Determining sample size of sectors in order to validate a data wipe procedure

I am doing some research into validating implementations of hardware optimized data wipe procedures in solid state storage devices, such as ATA8 Security Mode Erase and NVMe Secure Erase procedures.

As I have attempted to define what "success" means in this context I have established that a key measure would be that "it is possible to demonstrate a change in the value of a sector X of the storage medium between observations pre and post wipe."

The most rigorous approach to this would be to make a copy of all of the sectors, conduct the wipe procedure, then compare every sector's new value with the reference copy and ensure that it is different. However, this is extremely time consuming and only really practical in a lab environment.

At the opposite extreme, simply checking that the initial sectors of the medium where the file-system structures are held are no longer valid is not sufficient, as the actual data is easily recoverable in their absence.

The middle ground then appears to be to record a number of observations of sectors randomly selected from the medium, conduct the wipe, then compare. I believe the key to that is to determine in some formal fashion how many sectors to sample in order for there to be any confidence in the outcome.

My understanding of sampling theory from college is all based upon sampling human populations using established models and tables, which I don't think apply here. Accordingly, I am looking for suggestions as to techniques that can be applied to determine an appropriate sample size, or if, due to the nature of the population, it is not possible to actually construct such a sample with any useful meaning. I think I understand that statistical models rely upon the ability to reason about other people you didn't observe based upon those you did, and it's not clear to me that in this case there is a way to reason about the state of other sectors based upon the ones you check. If that were the case then perhaps all you are left with is making some arbitrary decision that X percentage of sectors being wiped is sufficient according to some policy standard, but that feels unsatisfactory to me.

This might be a Statistics question rather than a Computer Science question, but I am more comfortable with CS terminology than stats, and I think an understanding of how storage devices work is important to understanding the question, so I decided to start here. If this would be better off asked elsewhere please let me know.
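The sampling question above has a standard answer for the "at least one unwiped sector in the sample" criterion, worked through here as an added example (not from the original post): the sample size for a given residual fraction and confidence, the exact no-replacement miss probability, and a before/after snapshot comparison. The toy device, its sector size and the all-zero wipe pattern are constructed for the demo; sectors that already held the wipe pattern are excluded because they give no information, and over-provisioned or remapped blocks are not reachable by LBA sampling at all.

```python
import math
import random


def sample_size(unwiped_fraction, confidence):
    """Smallest n such that a uniformly random sample of n sectors contains at least one
    unwiped sector with probability >= confidence, if at least unwiped_fraction of all
    sectors survived the wipe (sampling-with-replacement approximation, fine for large devices)."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - unwiped_fraction))


def miss_probability(total_sectors, unwiped_sectors, n):
    """Exact probability that n distinct sectors drawn without replacement all land on wiped
    sectors, i.e. the chance that the check wrongly passes (hypergeometric tail)."""
    prob, wiped = 1.0, total_sectors - unwiped_sectors
    for i in range(n):
        prob *= (wiped - i) / (total_sectors - i)
    return prob


def choose_sample(total_sectors, n, rng=random.SystemRandom()):
    """Pick n distinct LBAs; an unpredictable RNG keeps firmware from special-casing them."""
    return sorted(rng.sample(range(total_sectors), n))


def snapshot(read_sector, lbas):
    """Record sector contents for the chosen LBAs (read_sector is the device read callback)."""
    return {lba: read_sector(lba) for lba in lbas}


def unchanged_sectors(before, after, wipe_pattern=None):
    """LBAs whose content did not change across the wipe. Sectors that already held the
    wipe pattern before the wipe carry no information and are left out of the verdict."""
    return [lba for lba, data in before.items()
            if data == after[lba] and data != wipe_pattern]


if __name__ == "__main__":
    # Constructed toy device: 100,000 sectors of 16 bytes; the wipe misses the first 100 (0.1%).
    total, missed, pattern = 100_000, 100, b"\x00" * 16
    n = sample_size(0.001, 0.99)            # 4603 sectors for 99% confidence against a 0.1% residue
    rng = random.Random(7)                  # seeded only because the device itself is a toy
    device = {lba: rng.getrandbits(128).to_bytes(16, "big") for lba in range(total)}
    lbas = choose_sample(total, n, rng)
    before = snapshot(device.get, lbas)
    for lba in range(missed, total):        # simulated wipe leaves LBAs 0..99 untouched
        device[lba] = pattern
    after = snapshot(device.get, lbas)
    print(n, miss_probability(total, missed, n), unchanged_sectors(before, after, pattern))
```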

Should OIDC introspection endpoint be used to validate the JWT access token?

My resource server exposes an API that expects JWT access tokens obtained using OpenID Connect.

So far the validation on the resource server side consisted of using the Realm public key to validate the JWT access token signature and checking some other parameters such as expiration time.

Since the access token is a JWT, I already have information about the user (sub, role claims etc). So I wouldn’t need to invoke the introspection endpoint to get it.

However, the introspection endpoint also answers with the active state of a token. Does it make sense to use it as another step in the JWT access token validation process? Is it really necessary, or should I consider the token valid just by checking the signature and the other claims?

Is the tradeoff of the added latency to invoke just another endpoint to validate worth it?

How can I validate that a PRNG’s output is insecure and predictable?

Say I talk to a developer who is using some output of a Pseudo-random number generator in order to do some security task. I know based upon common knowledge that only Cryptographically Secure Pseudo Random Numbers should be used.

However, I want to take this a step further: how would I create a proof-of-concept that the current method is not secure? I would guess that I need a large collection of outputs from this particular PRNG algorithm, but aside from that, I have no idea what else I would need to do. Is there a way for me to use a cryptanalysis tool to derive the seed or salt (assuming there is one)? How can I prove or disprove that such a PRNG is predictable using security auditing tools and/or scripts?
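One way to build the kind of proof-of-concept asked about above, as an added example that is not from the original post: an audit check that treats the unknown generator as a linear congruential generator, recovers its multiplier, increment and modulus from a handful of consecutive full-state outputs, and predicts the next value. If the prediction matches, the generator is unfit for any security use. The LCG constants and seed used in the test are assumed for the demo; generators that expose only part of their state need a different recovery step.

```python
import math


def lcg_sequence(a, c, m, seed, n):
    """Produce n outputs of x_{i+1} = (a*x_i + c) mod m, each output being the full state."""
    out, x = [], seed
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out


def recover_lcg(outputs):
    """Recover (a, c, m) from consecutive full-state outputs of an LCG with unknown
    parameters. Needs at least 6 outputs; 10 or more make the modulus guess reliable.
    Returns None when no LCG consistent with the outputs is found."""
    if len(outputs) < 6:
        return None
    t = [outputs[i + 1] - outputs[i] for i in range(len(outputs) - 1)]
    # For an LCG, t[i+1]*t[i-1] - t[i]^2 is always a multiple of m, so the gcd of
    # several such terms is m itself or, occasionally, a small multiple of it.
    candidate = 0
    for i in range(1, len(t) - 1):
        candidate = math.gcd(candidate, abs(t[i + 1] * t[i - 1] - t[i] ** 2))
    if candidate <= 1:
        return None
    for d in range(1, 64):                          # strip a spurious small factor, if any
        if candidate % d:
            continue
        m = candidate // d
        try:
            a = (t[1] * pow(t[0], -1, m)) % m      # from t[1] = a * t[0] (mod m)
        except ValueError:                          # t[0] has no inverse mod this m
            continue
        c = (outputs[1] - a * outputs[0]) % m
        if all((a * outputs[i] + c) % m == outputs[i + 1] for i in range(len(outputs) - 1)):
            return a, c, m
    return None


def predict_next(outputs):
    """Return the generator's next output, or None if it could not be modelled as an LCG."""
    params = recover_lcg(outputs)
    if params is None:
        return None
    a, c, m = params
    return (a * outputs[-1] + c) % m
```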

What technologies to use for the “front end” server to safely validate requests?

Imagine that I have a server made with technologies and programming language that are not secure for some reason, such as legacy versions with known vulnerabilities or anything else that may result in giving a hacker an opportunity to forge an invalid request to access more data or internals of the system.
Now, to solve the security problem instead of rewriting the core, I would like to place a 2nd server in front of it. It should have libraries to be able to accept simple HTTP requests with headers, parse/generate JSON, do the validation (to ensure it passes valid JSON to the 1st server, i.e. recursively check structure, sizes and encodings) and so be quick, simple and safe enough to make it possible to rarely update it and use any unsafe protocol for easier communication with the 1st server.
What technologies should I use for the 2nd server? What programming language?

Validate functions before inserting them into functions.php

I’d like to know if the functions below follow best practices in terms of ensuring the best performance and security before deploying to the main site.

1. Remove paged category description

add_action( 'wp', 'tu_remove_paged_category_description' );

function tu_remove_paged_category_description() {
    // 'paged' is 0 or unset on the first page; cast to int so the strict compare below is reliable.
    $page = max( 1, (int) get_query_var( 'paged' ) );
    if ( 1 !== $page ) {
        remove_action( 'generate_archive_title', 'generate_archive_title' );
        add_action( 'generate_archive_title', 'tu_custom_paged_archive_title' );
    }
}

function tu_custom_paged_archive_title() {
    ?>
    <header class="page-header">
        <h1 class="page-title">
            <?php the_archive_title(); ?>
        </h1>
    </header>
    <?php
}

2. Allow HTML editing of author biography

// Swap the default user-description sanitiser for the post-content one,
// which permits the broader set of HTML tags allowed in post content.
remove_filter( 'pre_user_description', 'wp_filter_kses' );
add_filter( 'pre_user_description', 'wp_filter_post_kses' );

3. Limit number of posts on first page of selected categories

add_action( 'pre_get_posts', function ( $query ) {
    // Use the query object's own methods: the global is_main_query() / is_paged()
    // helpers look at the global $wp_query, not necessarily the query being filtered.
    if ( ! $query->is_main_query() || is_admin() ) {
        return;
    }
    if ( ! $query->is_paged() && $query->is_category( array( 2, 3 ) ) ) {
        $query->set( 'posts_per_page', 8 );
    }
} );

4. Prevent the category widget from using the category description as the list item title attribute

function mbf_disable_cat_desc_widget_list_titles( $cat_args ) {
    $cat_args['use_desc_for_title'] = 0;
    return $cat_args;
}
add_filter( 'widget_categories_args', 'mbf_disable_cat_desc_widget_list_titles' );

5. Create shortcode by listing subcategories belonging to that category

function mbf_subcategories( $atts, $content = null ) {
    // Read attributes into an array instead of extract()ing them into local variables.
    $atts = shortcode_atts( array(
        'count'      => '10',
        'show_count' => 0,
        'hide_empty' => 0,
    ), $atts );
    $output = ''; // Always return a string, even when not on a category archive.
    if ( is_category() ) {
        // On a category archive page, show its subcategories, if any.
        $cat = get_category( get_query_var( 'cat' ), false );
        $id  = ( 0 == $cat->category_parent ) ? $cat->cat_ID : $cat->category_parent;
        $children = get_term_children( $id, 'category' );
        if ( ! is_wp_error( $children ) && ! empty( $children ) ) {
            // List of subcategories with the parent category in the title.
            $args = array(
                'show_option_none' => '',
                'title_li'         => '',
                'echo'             => 0,
                'show_count'       => $atts['show_count'],
                'number'           => $atts['count'],
                'hide_empty'       => $atts['hide_empty'],
                'child_of'         => $id,
            );
            $output = '<ol>' . wp_list_categories( $args ) . '</ol>';
        }
    }
    return $output;
}
add_shortcode( 'mbf_subcategories', 'mbf_subcategories' );

Validate unique users in 2 columns of a SharePoint list

I have a list which stores information about new SharePoint site requests, where I have 2 fields (People and Groups):

  • Primary Site Collection Admin
  • Secondary Site Collection admin

Both of these fields are pointing to the SpSite owners groups in the site. Now, when users are filling in NewForm.aspx, I need to validate that they are unique users.

How do we do that? Code I am using is:

<script src="/sites/services/SiteAssets/scripts/jquery-1.11.1.min.js" type="text/javascript"></script>
<script type="text/javascript">
function PreSaveAction() {
    var pickerPerson1 = getPickerInputElement("Primary_x0020_Site_x0020_Adminis_41bc75f7-fb89-4d45-897a-372aee8074b6_$ClientPeoplePicker");
    alert(pickerPerson1);
    // SharePoint cancels the save unless PreSaveAction returns true.
    return true;
}

// Returns the innerHTML of the 'content' SPAN inside the people-picker DIV whose id
// equals identifier, or null when no such picker is on the page.
function getPickerInputElement(identifier) {
    var tags = document.getElementsByTagName('DIV');
    for (var i = 0; i < tags.length; i++) {
        var tempString = tags[i].id;
        if (tempString.indexOf('UserField_upLevelDiv') > 0 && identifier == tempString) {
            var innerSpans = tags[i].getElementsByTagName("SPAN");
            for (var j = 0; j < innerSpans.length; j++) {
                if (innerSpans[j].id == 'content') {
                    return innerSpans[j].innerHTML;
                }
            }
        }
    }
    return null;
}
</script>

Validate Infopath form by another SharePoint list

I have 1 Requirement list and 1 Tasks list with InfoPath 2010 forms.

  • The Tasks list has a Lookup column to the Requirement Title field.
  • Both lists have a Status field.

When a user saves a Requirement (InfoPath form) with Status=Completed, I want to check whether any corresponding tasks exist in the Tasks list with Status != Completed.

If so, I want to show a message (or form validation) to the user saying:

"Corresponding Task is open for this requirement. Please complete the open task in order to complete the requirement."

Is it possible?

Best Way to Validate E-mail (before sending link to complete registration)

I have a web application used by users with “little experience”.

The only field that exists on the home page is email. If the user is already registered I request the password, otherwise I send an email to him to finish the registration.

My problem is that users occasionally type the wrong email and are waiting to receive the email to complete the registration.

I started a job to create a "Did you mean" tool, so if he types "anyone@gmail.cmo" I suggest "anyone@gmail.com".

I wanted your opinion on two topics:

1. Should I open another field for him to re-type the email before sending the link to finalize the registration?

2. Should I use a host validation API like https://trumail.io/ (I am afraid of it blocking an email that is OK)?

Or, if someone has a similar experience and wants to share the solution that brought greater conversion, it would help me a lot.