Recovering the Current Desktop Background Image File – Windows 7-10



Configuring IKEv2 on Debian

  • Install StrongSwan and its pki tool
    • apt-get install strongswan
    • apt-get install strongswan-pki
  • Start StrongSwan
  • Generate certificates
    • CA root certificate
    • Server certificate
    • Client certificate
    • Package the certificates
  • Install the certificates
  • Configure ipsec – ipsec.conf
  • Configure the authentication method – ipsec.secrets
  • Enable kernel forwarding – sysctl
  • Configure the firewall – iptables
  • Configure the client
    • Import the CA root certificate

Attack Prevention for JWT Authentication with Single-Page Application

Secure Cookies

Man-In-the-Middle (MITM)

  • Use HTTPS/TLS everywhere a cookie will be in transit
    • Set the Secure flag on cookies – the browser will then refuse to send them over a non-secure (plain HTTP) connection

Cross-Site Request Forgery (CSRF)

An attacker can create a page on some host containing JavaScript that invokes our token generation URL and obtains a JWT. If you happen to land on that page after you have logged in (which, with SSO, is more and more likely), that JavaScript can obtain a JWT and invoke REST services on your behalf.

Another scenario: an attacker creates a page with a malicious image, for example <img src="https://trustyapp.com/transferMoney?to=BadGuy&amount=10000">. The browser sends the cookies for trustyapp.com along with that request, and the server trusts the cookies and assumes this was an intended user action.

This works because HTML tags such as <img> do not follow the Same-Origin Policy when making GET requests: the policy restricts reading the response, not sending the request, and the browser attaches the cookies regardless of which page issued it.

  • Synchronizer Token – for form-based web apps
  • Double-Submit Cookie – for modern apps, like an SPA
    • Use two cookies
      • One authentication cookie, such as a Session ID or JWT
      • One strong random value, let's call it csrf-token
    • The client must read the csrf-token cookie and send it back in a custom HTTP header; a page on another origin cannot add that header, so the Same-Origin Policy now protects the request
    • The server must verify that the custom HTTP header carries the correct csrf-token value
    • The server must have a correct Cross-Origin Resource Sharing policy that only accepts requests from trusted origins, preferably only from the same host
      • This ensures that the forged page cannot send requests to the server

Cross-Site Scripting (XSS)

  • Escape content
    • Escape user input from forms so that users cannot inject HTML/JavaScript into the page
  • Handle customization with caution
  • Set the HttpOnly flag on authentication cookies
    • HttpOnly cookies are NOT accessible to JavaScript; they are only attached to the request headers automatically by the browser

Adopt JWT the Right Way

Use the claims body wisely

  • Include role information in the “scope” claim so that client-side UI authorization can be handled locally

Use OAuth2 + JWT

  • Access & Refresh Tokens
    • The access token expires before the refresh token
    • The access token is stateless, trusted by its signature, and used for client-server communication
    • The refresh token is stateful, can be revoked, and is used to obtain new access tokens
  • For example
    • Super-secure banking application (want to force user out often)
      • Access token TTL – 1 min
      • Refresh token TTL – 30 mins
    • Mobile/social app (user should always stay logged in)
      • Access token TTL – 1 hour
      • Refresh token TTL – 1 year

Storing & Transmitting JWTs – in the browser

  • Local storage is vulnerable to XSS
  • Cookies with the HttpOnly and Secure flags, plus the CSRF prevention above, are secure
    • However, this prevents us from injecting the token as an HTTP request header, because JavaScript cannot read an HttpOnly cookie
    • The token will need to be passed as part of the cookie instead
      • Existing frameworks might not support that (OWSM multi_token_rest_service_policy)
  • Avoid cross-domain requests where possible


JWT Authentication with AngularJS – https://www.youtube.com/watch?v=mecILj3p4VA


A personal reading of the 8/12 “DC District Court vacates the STEM extension” case



The story begins with a group of American technology workers who felt that foreigners were taking their jobs. An organization called the Washington Alliance of Technology Workers sued the Department of Homeland Security, claiming that the OPT STEM extension DHS issued in 2008 was unlawful and should be vacated.


DHS noted that the 2008 Rule was issued without notice and public comment “[t]o avoid a loss of skilled students through the next round of H-1B filings in April 2008.”

It also states that after introducing the rule, DHS modified it several times without public notice and comment, and that changes to the STEM list were simply made on its own website; see the original text:

Since promulgating this interim rule, DHS has on several occasions modified, without notice and comment, the list of disciplines that qualify for the STEM extension via updates to their website.


In Counts I-III, plaintiff alleges that the OPT program exceeds DHS’s statutory authority and conflicts with other statutory requirements, including the labor certifications related to H-1B visas.
These counts were dismissed by the court, so I will not go into them in detail. Roughly, they argue that DHS had no authority to create an OPT program at all and that opening OPT violated numerous laws, but the court did not accept this. The opinion contains a long analysis of it.

In Count IV, plaintiff argues that DHS acted arbitrarily and capriciously in promulgating the 2008 Rule.
This count says that when DHS introduced the STEM extension in 2008 it acted arbitrarily and capriciously, i.e. without adequate consideration.

In Count V, plaintiff argues that DHS lacked good cause to waive the notice and comment requirement in promulgating the rule.

In Count VI, plaintiff contends that DHS’s reference to an external website to list the STEM courses of study violates the relevant rules on incorporation by reference.
This count takes issue with the STEM courses list, saying it violates yet another rule; I did not look at it in detail.

In Counts VII-VIII, plaintiff claims that DHS improperly failed to allow for notice and comment before issuing the 2011 and 2012 modifications of the list of STEM disciplines.

And in Count IX, plaintiff argues that the 2008 Rule and the subsequent 2011 and 2012 modifications exceeded DHS’s statutory authority.
This last count says that the OPT extension and the subsequent 2011 and 2012 modifications exceeded DHS's statutory authority. It differs from the first count: the first says the OPT program itself is invalid and was rejected by the court, whereas this one is about the extension.



Roughly, the court held that the reason DHS gave in 2008 for issuing the rule without notice and comment did not amount to sufficiently persuasive “good cause”, so the rule cannot stand as is: DHS must go through notice and comment again, and only after that can the rule continue to be enforced.

However, at the end of the opinion the court notes the following passage, to the effect that too many people are currently using the STEM extension; if the rule were vacated outright, tens of thousands would immediately lose their work authorization/status and have to leave the country, which would hit U.S. technology companies too hard. So the court ordered the STEM extension vacated, but the vacatur was stayed until February 12, 2016. Until then DHS has half a year to conduct notice and comment or take other remedial action.

While DHS has not disclosed the number of aliens currently taking advantage of the OPT STEM extension, the Court has no doubt that vacating the 2008 Rule would force “thousands of foreign students with work authorizations . . . to scramble to depart the United States. Vacating the 2008 Rule could also impose a costly burden on the U.S. tech sector if thousands of young workers had to leave their jobs in short order. The Court sees no way of immediately restoring the pre-2008 status quo without causing substantial hardship for foreign students and a major labor disruption for the technology sector. As such, the Court will order that the 2008 Rule – and its subsequent amendments – be vacated, but it will order that the vacatur be stayed.

The stay will last until February 12, 2016, during which time DHS can submit the 2008 Rule for proper notice and comment.


As the opinion implies, everyone currently using the 17-month extension, as well as those about to apply for it, may be affected: if the rule is vacated, then even for those who already hold a work permit (EAD), the “Terms and Conditions” item on the EAD would have no legal effect. But this will not happen before February 12, 2016. People currently on the 12-month OPT will also not be affected before their OPT expires.

Also, the ruling was made by the DC District Court, and DHS still has the opportunity to appeal. DHS also has the opportunity to redo notice and comment and correct the non-compliant parts identified in the case, so the 2008 Rule (the STEM extension) may well continue in force.





The relevant settings can be changed under Project > Properties > Deployment, where there is an item called “Additional Manifest Files to Merge into MANIFEST.MF”, which is the field for adding custom content. However, I tried for a whole afternoon without any luck, until I found a blog post online that saved me.

