.
[0] https://google.github.io/styleguide/shellguide.html#s1.2-whe...
If you are writing a script that is more than 100 lines long, or that uses non-straightforward control flow logic, you should rewrite it in a more structured language now. Bear in mind that scripts grow. Rewrite your script early to avoid a more time-consuming rewrite at a later date.
handle the EINTR when calling write() in the printf and echo builtins.
Q: what's up with this '/bin/echo' ?
A: bash's builtin 'echo' command does not check calls to write() against
errors. If you use it in the cgroup file system, you won't be
able to tell whether a command succeeded or failed.
write() not retried after EINTR in printf and echoalipitch commented on The Documentation Triangle, or, why code isn't self documenting sourceless.org/posts/the-... · Posted by u/Brajeshwar
The same excellent documentation framework is also available on this company-independent website: diataxis.fr
Thanks! Also checked the github site. https://github.com/evildmp/diataxis-documentation-framework
For all five classes of attacks, the paper states that the root cause & mitigation is "Strict Identifier Verification".
6.2 Root Cause & Mitigation
6.2.1 Strict Identifier Verification
The root cause of all of the attacks identified in the preceding sections is failure to verify ownership of the claimed identifier."Strict Identifier Verification" look kind of like CWE-304.
CWE-304: Missing Critical Step in Authentication <https://cwe.mitre.org/data/definitions/304.html>
Looking at the CWE-304 wording, this does not look like the right CWE, but OWASP ASVP 2.2.2 points to this CWE.
OWASP ASVP 2.2.2 <https://github.com/OWASP/ASVS/blob/v4.0.3_release/4.0/en/0x1...>
2.2.2
Verify that the use of weak authenticators (such as SMS and email) is limited to secondary verification and transaction approval and not as a replacement for more secure authentication methods. Verify that stronger methods are offered before weak methods, users are aware of the risks, or that proper measures are in place to limit the risks of account compromise.
CWE-304What would the CWEs be for the five classes of attacks?
- Classic-Federated Merge (CFM)
- Unexpired Session (US)
- Trojan Identifier (TID)
- Unexpired Email Change (UE)
- Non-verifying IdP (NV)
For all five classes of attacks, the paper states that the root cause & mitigation is "Strict Identifier Verification".
6.2 Root Cause & Mitigation
6.2.1 Strict Identifier Verification
The root cause of all of the attacks identified in the preceding sections is failure to verify ownership of the claimed identifier.