1. 6

    Good on you! The more people stand up for what is just, the better the world gets for everyone.

    1. 4

      I disagree that you should only shut down the server if you’re not very technical. At the moment you learn of a breach, you have no idea what back doors the intruder has installed in your system, or your network as a whole. If you want to mitigate the intrusion, you should shut the system down until you can examine it in an environment where you’re certain it will no longer be accessible to the intruder.

      What about shutting off the server’s network access? That may not be sufficient. What if the intruder has installed a daemon that switches it back on? How about shutting down the switch port the server is connected to? What if the intruder has access to your switch and can turn that port back on?

      1. 0

        Times. Dates. Floats. Non-English text. Currencies.

        Only one of these things is actually a data type. Proof this course really is needed?

        1. 4

          What definition are you using for “data type”, because I count more than 1 with my intuitive (i.e., non-formal) definition?

          1. 4

            Time, dates, real numbers, text, and currency all fit the textbook definition of abstract data type quite nicely. I think it’s safe to assume the author intended “floats” and “non-English text” to refer to the representation of these things in computer systems which, while not strictly a study of abstract data types, seems to be a reasonable fit with the intention of such a course.

          1. 3

            Why would you store an admin flag, or any other sensitive information, in a cookie? Keep the session details on a server and reference them via a session id that’s stored in the cookie. An attacker would now need to guess an existing, unexpired admin session id (impossible if correctly implemented) to break in. No need to encrypt the cookie because it doesn’t contain anything that’s easily manipulated.

            Note: An attacker could also steal a session cookie from an admin, but you’ve got bigger problems if this is possible. Also note there are ways to harden against this.

            1. 4

              It’s (vastly) simpler and equally secure to store MAC-signed data client-side, provided you use a strong key and don’t leak it.

              1. 2

                I have the same thoughts, but apparently every framework in existence does things differently. You must not be web scale.

                1. 2

                  I’ve never heard of a session id that wasn’t just a randomly generated key into a cache. I’m now appropriately appalled. Yikes…

                  1. 1

                    Umm, Django uses random session IDs which refer to a server-side store (unless you configure cookie-based sessions, so don’t). Node.js ‘express-session’ ditto.

                    Client-side sessions used to be a performance thing back when looking up a session was a database operation on the backend and you were running a farm of stateless application layer servers with no shared cache and your load balancer didn’t support sticky sessions and the whole page reloaded every time someone clicked a button. But these days … um, I don’t see the point either.
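The two designs argued over in this subthread (a random session id pointing at a server-side store, versus MAC-signed data kept client-side) side by side, as an added Python example that is not code from any commenter, from Django or from express-session. The cookie payload format `user=alice;admin=0`, the in-memory store and the demo key are all constructed for illustration; a real deployment would load the key from configuration and persist sessions in a shared cache.

```python
import hashlib
import hmac
import secrets
import time


# --- Design 1: server-side session store, the cookie carries only a random id ---
class SessionStore:
    """Sessions live on the server; the client only ever sees an unguessable id."""

    def __init__(self, ttl_seconds=3600):
        self._sessions = {}          # constructed stand-in for a shared cache
        self.ttl = ttl_seconds

    def create(self, data, now=None):
        now = time.time() if now is None else now
        # 32 random bytes (256 bits): guessing a live id is not a practical attack
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (data, now + self.ttl)
        return sid

    def lookup(self, sid, now=None):
        """Return the session data, or None if the id is unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        data, expires_at = entry
        if now >= expires_at:
            del self._sessions[sid]  # expired ids must not keep working
            return None
        return data


# --- Design 2: data stored client-side, protected by an HMAC ---
def sign_cookie(payload: str, key: bytes) -> str:
    """Append an HMAC-SHA256 tag; the payload stays readable, only unforgeable."""
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(cookie: str, key: bytes):
    """Return the payload if the tag matches under `key`, otherwise None."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so the tag cannot be guessed byte by byte
    if not hmac.compare_digest(expected, tag):
        return None
    return payload


def cookie_claims(cookie: str, key: bytes):
    """Parse `k=v;k=v` claims, but only after the MAC has been verified."""
    payload = verify_cookie(cookie, key)
    if payload is None:
        return None
    return dict(item.split("=", 1) for item in payload.split(";") if item)


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed per-run demo key
    store = SessionStore(ttl_seconds=60)
    sid = store.create({"user": "alice", "admin": True})
    print("server-side lookup:", store.lookup(sid))
    print("guessed id:", store.lookup("not-a-real-id"))

    cookie = sign_cookie("user=alice;admin=0", key)
    print("valid cookie claims:", cookie_claims(cookie, key))
    forged = cookie.replace("admin=0", "admin=1")   # flip the flag, keep the tag
    print("tampered cookie claims:", cookie_claims(forged, key))
```

Two points the code makes that the comments only gesture at: the MAC design is only as strong as the secrecy of `key`, and it does not hide the payload (a user can read their own `admin=0`), so anything confidential still belongs server-side; and in both designs expiry has to be enforced explicitly, either by the store or by a timestamp inside the signed payload.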