Single user mode loses connection

So just a quick background: we are trying to update the database design in a production environment, but we want to be sure that no users try to log in during that time. So we started looking into single user mode, but that gave us some trouble; sometimes we would lose the connection in the middle of the update. So we set up a test environment to replicate the behavior.

We are using Microsoft SQL Server 2017, with the AdventureWorks2017 database, to replicate the issue. On the database we have turned off Auto Close and Auto Update Statistics Asynchronously.

We then have two connections to the server, both using the master database, and tell one of them to run this script:

USE MASTER
SET DEADLOCK_PRIORITY HIGH
ALTER DATABASE [AdventureWorks2017] SET SINGLE_USER WITH ROLLBACK IMMEDIATE
GO

-- Kill every remaining user session that still sits in the database
DECLARE @kill varchar(max) = '';
SELECT @kill = @kill + 'KILL ' + CONVERT(varchar(10), spid) + '; '
FROM master..sysprocesses
WHERE spid > 50 AND dbid = DB_ID('AdventureWorks2017');
EXEC(@kill);

USE AdventureWorks2017
GO

-- Simulate a long-running update with repeated reads
DECLARE @cnt INT = 0;
WHILE @cnt < 10000
BEGIN
    SELECT TOP 1000 * FROM Person.Person;
    SET @cnt = @cnt + 1;
END;

And then on the other connection repeatedly run:

SELECT TOP 1000 * FROM AdventureWorks2017.Person.Person;
GO

At some point the first script stops working and fails with an error:

Database ‘AdventureWorks2017’ is already open and can only have one user at a time.

But to our understanding, this should not happen, because it still has the connection. Note that this doesn't happen all the time, but it's still fairly consistent.

Is there anything that we are missing, or can this be an issue with SQL Server?

Can a Solarian’s ability to enter a Stellar Mode take into consideration conditions affecting her?

I know there is GM discretion allowed as to the situations affecting a Solarian's ability to enter a Stellar Mode, but I would like other GMs' opinions on this situation.

RAW seems to generally require that the Solarian be "in combat" and facing a significant threat. In fact, the description specifically says that:

you must be facing a significant enemy (see page 242).

Description of Significant Enemy:

...a creature with a CR less than or equal to your character level - 4 is not a significant enemy

So nowhere does it give consideration to the Solarian's personal situation.

In a hypothetical situation, even a lowly CR 1 creature would present a dire threat to a paralyzed 6th-level Solarian, but she would not be permitted to enter Stellar Mode and become attuned in order to use her Corona Revelation as a defense, because of the low CR rating of the enemy.

In our example situation, the party encountered a group of Ghoul Soldiers who managed to paralyze the Solarian via bite. Combat moved into the next room, leaving the Solarian alone and still paralyzed (for 2 more rounds). I presumed the Solarian's Stellar Mode ended because there was no current threat to her, and stated as much. She argued that the state of paralysis itself constituted a threat, and/or that the fact that I still had her in "melee round" mode meant she was still "in combat" (she wanted to become fully attuned so she could jump back into the fight if/when released from paralysis). I ruled that it must be a threat from an enemy and that her Stellar Mode ended, but that she was still in "melee mode" so I could track the rounds of her paralysis; she was unhappy with this decision.

Anomaly Score Mode and blocking

I am trying the latest ruleset with ModSecurity and use crs-setup.conf.example (https://github.com/coreruleset/coreruleset/blob/v3.3/dev/crs-setup.conf.example) as an example, but it seems that blocking never triggers.

As described in the documentation (https://www.modsecurity.org/CRS/Documentation/anomaly.html), the section:

SecAction \
  "id:'900004',\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.anomaly_score_blocking=on"

needs to be enabled, but that does not seem to be the case, as in CRS 3.2 this section does not exist.

Is there something else that needs to be changed to enable blocking? Is it enabled by default?

Thanks in advance.
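Added example, not part of the original question and not CRS or ModSecurity code: a small Python parser that reads ModSecurity 2.x error-log lines, sums each request's inbound anomaly score with the CRS 3.x default severity weights (critical 5, error 4, warning 3, notice 2; inbound threshold 5) and tells apart three outcomes: the blocking-evaluation rule 949110 denied the request, the score reached the threshold but only a warning was logged (the engine is not enforcing, which is what SecRuleEngine DetectionOnly produces), or the score stayed below the threshold. The log lines, file paths and unique ids are constructed placeholders that follow the ModSecurity 2 log layout.

```python
import re
from collections import defaultdict

# CRS 3.x defaults (tx.critical_anomaly_score etc. and tx.inbound_anomaly_score_threshold)
SEVERITY_SCORES = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5
# Rules that evaluate the score instead of contributing to it
EVALUATION_RULES = {"949110", "980130"}

# Matches the bracketed [key "value"] fields of a ModSecurity 2 error-log line
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

# Constructed sample log; paths and ids are placeholders
SAMPLE_LOG = [
    # req-A: one CRITICAL hit reaches the threshold and the engine denies the request
    '[Tue Mar 03 10:15:01.000001 2020] [:error] [pid 100] [client 192.0.2.10] ModSecurity: Warning. '
    'detected SQLi using libinjection. [file "/path/to/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
    '[line "46"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] '
    '[ver "OWASP_CRS/3.3.0"] [hostname "www.example.test"] [uri "/index.php"] [unique_id "req-A"]',
    '[Tue Mar 03 10:15:01.000002 2020] [:error] [pid 100] [client 192.0.2.10] ModSecurity: Access denied '
    'with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. '
    '[file "/path/to/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [unique_id "req-A"]',
    # req-B: a single WARNING hit stays below the threshold, nothing is blocked
    '[Tue Mar 03 10:15:02.000001 2020] [:error] [pid 100] [client 192.0.2.11] ModSecurity: Warning. '
    'Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/path/to/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] '
    '[line "700"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [unique_id "req-B"]',
    # req-C: score reached, but rule 949110 only logs a warning: the engine is not enforcing
    '[Tue Mar 03 10:15:03.000001 2020] [:error] [pid 100] [client 192.0.2.12] ModSecurity: Warning. '
    'detected SQLi using libinjection. [file "/path/to/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] '
    '[line "46"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [unique_id "req-C"]',
    '[Tue Mar 03 10:15:03.000002 2020] [:error] [pid 100] [client 192.0.2.12] ModSecurity: Warning. '
    'Operator GE matched 5 at TX:anomaly_score. [file "/path/to/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] '
    '[line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [unique_id "req-C"]',
    # an ordinary httpd line that the parser must ignore
    '[Tue Mar 03 10:15:04.000001 2020] [mpm_event:notice] [pid 100] AH00489: Apache/2.4 configured',
]


def parse_line(line):
    """Extract the [key "value"] fields of one ModSecurity error-log line and flag
    whether the line records a denial. Returns None for unrelated lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    fields["denied"] = "ModSecurity: Access denied" in line
    return fields


def score_requests(lines):
    """Group rule hits by unique_id and compute each request's inbound anomaly score."""
    requests = defaultdict(lambda: {"score": 0, "rules": [], "denied": False})
    for line in lines:
        fields = parse_line(line)
        if not fields or "unique_id" not in fields:
            continue
        req = requests[fields["unique_id"]]
        rule_id = fields.get("id", "")
        if rule_id in EVALUATION_RULES:
            # the evaluation rule reports the verdict; it adds nothing to the score
            req["denied"] = req["denied"] or fields["denied"]
            continue
        req["score"] += SEVERITY_SCORES.get(fields.get("severity", ""), 0)
        req["rules"].append(rule_id)
    return dict(requests)


def verdict(req, threshold=INBOUND_THRESHOLD):
    """'blocked': the engine denied it; 'not enforced': the score reached the threshold
    but no denial was logged; 'below threshold': nothing to block."""
    if req["denied"]:
        return "blocked"
    if req["score"] >= threshold:
        return "not enforced"
    return "below threshold"


if __name__ == "__main__":
    for uid, req in score_requests(SAMPLE_LOG).items():
        print(f"{uid}: score={req['score']} rules={req['rules']} -> {verdict(req)}")
```

Running it over a real error log is a quick way to see which of the three situations applies: a request scored at or above the threshold with no "Access denied" line points at the engine mode or the blocking rule's actions rather than at the rule set.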

Is AES ECB mode safe for one block Encryption then MAC with same key?

I want to do something really basic, but I need to be sure that the process is safe:

Problem

Alice and Bob have to agree on a secret 6-digit PIN. They each have a pre-shared AES symmetric key k and an AES-128 block cipher. The PIN will then be used only once, secretly.

I want to take care of man-in-the-middle attacks.

Solution

  • Alice creates a 128-bit random number: Arand
  • She encrypts Arand with basic ECB(Arand, k) and gets Acipher
  • Again, she encrypts Acipher with ECB(Acipher, k), as a MAC, and gets Amac
  • Alice sends to Bob Acipher|Amac

Bob does the same and sends Bcipher|Bmac to Alice

  • The two of them verify the MAC by encrypting [A|B]cipher and comparing it to [A|B]mac.

  • If the MAC is OK, they decrypt [A|B]cipher and get the [A|B]rand of the other.

  • They compute the 6-digit PIN by taking 3 digits from Arand and 3 from Brand.

Question

Is it safe to use ECB mode in this particular case? Is it safe to use the same key for encryption and for the MAC in this case? Is there a much easier solution to only agree on 6 digits?

My answer is: as we use fixed-size, one-block-long messages, it's OK. Am I right?

I know we shouldn't imagine our own algorithms, but this one seems really trivial.

Thanks! Louis
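Added example, not from the original question: the same two-nonce agreement rewritten with standard-library HMAC-SHA256 instead of ECB. Two keys are derived from the pre-shared k (one for the tag, one for the PIN), each tag covers the sender's role together with the nonce so that a reflected or modified message is rejected, and the 6-digit PIN is derived from both nonces through the keyed HMAC. The nonces do not need to be encrypted here, because without k a man-in-the-middle who sees them still cannot compute the PIN. The function names, the role bytes A/B, the labels used for key derivation and the 16-byte demo key are assumptions made for this example.

```python
import hashlib
import hmac
import os

PIN_DIGITS = 6
NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def derive_subkeys(k: bytes):
    """Derive one key for the tag and one for the PIN from the pre-shared k
    (assumed to be 16 random bytes), so the two uses cannot interfere."""
    k_mac = hmac.new(k, b"pin-agreement/mac", hashlib.sha256).digest()
    k_pin = hmac.new(k, b"pin-agreement/pin", hashlib.sha256).digest()
    return k_mac, k_pin


def make_message(k: bytes, role: bytes, nonce: bytes) -> bytes:
    """role is b'A' (Alice) or b'B' (Bob). The tag covers role||nonce, so a
    message cannot be bounced back to its own sender as if it came from the peer."""
    k_mac, _ = derive_subkeys(k)
    tag = hmac.new(k_mac, role + nonce, hashlib.sha256).digest()
    return role + nonce + tag


def open_message(k: bytes, my_role: bytes, msg: bytes):
    """Return the peer's nonce, or None if the message is malformed, reflected or tampered."""
    if len(msg) != 1 + NONCE_LEN + TAG_LEN:
        return None
    role, nonce, tag = msg[:1], msg[1:1 + NONCE_LEN], msg[1 + NONCE_LEN:]
    if role == my_role:
        return None  # our own message reflected by a man-in-the-middle
    k_mac, _ = derive_subkeys(k)
    expected = hmac.new(k_mac, role + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return nonce


def derive_pin(k: bytes, nonce_a: bytes, nonce_b: bytes) -> str:
    """Both sides feed the nonces in a fixed order (Alice's first) so they agree.
    Reducing a 256-bit value modulo 10**6 introduces only negligible bias."""
    _, k_pin = derive_subkeys(k)
    digest = hmac.new(k_pin, nonce_a + nonce_b, hashlib.sha256).digest()
    return f"{int.from_bytes(digest, 'big') % 10 ** PIN_DIGITS:0{PIN_DIGITS}d}"


def run_exchange(k: bytes, tamper=None):
    """Run the exchange. tamper(msg_a, msg_b), if given, models a man-in-the-middle
    replacing what Alice receives. Returns (alice_pin, bob_pin) or None on rejection."""
    nonce_a, nonce_b = os.urandom(NONCE_LEN), os.urandom(NONCE_LEN)
    msg_a = make_message(k, b"A", nonce_a)
    msg_b = make_message(k, b"B", nonce_b)
    if tamper is not None:
        msg_b = tamper(msg_a, msg_b)
    nonce_b_at_alice = open_message(k, b"A", msg_b)
    nonce_a_at_bob = open_message(k, b"B", msg_a)
    if nonce_b_at_alice is None or nonce_a_at_bob is None:
        return None
    return (derive_pin(k, nonce_a, nonce_b_at_alice),
            derive_pin(k, nonce_a_at_bob, nonce_b))


if __name__ == "__main__":
    shared_key = bytes(range(16))  # constructed demo key, not a real secret
    print("agreed PINs:", run_exchange(shared_key))
    print("reflected message rejected:", run_exchange(shared_key, lambda a, b: a) is None)
```

Because the PIN is a keyed function of both nonces rather than digits copied out of them, neither party alone chooses it, and any change to a nonce in transit fails the tag check before a PIN is ever computed.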

U2F instead of password for “sudo mode”?

Some apps (GitHub being the most prominent, IMHO) allow using a U2F token as a means of validation for "sudo mode" (potentially dangerous actions in the UI, like creating a new token) instead of a password.

Intuitively it seems not very safe, as a stolen device will most probably still contain the U2F token. Am I missing something that makes it safe enough?