Daily updates / Recommended
Time | Source | Entry |
---|---|---|
2022-05-26 22:13 | Sylvain Kerkour | **42 Companies using Rust in production** A lot of people want to learn Rust but are afraid that the language or the ecosystem is not production-ready yet, or that they may not find a job. Be reassured, Rust is already used in production, from small shops to the largest companies in the world, serving billions of … |
2022-05-26 22:13 | Sylvain Kerkour | **Hello Simplon** Hello everyone, yesterday I had the opportunity to exchange with students from the Simplon school. We talked about programming, infosec, entrepreneurship, and async work. Here are some links we shared during the meeting and some additional ones to deepen the topics we discussed. Async life: the next frontier after remote work … |
2022-05-26 22:13 | Sylvain Kerkour | **How to implement worker pools in Rust** Think twice. Worker pools are not a great fit for Rust due to its ownership model. Instead, embrace functional programming and immutable data. Rust provides simpler-to-use and more elegant tools: parallel Iterators and Streams. Update: someone (rightfully) pointed out that I didn't really define what my definition of … |
2022-05-26 22:13 | Sylvain Kerkour | **Black Hat Rust: July Update** Initially planned for July 2021, the book is a little bit off schedule. I could invoke many pretexts such as: 100% of tech projects are off schedule, COVID-19, English is not my native language, or that the weather is terrible (??)... But I won't. The principal reason is simple: I … |
2022-05-26 22:13 | Sylvain Kerkour | **My Rust development workflow (after 2+ years)** Rust takes a loooot of time to compile, even with incremental compilation. It's not rare that a small change leads to 2 or 3 minutes of compilation to test the change, which frustrates a lot of new rustaceans. It's a deliberate choice made by the language designers to favor runtime … |
2022-05-26 22:13 | Sylvain Kerkour | **HTTP Security Headers: The Best Practices** Initially used for simple metadata, HTTP headers now play an important role in the vast field that web security is. Setting up HTTP security headers is the quickest, least expensive, and probably the most effective way to secure a web application today. Here is how. But first, you may be … |
2022-05-26 22:13 | Sylvain Kerkour | **How to deploy Rust on Heroku (with Docker)** Due to its unrivaled reliability and performance, Rust is more and more appreciated by companies for web development. And when we talk about web development, Heroku is never far away. So here is the easiest way to deploy a Rust app on Heroku (whether it be a worker or a … |
2022-05-26 22:12 | Sylvain Kerkour | **15k inserts/s with Rust and SQLite** There is this growing sentiment in tech that stacking more and more layers of complexity to reach the sacrosanct "infinite scalability" is not the way forward. First, because it rarely materializes: you need a lot of other things than fancy tech to reach millions of people. Second, because the tradeoffs … |
2022-05-26 22:12 | Sylvain Kerkour | **The foobar challenge: Google's secret hiring program** Earlier this week, while searching on Google for "use after free", a kind of memory vulnerability, I had a surprise: the links on the result page stopped working and this strange message appeared. WTF?? After some (more) googling, I learned that Google is running a kind of secret hiring program … |
2022-05-26 22:12 | Sylvain Kerkour | **A fast port scanner in 100 lines of Rust** To write a fast port scanner, a programming language requires: a good I/O model, so as not to eat all the resources of the system; high-level abstractions and a good packaging system to isolate low-level code and reuse it easily; type and memory safety, because who wants offensive tools with … |
2022-05-26 22:12 | Sylvain Kerkour | **Overthinking** I used to be a pathological overthinker. Everything had to be carefully planned, from the words I would say to the baker to order a baguette to all the insignificant details of any of the projects I worked on. Is it better to tweet at 18:00 or 18:05? Rust or … |
2022-05-26 22:12 | Sylvain Kerkour | **How to convert String to Int and Int to String in Rust** String to Int: to convert a String (or a &str) to an integer in Rust, we can use the `parse` method: `fn main() -> Result<(), Box<dyn std::error::Error>> { /* String to int */ let s1 = String::from("42"); let n1 = s1.parse::<u64>()?; /* or */ let n2: u64 = s1.parse()?; Ok(()) }` Int … |
2022-05-26 22:12 | Sylvain Kerkour | **How to deal with large Cargo workspaces in Rust** I'm a big fan of monoliths, but when Rust projects become larger and larger, we have to use Cargo workspaces. First to benefit from incremental compilation to speed up compile times, second to improve code organization. Then a big problem arises: the declaration of our dependencies is scattered all over … |
2022-05-26 22:12 | Sylvain Kerkour | **How to sort a vector in Rust** sort: the simplest method (no pun intended) to sort a vector in Rust is to use `sort`. `fn main() { let mut v = vec![3, 2, 90, 78, 64, 32, 1, -10, 10, 10000]; v.sort(); println!("{:?}", v); }` prints `[-10, 1, 2, 3, 10, 32, 64, 78, 90, 10000]`. Please note … |
2022-05-26 22:12 | Sylvain Kerkour | **Overview of the Rust cryptography ecosystem** 37.2% of vulnerabilities in cryptographic libraries are memory safety issues, while only 27.2% are cryptographic issues, according to "An Empirical Study of Vulnerabilities in Cryptographic Libraries" (Jenny Blessing, Michael A. Specter, Daniel J. Weitzner, MIT). I think it's time that we move on from C as the de-facto language … |
2022-05-26 22:12 | Sylvain Kerkour | **Bullshit jobs** Imagine having a job so pointless or unnecessary that you can't understand how a person in their right mind could pay you to do it. My current job title is Portfolio Coordinator, and everyone always asks what that means, or what it is I actually do. I have no idea. |
2022-05-26 22:12 | Sylvain Kerkour | **How to import a crate from git in Rust** Importing a crate from git is as simple as adding the following line in your Cargo.toml file: `[dependencies] ring = { git = "https://github.com/briansmith/ring", version = "0.12" }` or `ring = { git = "https://github.com/briansmith/ring", branch = "main" }` |
2022-05-26 22:12 | Sylvain Kerkour | **Smart pointers: The secret to write clean Rust code** Lifetime annotations are one of the things that distract new rustaceans the most. From my experience writing and digging into Rust codebases, lifetime (annotations) induce a cognitive load that distracts from getting the actual work done. They not only make your code harder to read but also harder to use, … |
2022-05-26 22:12 | Sylvain Kerkour | **Framing: the foundations of persuasion** Have you ever felt not being heard? Whether it be in a diner with friends, while presenting a project in a meeting, or when pitching your new startup to an investor? So you start optimizing for the wrong things, tweaking the irrelevant details. A little bit more of blue here, … |
2022-05-26 22:12 | Sylvain Kerkour | **How to build a job queue with Rust and PostgreSQL (or in any other language such as Go, Node.js or Python)** Job queues are a central piece of any web application. They enable background jobs, buffering to handle surges in traffic, async messaging, batching and many other great things. Thus, it is only natural that many vendors are offering various … |
2022-05-26 22:12 | Sylvain Kerkour | **Why Rust for offensive security** Imagine: all the tanks of your army are made of cardboard. Now imagine that not only your tanks but also all your air force is composed of paper planes and your navy of paper vessels. It would be a pretty bad situation, don't you think? While it sounds absurd, this is … |
2022-05-26 22:12 | Sylvain Kerkour | **How to Write and Compile Shellcode in Rust** A few months ago, we saw how to execute a shellcode from memory in Rust. What if we could write the actual shellcode in Rust? Writing shellcodes is usually done directly in assembly. It gives you absolute control over what you are crafting; however, it comes with many, many drawbacks: … |
2022-05-26 22:12 | Sylvain Kerkour | **How to implement HTTP Long Polling in Rust** We will use the new web framework developed by tokio's team: axum. Its performance and simplicity are unparalleled in the Rust world. Also, please note that porting this code to another web framework is easy. We will implement a simple chat server, as chat is the textbook application that benefits … |
2022-05-26 22:12 | Sylvain Kerkour | **Engineer vs Entrepreneur Mindset** I have written code since 2013 and started my entrepreneurship journey in 2017. That gave me plenty of time to observe a recurring pattern: engineers love to get it right. Entrepreneurs love to get it done. It materializes in a lot of ways; here are the most striking examples: engineers have … |
2022-05-26 22:12 | Sylvain Kerkour | **How to implement HTTP Long Polling in Go** We will implement a simple chat server, as chat is the textbook application that benefits the most from long polling. There are 3 tricks to make this implementation efficient, so stay attentive ;) The Chat Service: the Chat Service is an object that encapsulates all our business logic. To keep … |
2022-05-26 22:12 | Sylvain Kerkour | **How to install Ubuntu Server on a Raspberry Pi 4** I just got my hands on a Raspberry Pi 4. As I wanted to install a 64-bit operating system, Ubuntu seemed to be the best choice. Unfortunately, the official tutorial on installing Ubuntu Server 21.04 on a Raspberry Pi didn't work for me, so here is how I proceeded. Flashing … |
2022-05-26 22:12 | Sylvain Kerkour | **How to compile Rust and LLVM for ESP32 on a Raspberry Pi (aarch64)** ESP32 is a series of microcontrollers that has the particularity of having both integrated Bluetooth and Wi-Fi. It makes it the perfect microcontroller when you need low-power, networked, and smart hardware that doesn't require an OS. I had to compile and run Rust code on an ESP32. Unfortunately, they … |
2022-05-26 22:12 | Sylvain Kerkour | **Rust on ESP32** I recently got my hands on an ESP32 microcontroller for hacking purposes and successfully ran Rust code on it 🦀 Installing the tools: first, you need to download and install the prebuilt binaries of the Rust and LLVM compiler forks by Espressif, or follow yesterday's guide about how to compile … |
2022-05-26 22:12 | Sylvain Kerkour | **Freedom: the core value of hackers** Most people enjoy the feeling of being free. But how free are we really? I'm not talking about free will and all that stuff, I'm simply talking about who we have to ask before being able to do something, anything. Can you build a house on any plot of land … |
2022-05-26 22:12 | Sylvain Kerkour | **Reproducible cross-compilation for Rust (with Docker)** "Error: Toolchain / Library XX not found. Aborting compilation." How many times did you get this kind of message when trying to follow the build instructions of a project, or cross-compile it? This problem can be solved with immutable toolchains and reproducible build environments. All of that powered by … |
2022-05-26 22:12 | Sylvain Kerkour | **Building a static site generator in 100 lines of Rust** And by that, I mean exactly 100 lines (excluding templates), with hot reload and an embedded web server 😃 Conceptually, a static site generator is straightforward. It takes some files as input, often markdown, renders them, merges them with pre-defined templates, and outputs everything as raw HTML files. Simple, basic. |
2022-05-26 22:12 | Sylvain Kerkour | **Fighting the Environmental Apocalypse as a technologist** "Quitting smoking is too hard, I will never succeed." You may already have heard this kind of affirmation from someone who doesn't have the courage to stop tobacco. Of course they will quit smoking, at the latest on the last day of their life in the worst case. And, unfortunately, the more … |
2022-05-26 22:12 | Sylvain Kerkour | **Black Hat Rust October Update (now in Beta 🍾)** Just kidding, after a short pause of deep work and flu recovery, I'm extremely happy to announce that Black Hat Rust is reaching completion and that I just uploaded the version 2021.21 🍾 100% of the code is available on GitHub, ~90% of the words are available (355+ pages). All … |
2022-05-26 22:12 | Sylvain Kerkour | **The foundations of modern end-to-end encryption: Signatures** Now that most of our communications are digital, a problem arises: how to keep our messages private despite all the intermediaries? Internet Service Providers (ISPs) and service providers (Facebook, Telegram, Line, WeChat...) are all in a position of Man-In-The-Middle (MITM) and are able to inspect, record, and even modify our … |
2022-05-26 22:12 | Sylvain Kerkour | **Default environment variables in Rust** Rust does not provide a built-in way to set a default environment variable. Yet, it's easy to achieve with the `unwrap_or` combinator: `fn main() { let port = std::env::var("PORT").unwrap_or("8080".to_string()); }` Alternatively, you can define a function that sets a default env value if none is set: `fn set_default_env_var(key: &str, value: …` |
2022-05-26 22:12 | Sylvain Kerkour | **Benchmarking symmetric encryption (AEAD) in Rust** As we saw last week, when performing symmetric encryption you should use Authenticated Encryption with Additional Data (AEAD), which provides stronger guarantees than block ciphers. The main contenders for authenticated encryption in Rust (and in general) are: RustCrypto's XChaCha20-Poly1305, RustCrypto's ChaCha20-Poly1305, RustCrypto's AES-256-GCM, ring's ChaCha20-Poly1305, ring's AES-256-GCM. As we saw … |
2022-05-26 22:12 | Sylvain Kerkour | **Hacking Stories #1 - The Evil Twin** James is a Computer Science student like many others: brilliant, but a little bit shy, especially with girls. The fact that there are only 3 girls for 25 boys in his class doesn't help. Among these 3 girls, there is Mary. Black hair. Deep and dark eyes. |
2022-05-26 22:12 | Sylvain Kerkour | **Converting an Enum to a String in Rust** The easiest way to convert an enum to a String in Rust is to implement the `std::fmt::Display` trait: `#[derive(Debug, Clone, Copy)] enum Platform { Linux, MacOS, Windows, Unknown, } impl fmt::Display for Platform { fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { match self { Platform::Linux => write!(f, "Linux"), Platform::MacOS …` |
2022-05-26 22:12 | Sylvain Kerkour | **Backdooring Rust crates for fun and profit** Supply chain attacks are all the rage these days, whether to deliver RATs, cryptocurrency miners, or credential stealers. In Rust, packages are called crates and are (most of the time) hosted on a central repository, https://crates.io, for better discoverability. We are going to study 8 techniques to achieve Remote Code … |
2022-05-26 22:11 | Sylvain Kerkour | **Position Independent Shellcodes in Rust (PIC)** Shellcoding in Rust: we previously saw how to craft a HelloWorld shellcode in Rust. This time, we are going to create a shellcode that... actually launches a shell, using the execve syscall. A C equivalent would be something like: `#include <unistd.h> int main() { char *args[2]; args[0] = "/bin/sh"; args[1] …` |
2022-05-26 22:11 | Sylvain Kerkour | **Black Hat Week (Black Hat Rust is out 🍾)** Black Hat Rust is out of beta :) v2021.40 It's now official: as of v2021.40, Black Hat Rust is considered out of beta and complete! Hundreds of typos have been corrected, layout issues have been fixed, and there is no more "coming soon" remaining. I've also added a few tips … |
2022-05-26 22:11 | Sylvain Kerkour | **The tools and services I used to write, edit and self-publish my book** Last week, I officially announced that my book Black Hat Rust is out 🍾 Since then, I received a few questions about the tools and services I used to self-publish it, so here is my end-of-the-year gift 🎁 to you: a detailed write-up of all the tools, services, and scripts I've … |
2022-05-26 22:11 | Sylvain Kerkour | **How to encrypt a file in Rust (Using streaming AEAD encryption)** Choosing the right encryption algorithm: when you want to encrypt data, you may face a problem: how to encrypt files or data streams that don't fit in memory? You could simply split them into small chunks and encrypt each fragment individually. Unfortunately, it's not that simple. An attacker could modify … |
2022-05-26 22:11 | Sylvain Kerkour | **4 ways to read a file in Rust** Read the entire file as a String: `fn read_file_string(filepath: &str) -> Result<String, Box<dyn std::error::Error>> { let data = fs::read_to_string(filepath)?; Ok(data) }` Read the entire file as a Vector: `fn read_file_vec(filepath: &str) -> Result<Vec<u8>, Box<dyn std::error::Error>> { let data = fs::read(filepath)?; Ok(data) }` Read a text file line by line: `fn …` |
2022-05-26 22:11 | Sylvain Kerkour | **Hacking Stories #2 - The virus that came in from the cold** Sarah was already in a bad mood this morning: her father died at the beginning of the month. So, when her boss, Mike, convened her in his office, she knew that her troubles were not at an end. Sarah is a very talented developer working in a … |
2022-05-26 22:11 | Sylvain Kerkour | **You can now buy Black Hat Rust with PayPal, Apple Pay & Google Pay** I'm happy to announce that you can now purchase Black Hat Rust with PayPal, Apple Pay and Google Pay thanks to Paddle, which handles invoicing with VAT (if applicable) 🎉 Go here to buy Black Hat Rust with any of these payment methods: https://kerkour.com/black-hat-rust 🔔 Because it took a very … |
2022-05-26 22:11 | Sylvain Kerkour | **Secure and immutable development environments with Dev Containers** "But, it works on my machine." "If I install this NPM package, is it going to rm -rf / or infect me with a cryptominer?" "I spent the whole day trying to install $DATABASE on my laptop but it still doesn't work!" As we saw 2 months ago, supply chain … |
2022-05-26 22:11 | Sylvain Kerkour | **How to securely encrypt a file with an insecure password in Rust (using Streaming Encryption + Argon2)** Last month we saw how to encrypt large files that don't fit in memory using a streaming cipher. The article presupposes that you already have a secure key generation mechanism. Today, we are going to see how to securely encrypt data using a cryptographically insecure password. Passwords can't be used … |
2022-05-26 22:11 | Sylvain Kerkour | **CSRF vulnerabilities: How to exploit and how to defend** The past few weeks I implemented an API that relies on Cookies for authentication. When working with Cookies you should always be extremely careful not to introduce CSRF vulnerabilities. Usually, I build APIs using a specific Authentication HTTP header, which completely removes the risk of CSRF (more on that below). |
2022-05-26 22:11 | Sylvain Kerkour | **Async Rust: Cooperative vs Preemptive scheduling** This post contains excerpts of my book Black Hat Rust. Threads were designed to parallelize compute-intensive tasks. However, these days, a lot of applications (such as a network scanner) are I/O (Input / Output) intensive. Thus, threads have two significant problems: they use a lot of memory (compared to other … |
2022-05-26 22:11 | Sylvain Kerkour | **Clean and Scalable Architecture for Web Applications in Rust** This post contains excerpts of my book Black Hat Rust. There are many architectural patterns to design web applications. A famous one is the "Clean Architecture" by Robert C. Martin. This architecture splits projects into different layers in order to produce systems that are independent of frameworks. The architecture does … |
2022-05-26 22:11 | Sylvain Kerkour | **Async Rust: What is a runtime? Here is how tokio works under the hood** This post contains excerpts of my book Black Hat Rust. Last week, we saw the difference between cooperative and preemptive scheduling and how it enables resource-efficient I/O operations. Today, we are going to learn how runtimes work under the hood. Rust does not provide the execution context required to execute … |
2022-05-26 22:11 | Sylvain Kerkour | **The 9 indispensable features to learn for the new Rust programmer** Rust is a rather large and complex programming language with a lot of features. But I have good news: less than 20% of the features will bring you more than 80% of the results. Here are the features I consider indispensable to learn when you are starting Rust. Ready to … |
2022-05-26 22:11 | Sylvain Kerkour | **Entropy is Fatal** Like a lot of people, I used to be a pathological maximalist. A phone with more features is necessarily better, a company with more people is better, a program with more lines of code is better, a house with more stuff is better. Until the day when reality hit me … |
2022-05-26 22:11 | Sylvain Kerkour | **The simplest guide to error handling in Rust** Rust is loved for its reliability, and a good chunk of its reliability comes from its error handling ergonomics. I know that there already are a few guides about error handling in Rust, but I found these guides to be too long and not straight to the point. So here … |
2022-05-26 22:11 | Sylvain Kerkour | **The foundations of end-to-end encryption: Domain separation (with code example in Rust)** This post is part 2 of the series "The foundations of end-to-end encryption" and contains excerpts from my book Black Hat Rust about Security, Rust and Cryptography. Building an end-to-end encrypted service: let's say we want to build a service using end-to-end encryption to secure our users' data, a hosted … |
2022-05-26 22:11 | Sylvain Kerkour | **Background jobs in Rust** Recurrent jobs: for recurrent jobs (a.k.a. CRON jobs), I personally use the lightspeed_scheduler crate: `let job = Job::new("kernel", "dispatch_delete_old_data", Some(3), move \|\| { let kernel_service_inner = kernel_service.clone(); Box::pin(async move { kernel_service_inner.dispatch_delete_old_data().await?; Ok(()) }) }); scheduler.add_job_with_scheduler("* 0 4 * * *".to_scheduler().expect("scheduler.run: parsing kernel.delete_old_data cron expression"), job,)` |
2022-05-26 22:11 | Sylvain Kerkour | **Which Rust web framework to choose in 2022 (with code examples)** Table of contents: The frameworks; Performance; Ecosystem and Community; JSON deserialization; Routing; Middleware; State; Conclusion. Want to learn Rust, Cybersecurity and Cryptography? Get my book Black Hat Rust! The frameworks as of February 2022 (crate, version, total downloads, description): actix-web 4.0.0-rc.3, 5,134,720 downloads, Actix Web is a powerful, pragmatic, and extremely … |
2022-05-26 22:11 | Sylvain Kerkour | **Alignment: What Buddhism can teach us about success** What is your definition of success? The answers to this question are almost universally the same: having a lot of money, having a lot of sex partners, having a high social status. And these answers are universally wrong. They are the default answers, dictated by universal metrics, which are the … |
2022-05-26 22:11 | Sylvain Kerkour | **Black Hat Rust Cyberwar Discount** The world is in turmoil. While we obviously can't predict what is going to happen in the physical world, one thing is sure: cyberwar will intensify a lot in the coming weeks / months. This is why I decided to offer a big discount on my book Black Hat Rust. The … |
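The CSRF entry above states that an API authenticated through a dedicated Authorization header is not exposed to CSRF, while a cookie-authenticated one is. The gate below, an added example and not code from the post or from Black Hat Rust, shows the distinction as a request-level check using only the Rust standard library: a request carrying its credential in an `Authorization` header is accepted (browsers never attach that header on a cross-site request without a CORS preflight the server must approve), while a cookie-authenticated state-changing request must prove its provenance through the browser-controlled `Sec-Fetch-Site` and `Origin` headers. The `Request` type, the `csrf_check` function, the `Verdict` enum and the origin `https://app.example.com` are all assumptions made for the example.

```rust
// Added example: a CSRF gate for an API that accepts either an Authorization
// header or a session cookie. Types and names are hypothetical.
use std::collections::HashMap;

/// Minimal request view: upper-cased method plus lower-cased header names.
#[derive(Debug)]
pub struct Request {
    pub method: String,
    pub headers: HashMap<String, String>,
}

impl Request {
    pub fn new(method: &str, headers: &[(&str, &str)]) -> Self {
        Request {
            method: method.to_ascii_uppercase(),
            headers: headers
                .iter()
                .map(|(k, v)| (k.to_ascii_lowercase(), v.to_string()))
                .collect(),
        }
    }

    fn header(&self, name: &str) -> Option<&str> {
        self.headers.get(name).map(String::as_str)
    }
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allow(&'static str),
    Reject(&'static str),
}

/// Decide whether a request may reach a state-changing handler.
/// `site_origin` is the origin our own front-end is served from (assumed).
pub fn csrf_check(req: &Request, site_origin: &str) -> Verdict {
    // Safe methods must not change state, so CSRF does not apply to them.
    // A GET handler that mutates state is the bug to fix, not this gate.
    if matches!(req.method.as_str(), "GET" | "HEAD" | "OPTIONS") {
        return Verdict::Allow("safe method");
    }
    // Path 1: credential in a custom header. A cross-site page cannot make the
    // browser add Authorization by itself; it would need a CORS-preflighted
    // request, which our server does not approve. No further check needed.
    if req.header("authorization").is_some() {
        return Verdict::Allow("header credential, never attached automatically by the browser");
    }
    // Path 2: cookie session. The browser attaches cookies on cross-site
    // requests (subject to SameSite), so provenance has to be verified.
    if req.header("cookie").is_none() {
        return Verdict::Reject("no credential");
    }
    // Sec-Fetch-Site is set by the browser and cannot be forged by page script.
    if req.header("sec-fetch-site") == Some("cross-site") {
        return Verdict::Reject("cookie credential on a cross-site request");
    }
    // Origin is browser-controlled too. "same-site" above still allows a
    // compromised sibling subdomain, so the exact origin is compared here.
    // A POST without any Origin (non-browser client using cookies) is rejected:
    // such clients should use the header path instead.
    match req.header("origin") {
        Some(o) if o.eq_ignore_ascii_case(site_origin) => Verdict::Allow("cookie credential, Origin matches"),
        Some(_) => Verdict::Reject("cookie credential, foreign Origin"),
        None => Verdict::Reject("cookie credential, Origin missing"),
    }
}

fn main() {
    let site = "https://app.example.com";
    // Constructed requests, not captured traffic.
    let forged = Request::new(
        "POST",
        &[("Cookie", "session=abc"), ("Origin", "https://evil.example"), ("Sec-Fetch-Site", "cross-site")],
    );
    let api = Request::new("POST", &[("Authorization", "Bearer t0k3n")]);
    println!("forged cross-site POST: {:?}", csrf_check(&forged, site));
    println!("header-authenticated POST: {:?}", csrf_check(&api, site));
}
```

Rejecting a cookie-authenticated POST that arrives without an `Origin` is a deliberate choice for an API: current browsers send `Origin` on every POST, and clients that are not browsers have no reason to hold a session cookie. A classic anti-CSRF token (double-submit or synchronizer) would be a second, independent line of defence on the cookie path; it is not shown here.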
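The two streaming-encryption entries above ("How to encrypt a file in Rust" and the Argon2 follow-up) stop just as they explain why encrypting each chunk independently is not enough: an attacker who cannot read the chunks can still reorder, duplicate, drop or truncate them, and every chunk would still decrypt cleanly. The block below is an added example, not code from the posts or from Black Hat Rust, and it uses no real AEAD: the keyed tag and the keystream are derived from the standard library's `DefaultHasher` (SipHash with fixed keys), which is only a stand-in so that the file runs without crates. What it demonstrates is the framing a streaming construction needs, namely that the chunk index, a last-chunk flag and the ciphertext are all bound by the tag, so that `open_stream` rejects any reordering, truncation or tampering. The record layout, the function names and the sample text are all assumptions for the example; a real implementation would replace `prf` with the AEAD of choice and a constant-time tag comparison.

```rust
// Added example: framing for chunked ("streaming") authenticated encryption.
// prf() is a toy stand-in built on std's DefaultHasher, NOT a secure primitive;
// the point is which fields the tag must cover, not the cipher itself.
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;

const KS_BLOCK: usize = 8;

/// Toy keyed PRF: length-prefixes the key and every part, returns 8 bytes.
fn prf(key: &[u8], parts: &[&[u8]]) -> [u8; 8] {
    let mut h = DefaultHasher::new();
    h.write_usize(key.len());
    h.write(key);
    for p in parts {
        h.write_usize(p.len());
        h.write(p);
    }
    h.finish().to_le_bytes()
}

/// XOR `data` with a keystream bound to (key, nonce, chunk index, block number).
fn xor_keystream(key: &[u8], nonce: &[u8; 8], index: u64, data: &[u8]) -> Vec<u8> {
    let idx = index.to_le_bytes();
    data.chunks(KS_BLOCK)
        .enumerate()
        .flat_map(|(i, block)| {
            let blk = (i as u64).to_le_bytes();
            let ks = prf(key, &[&b"keystream"[..], &nonce[..], &idx[..], &blk[..]]);
            block.iter().zip(ks.iter()).map(|(d, k)| d ^ k).collect::<Vec<u8>>()
        })
        .collect()
}

/// One chunk on the wire. Constructed layout, not a standard format.
#[derive(Debug, Clone, PartialEq)]
pub struct Record {
    pub index: u64,
    pub last: bool,
    pub body: Vec<u8>,
    pub tag: [u8; 8],
}

/// The tag covers index, last flag and ciphertext: changing any of them,
/// or presenting the chunks in another order, invalidates it.
fn chunk_tag(key: &[u8], nonce: &[u8; 8], index: u64, last: bool, body: &[u8]) -> [u8; 8] {
    let idx = index.to_le_bytes();
    let flag = [last as u8];
    prf(key, &[&b"tag"[..], &nonce[..], &idx[..], &flag[..], body])
}

/// Split, encrypt and authenticate. An empty input still yields one final chunk,
/// so that "no data at all" is distinguishable from "stream cut before chunk 0".
pub fn seal_stream(key: &[u8], nonce: &[u8; 8], plaintext: &[u8], chunk_size: usize) -> Vec<Record> {
    assert!(chunk_size > 0, "chunk_size must be positive");
    let chunks: Vec<&[u8]> = plaintext.chunks(chunk_size).collect();
    let n = chunks.len().max(1);
    (0..n)
        .map(|i| {
            let pt = chunks.get(i).copied().unwrap_or(&[]);
            let body = xor_keystream(key, nonce, i as u64, pt);
            let last = i + 1 == n;
            let tag = chunk_tag(key, nonce, i as u64, last, &body);
            Record { index: i as u64, last, body, tag }
        })
        .collect()
}

/// Verify the framing while decrypting; any deviation aborts the whole stream.
pub fn open_stream(key: &[u8], nonce: &[u8; 8], records: &[Record]) -> Result<Vec<u8>, &'static str> {
    let mut out = Vec::new();
    let mut expected = 0u64;
    let mut finished = false;
    for rec in records {
        if finished {
            return Err("data after final chunk");
        }
        if rec.index != expected {
            return Err("chunk out of order, duplicated or missing");
        }
        // A real implementation compares tags in constant time.
        if chunk_tag(key, nonce, rec.index, rec.last, &rec.body) != rec.tag {
            return Err("bad tag");
        }
        out.extend(xor_keystream(key, nonce, rec.index, &rec.body));
        expected += 1;
        finished = rec.last;
    }
    if !finished {
        return Err("stream truncated: final chunk missing");
    }
    Ok(out)
}

fn main() {
    // Constructed sample input, not a real file.
    let key = b"constructed-demo-key";
    let nonce = [7u8; 8];
    let msg = b"The quick brown fox jumps over the lazy dog, chunk after chunk.";
    let recs = seal_stream(key, &nonce, msg, 16);
    println!("intact stream: {:?}", open_stream(key, &nonce, &recs).map(|p| p.len()));
    let mut swapped = recs.clone();
    swapped.swap(0, 1);
    println!("chunks 0 and 1 swapped: {:?}", open_stream(key, &nonce, &swapped));
    println!("last chunk dropped: {:?}", open_stream(key, &nonce, &recs[..recs.len() - 1]));
}
```

Note what the naive design (a fresh AEAD call per chunk with nothing but the chunk bytes authenticated) would have accepted: every swapped, dropped or duplicated chunk still carries a valid tag. Binding the position and the end-of-stream marker into each tag is exactly what the streaming AEAD constructions referenced by the posts provide; the nonce derivation, key size and primitive in this example are placeholders.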