
The parser as described _only_ cares about identifiers; it has no concept of operator precedence, which is not required for its purpose.



This is a cool idea. Please don't take the below as gratuitous negativity, just a reminder that these are hard problems for which there are no general solutions.

The README says it was tested on ZFS, but I doubt its utility in real-world deployments. I don't know of anyone who has significant data in a ZFS pool that isn't one or more of: raidz, compressed, encrypted, or embedded_data.

raidz implies that logical blocks aren't allocated as single physical blocks, but instead striped across multiple drives. Finding the SBX magic isn't enough to get you the rest of the block, but the checksum might (but, given that it's CRC16, probably won't) let you try appending blocks from other disks to find the remainder of the block.

Transparent compression prevents you from identifying the magic header on each block, unless you decompress every disk sector that could have data (which is certainly feasible, but complicates recovery if you don't know which compression was in use, and zfs supports at least 3 kinds, and pools will generally have at least 1 in use whether compression is on or not).

Encryption (present in Oracle ZFS) means there's no plaintext data to recover.

embedded_data is a feature flag (and on by default in supporting versions of zfs) that packs blocks into block pointer structs when the amount of data is small. I can easily imagine the final block of an SBX, which may be mostly padding, getting compressed into one of those block pointers, which itself may be embedded in a larger structure which is part of an array that's compressed by default. That array is also probably long enough the compressed stream takes multiple blocks, and you may have lost some of the early ones, making the rest of it unrecoverable.


Here's the requisite cynical comment lamenting the death of "standards".

They could easily have implemented RFC 3091 [0], but instead they chose to create yet another proprietary API with vendor lock in, just as cloud service providers love to do.

[0]: https://tools.ietf.org/html/rfc3091

/s


The above-mentioned RFC specifies port number 314159, which is greater than the possible max of 65535. So once again unrealistic standards that do not work force people to invent something sane. /s


That is only a problem if you insist that Windows 3.1 is the best operating system in existence and if you are therefore unwilling to upgrade to Windows 95. The future is 32 bit, move on.


Regardless of the title editing discussion in the sibling comments, the title at the source was changed to "Omnibox hostname heuristics misunderstand internal redirects.", which accurately reflects the problem.


As an alternative, predating Portmap by around 700 RFCs: tcpmux[0]. Everything connects to port 1 and asks for services by name.

[0]: https://tools.ietf.org/html/rfc1078


I have an experimental protocol that uses tcpmux. Works very well for that purpose.

However, it sort of requires your service to be started by inetd. It doesn't work for services that want to manage their own listen queues.

It also complicates firewalls. It makes it much harder to have rules that vary per service.
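The tcpmux negotiation described in this thread, as an added example that is not the commenter's experimental protocol: the client sends a service name plus CRLF, the server answers a `+` or `-` line and, on `+`, hands the same connection to the named service (RFC 1078 shape). The `echo` service and the `demo` helper that runs both sides over a local socketpair are constructed for illustration; the firewall point from the comment is visible here, since every request arrives on the same port and the service is only known after the first application-layer line.

```python
"""Minimal TCPMUX-style negotiation over a local socketpair (added example)."""
import socket
import threading


def read_line(conn):
    """Read bytes up to and including CRLF; return the line without the CRLF."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = conn.recv(1)
        if not chunk:  # peer closed before finishing the line
            break
        buf += chunk
    return buf.rstrip(b"\r\n")


def echo_service(conn):
    """Constructed stand-in for a real service: echo one message back."""
    conn.sendall(conn.recv(1024))


# Service table keyed by lower-case name (names are matched case-insensitively).
SERVICES = {"echo": echo_service}


def serve_one(conn, services=SERVICES):
    """Server side: read the requested name, ack/nak it, hand off the connection.

    Returns the name of the service that was run, "help" for a listing, or None
    when the request was refused."""
    name = read_line(conn).decode("ascii", "replace").lower()
    if name == "help":
        # HELP: list available service names, one per line, then close.
        conn.sendall(b"".join(n.encode("ascii") + b"\r\n" for n in sorted(services)))
        conn.close()
        return "help"
    handler = services.get(name)
    if handler is None:
        conn.sendall(b"-unknown service\r\n")
        conn.close()
        return None
    conn.sendall(b"+\r\n")  # positive ack: the service protocol starts now
    handler(conn)
    conn.close()
    return name


def client_session(conn, name, payload=b""):
    """Client side: request a service by name; on '+', exchange one message."""
    conn.sendall(name.encode("ascii") + b"\r\n")
    reply = read_line(conn).decode("ascii", "replace")
    data = b""
    if reply.startswith("+"):
        conn.sendall(payload)
        data = conn.recv(1024)
    conn.close()
    return reply, data


def demo(name, payload=b""):
    """Run server and client over a socketpair; returns (reply line, service data)."""
    server_end, client_end = socket.socketpair()
    worker = threading.Thread(target=serve_one, args=(server_end,))
    worker.start()
    result = client_session(client_end, name, payload)
    worker.join()
    return result


if __name__ == "__main__":
    print(demo("echo", b"hello"))   # ('+', b'hello')
    print(demo("nosuch"))           # ('-unknown service', b'')
    print(demo("HELP"))             # ('echo', b'')  first line of the listing
```

The `echo` branch deliberately sends a non-empty payload: with an empty one both sides would block in `recv`, which is the kind of hand-off detail an inetd-managed service gets for free and a self-managed listener has to handle itself.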


OpenJDK was created by Sun.


Are you aware of Spring[0]? It's another open source RTS that's effectively data file compatible with TA.

[0]: https://springrts.com/


The client connects to the backend with a binary protocol that, among other things, gives it a token which it hands off to a web API that returns a valid cookie for the Steam store. They inject that cookie into the integrated browser instance.

That's the tech they already have on hand.


The rationale was that if password hashes got compromised, the attacker would only have until the next forced rotation to crack the passwords and take over accounts.

edit: or, in particularly terrible systems, if plaintext passwords were leaked.

Of course, that's only useful if it doesn't affect any other password security concerns, and it turns out that users who are forced to change their passwords frequently pick worse passwords, which is a bigger problem than the scenario this was supposed to protect against.


> it turns out that users who are forced to change their passwords frequently pick worse passwords

I can vouch for this. My rotating password at work is _______1, followed by _______2, then _______3, and so on. If a year-old hash gets cracked, it won’t take a rocket scientist to know that the password right now is _______4.


Everyone I know does some variation of this. I'm currently enumerating gen 1 pokemon.


So one day you'll have "Mew" as a password?


No silly, "MewMewMew" when it's too short.


"M3wM3wM3w*" to satisfy special character requirements


Get a password manager already, and let it just generate random passwords for you. Typing in passwords is so lame. :) If you are on macOS I highly recommend https://github.com/ravenac95/sudolikeaboss (and by extension 1Password).


I use a password manager. The password in question is one I type all the time, in dozens of different contexts, on a computer I don’t own and can’t modify :(.


I can't log into work computers using my password manager.


This would be fantastic if work allowed me to install one. Sadly, some of us work in locked down environments so resort to such silliness to get through the work day.


I'm sorry, that sucks. That's just stupid. I could see employers requiring you to use their password manager, but ugh, not allowing use of one is just gross.

That said, lastpass can work without any modifications to your local machine (i.e. it can work without any browser plugins even); though it's not very fabulously integrated, it does work... Assuming of course they don't block access to the lastpass website and JS.


Does it work to allow me to log in to my machine or to unlock it? (Serious question. If so, then I will happily use a 16 character blob of entropy)


How do I login to lastpass.com when I need my password to unlock my work computer to get to lastpass.com?


> The rationale was that if, password hashes got compromised, the attacker would only have until the next forced rotation to crack the passwords and take over accounts.

In all fairness, it's a fair assumption. There is an attack vector where one gets an old password from 8 years ago by whatever means... and it is still valid.

The execution was terrible though. People started forcing password change every month [which is overkill to stop an attack that has a multi year timespan] and it created a whole new set of disasters.


Or put them on a yellow sticky under their mouse pad.


A sticky note is very secure against remote attackers.


Which is good enough in most cases. If an attacker can walk in and physically tamper with your computer peripherals you generally have bigger problems.


As a very general rule, most attackers are insiders.


Insiders are easier to identify and deal with. Be it a rogue employee or a nasty sister.


There is no password policy that protects against rubber hose cryptanalysis.


Sure there is. I believe the classical approach is cyanide in a false tooth.


A less classical one is divulging a self destruct/lockout password.

Pity so few systems support this.


That's going to go badly for you the moment the attackers realise what you've done. Admittedly they'll no longer be able to compromise the account, but you better really care about that.


How about ... a duress code that diverts to a system that looks like the real one but actually contains disinformation (possibly including a misdirection that makes them think you were on their side all along, so that they let you go).


I'd say that in most cases, the safest approach to a duress code would simply be to give real access to the system, possibly with lower privileges if it can be done without too much suspicion, while also triggering an alarm.

The cost of maintaining a sufficiently real-looking system is likely to be very high, with the very real risk that it won't fool an attacker.
