Search - "encryption"
What's wrong with WannaCry? All it does is secure your system by encrypting your files for you.
When I was in my second semester of college I was tasked with creating a file encrypt/decrypt program. Take in normal text files and spit out a new random text and symbols file. I worked on it for two weeks and read up on all different encryption types and stuff. I was so excited when it was done. After it was done compiling I tried it out on its own source code, Encrypto.c, and named the output file Encrypto.c 😰 The next thing I did was google "best version control and how to use it."
Had three servers running in prod. For extra security all of them were encrypted (hdd encryption) just in case.
"mate, servers need a quick reboot, that alright?"
Me: yeah sure!
"oh hey they're encrypted, what's the password?"
Yeah, I also forgot to turn on the backup process...
I was once working on a project that dealt with incredibly sensitive financial data.
We needed a client’s database to do a migration.
They wouldn’t send it over the internet because it was too big and they didn’t think it would be secure.
They opted to send it in the post on an encrypted USB drive.
(Fair enough thinks I)
USB drive arrives.
Is indeed encrypted.
MFW there’s a post it note in the envelope with the password on.
MFW this is a billion dollar multinational petrochem company.
MFW this same company's 'sysadmin' and 'dba' once complained because a SQL script I sent them didn't work - they'd pasted it twice and couldn't work this out from the fucking "table already created" error message Management Studio was throwing at them.
Fixing family / friends technical problems, episode 2.
Problem: "I lost my iPhone, I know there's a thing that lets you find it. Can you help?"
Me: sure, it's called "find my iPhone"
Friend: ah yes that's it. How do I use it?
Me: I'll show you, just login here and ... oh you didn't set it up?
Friend: Probably not, I don't know much about this computer stuff.
Me: ... when you setup your phone for the first time, it's a full screen thing that says "do you want us to locate your phone if it's lost. Yes / No". It's hardly writing an encryption algorithm now is it?
Friend: no it's not, but still I just didn't know. I probably clicked no for everything.
Me: ... says here you clicked yes for iCloud ... and yes for photo sync ... so you read the one about your pictures but not about lost or stolen property ... nice.
Friend: ... so you can't find it then.
Me: No, natural selection took it away from you.
Friend: oh **** off.
*me, coding at a pub*
*random dude walks up to me*
He: "what are you doing? Programming? What?"
Me: "yup. That's a horizontally and vertically scalable webservice, that's using amqp, rest APIs and encryption to schedule starting, stopping and autoscaling of a total of 90 heroku applications. This webinterface *showing* allows you to trigger starts and stops manually and monitor all processes."
He: "oh, so you are programming a Website? In HTML?"
Me: "euhm........ Yes."
I understand this dude probably had no clue what I was talking about.. Yet I am angry at him. Reducing more than 12k loc to HTML... Go fuck yourself.
Me: "I'm a programmer"
Others: talks about linux
Others: search algorithms!
Others: service infrastructure
Others: memory optimization
Me: "I'm a front end web developer"
Others: complex services
Others: strong user form validation
Others: lazy loading
Me: "fucking, I make shit look pretty alright"
"could you please just use the standard messaging/social networking thingies? That way it'll be way easier to communicate!!"
Oh I don't mind using standard tools/services which everyone uses at all.
Just a few requirements: they don't save information that doesn't need to be saved, leave the users in control of their data (through end-to-end encryption for example) and aren't integrated in mass surveillance networks.
Aaaaaand all the standard options which everyone uses are gone 😩
"Your public key is a lot like a Jayden Smith tweet, it turns content into confusing, meaningless garbage before sending it out to the internet"
We've password protected a file and forgot the password. We need it cracking asap.
Sorry we can't crack passwords on files.
If we don't get access to the file it'll cost the company up to 250k.
Well you should've thought about that before encrypting the fucking file with 256 bit encryption.
Working with a radio chip we selected because it had built-in encryption. Cannot make the encryption work, thus in contact with the manufacturer:
"- I cannot make the encryption work, it's like the chip doesn't want to take a key.
- which key do you use?
- does it matter?
- well yes, you can't just use any key!
- why not?
- you need to get an approved key from us.
- why is that?
- so that your competitors can't read your data!
- so the way to get working keys is to get them from you?
- of course!
- keys are 256 bits. Can we potentially use all of them?
- OF COURSE NOT!
- how many can we get from you?
- one! We reserve it for your company.
- are you telling me that all units within a company will need to have the exact same encryption key?
- so anyone with our product could eavesdrop on another same product?
- well yes, but it's all within your own products.
- that's not how encryption is supposed to work.
- but it's safe, your competitors cannot eavesdrop!
- I'm out of here."
(We finally found a satisfactory work-around, but I am still pissed at them)
A US senator or judge or whatever his title is said today that he wants companies/governments to build a 'responsible encryption' system.
Preferably that would consist of a big ass database which stores the private keys of citizens so in case a person loses their private key or the government needs access to encrypted content, that is possible.
NOO, WHAT COULD FUCKING POSSIBLY GO WRONG!?!?!
Seriously those kind of people should not be allowed to have the kind of positions they have.
This shit makes me so angry.
So the new mass surveillance law will be going into effect from the 1st of January.
Of course, since I'm very keen on my security/privacy, I'm going to implement some precautions.
- A few VPSs connecting to Tor, I2P and a VPN provider so that I can always use a secure connection.
- Set up anti tracker/ads/etc etc shit on the VPSs. Probably through dnsmasq and the hosts file.
- Use Tor browser by default. I've tried this for a while now and damn, the tor network has become way faster than only even a year ago! Some pages literally only take a few seconds to load.
- Wipe my laptop, encrypt the harddrive and at least put QubesOS on it together with probably a few other systems.
- Ungoogle my new phone, use it with VPN by default.
- Get rid of all non encrypted communication services. I think that only leaves me with a few account removals because I haven't chatted unencrypted for nearly a fucking year now.
If anyone has any more ideas, please share!
This is super childish but it's the gameserver industry and karma is a bitch.
TLDR: I hacked my boss
I was working for a gameserver and I did development for about 3 months and was promised pay after the network was released. I followed through with a bunch of dev friends and the guy ended up selling our work. He didn't know that I was aware of this as he tried to tell people to not tell us but one honest person came forward and said he sold our work for about 8x the price of what he owed ALL OF US collectively.
I proceeded to change the server password and when he asked why he couldn't log in I sent him an executable (a crypted remote access tool) and told him it was an "encryption tunnel" that makes ssh and file transfers secure. Being the idiot that he is he opened it and I snagged all of his passwords including his email and I changed them through a proxy on his machine to ensure I wouldn't get two factored with Google. After I was done I deleted system 32 :338
We're using a ticket system at work that a local company wrote specifically for IT-support companies. It's missing so many (to us) essential features that they flat out ignored the feature requests for. I started dissecting their front-end code to find ways to get the site to do what we want and find a lot of ugly code.
So I dig further and further, adding all the features we want into a userscript with a neat little 'custom namespace'. I make pretty good progress until I find a site that does asynchronous loading of its subpages all of a sudden. They never do that anywhere else. Injecting code into the overcomplicated jQuery mess that they call code is impossible to me, so I track changes via a MutationObserver (awesome stuff for userscripts, never heard of it before) and get that running too.
The userscript got such a volume of functions in such a short time that my boss even used it to demonstrate to them what we want and asked them why they couldn't do it in a reasonable timeframe.
All in all I'm pretty proud of the script, but I hate that software companies that write such a mess of code in different coding styles all over the place even get a foot in the door.
And that's just the code part: They very veeeery often just break stuff in updates that then require multiple hotfixes throughout the day after we complain about it. These errors even go so far to break functionality completely or just throw 500s in our face. It really gives you the impression that they are not testing that thing at all.
And the worst: They actively encourage their trainees to write as much code as possible to get paid more than their contract says, so of course they just break stuff all the time to write as much as possible.
Where did I get that information you ask? They state it on their fucking career page!
We also have a reverse proxy in front of that page that manages the HTTPS encryption and Let's Encrypt renewal. Guess what: they internally check if the certificate on the machine is valid and the system refuses to work if it isn't. How do you upload a certificate to the system you ask? You don't! You have to mail it to them for them to SSH into the system and install it manually. When will that be possible you ask? SOON™.
At least after a while I got them to just disable the 'feature'.
While we are at 'features' (sorry for the bad structure): they have this genius 'smart redirect' feature that is supposed to throw you right back where you were once you're done editing something. Brilliant idea, how do they do it? Using a callback lib like everyone else? Noooo. A serverside database entry that only gets correctly updated half of the time. So multitasking in multiple tabs (which the performance of that thing almost forces you to do) makes it a whole lot worse, but you are not protected from it if you don't. Example: you did work on ticket A and save that. You get redirected to ticket B, which you worked on this morning, even though it's fucking 5 o'clock in the evening. So of course you get confused over whether you selected the right ticket to begin with. So you have to check that almost every time.
Alright, rant over.
Let's see if I need to make another one after their big 'all feature requests on hold, UI redesign, everything will be fixed and much better'-update.
Manager: "The password must be encrypted to store it inside the database."
Me: "Great! No problem."
Manager: "Then it must have a copy of the unencrypted password to send it by email."
(The exact opposite of a rant, yay)
My school gave everyone in my class (and the two other 10th-grade CS classes) these neat 64GB USB sticks.
They are our property (paid for by the fee every student has to pay every year so the school can afford paper for the printers, school books, and other materials such as USB sticks for 10th graders), but we have to keep some files for a lesson on the root of the USB (currently ~900MB).
That's not an issue, personal files go in my _Personal folder anyway.
Of course, I wanted to VeraCrypt all the USB drives I use at school, but since I don't have admin rights at our school and they use Windows 10, I just used BitLocker. Good enough, the only thing I want to achieve with encryption is other students being unable to read data off a lost drive (such as my _Personal data).
Also this stick is hella fast even with BitLocker enabled, 200 MB/s (minus 13 MB/s with BitLocker enabled) sequential r/w speed according to CrystalDiskMark.
Got some good news today, Australia's PM (Malcolm Turnbull) doesn't want a backdoor in encryption! All he wants is "support" from companies to "access" their users' encrypted data.
See the difference?
I don't 😒
Citizens are advised not to use encryption as decrypting data takes too much time and is costly.
Please spread awareness and save money.
Thank you for cooperating, have a nice day :)
Project Manager: You used a hash/salt to encrypt the password in our customer database?
Project Manager: That means we will not be able to see the password?
Me: That's the whole point. Why would you want to see what password a customer is choosing?
Project Manager: Change it. Use a random encryption method.
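The two exchanges above (the manager who wants an unencrypted copy of the password to email, and the PM who wants to see customers' passwords) boil down to the same point: a salted password hash is verified by recomputation, never reversed, and "send the user a link" is done with a fresh one-time token, not the password. This is an added example, not code from either poster; the iteration count and the record format are my own choices.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Tuning choices for this example (assumption): PBKDF2-HMAC-SHA256 with a
# per-user random salt. Raise ITERATIONS as hardware gets faster.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt per user means two users with the same password get
    different records, so precomputed tables are useless and the database
    never reveals which users share a password.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.

    Nothing here recovers the password: the only question the record can
    answer is 'does this candidate produce the same hash'. That is exactly
    why nobody, PM included, can read it back out of the database.
    """
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record, treat as a failed login
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def issue_reset_token() -> tuple:
    """What goes in the email instead of the password: a random one-time token.

    Returns (token_for_email, stored_value). Only the SHA-256 of the token is
    stored, so a copy of the database cannot be used to complete a reset.
    """
    token = secrets.token_urlsafe(32)
    stored = hashlib.sha256(token.encode("ascii")).hexdigest()
    return token, stored


def check_reset_token(token: str, stored: str) -> bool:
    """Constant-time check of a presented token against the stored hash."""
    presented = hashlib.sha256(token.encode("ascii")).hexdigest()
    return hmac.compare_digest(presented, stored)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)                                              # no password in sight
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Correct horse battery staple", record))  # False
    emailed, kept = issue_reset_token()
    print(check_reset_token(emailed, kept))                    # True
```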
I've always wanted to experiment with encryption but never do. This weekend, I'm fucking doing it. Even if I'm just flipping a few bits around, I'm fucking gonna flip those bits like they've never been flipped before and they are gonna FUCKING LIKE IT.
Senior C++ developer:
"Writing a custom encryption algorithm from scratch for our communications platform? Every developer knows that is an absolute no go, cryptography should be left to cryptography veterans!"
Same guy, year later:
"Blockchains? Hold my espresso, I can totally write a whitepaper on cryptography, write some shitty code with nice branding, and get millions from an ICO"
> be me
> install linux on encrypted drive
> takes 8 hours to fill the drive with fake data so there's no chance of data leakage
> save encryption password to phone
> phone doesn't actually save password
> realize you don't have access to pc anymore
> reinstall linux
I fucking love keepassxc.
It's perfect for keeping all the passwords and credentials to mine and my clients' servers and accounts.
It's not exactly an insider tip, but it's amazing software: simple, secure and useful.
(By the way, keepassxc is not a typo, it's a community version of keepassx, which is a linux port of keepass, in case you know it under these names).
Tutanota (encrypted email service) has a newly designed interface.
I usually don't give a crap about design.
It's so beautiful 😍
I think I'm in love 😱
Following a conversation with a fellow devRanter this came to my mind; it happened a year or two ago I think.
Was searching for an online note taking app which also provided open source end to end encryption.
After searching for a while I found something that looked alright (do not remember the URL/site, too bad). They used pretty good open source JS crypto libraries so it seemed very good!
Then I noticed that the site itself did NOT run SSL (putting the https:// in front of the site name resulted in site not found or something similar).
Went to the Q/A section because that's really weird.
Saw the answer to that question:
"Since the notes are end to end encrypted client side anyways, we don't see the point in adding SSL. It's secure enough this way".
I emailed them right away explaining that any party in between their server(s) and the browser could do anything with the request (including the cryptographic JS code) so they should start going onto SSL very very fast.
Too bad I never received a reply.
People, if you ever work with client side crypto, ALWAYS use SSL. Also with valid certs!
The NSA for example has this thing known as the 'Quantum Insert' attack which they can deploy worldwide which basically is an attack where they detect requests being made to servers and reply quickly with their own version of that code which is very probably backdoored.
This attack cannot be performed if you use SSL! (of course only if they don't have your private keys but lets assume that for now)
Luckily Fox-IT (formerly Dutch cyber security company) wrote a Snort (Intrusion Detection System) module for detecting this attack.
Anyways, always use SSL if you do anything at all with crypto/sensitive data! Actually, always use it, but at the very LEAST really do it when you process the above mentioned!
One does not simply encrypt the exam tips and give it to the students in a computer security introductory module.
- devRant TOR rant! -
There is a recent post that just basically says 'fuck TOR' and it catches an unfortunate amount of attention in the wrong way and many people seem to agree with that, so it's about time I rant about a rant!
First of all, TOR never promised encryption. It's just used as an anonymizer tool which will get your request through its nodes and to the original destination it's supposed to arrive at.
Let's assume you're logging in over an unencrypted connection over TOR and your login information was stolen because of a bad exit node. Is your privacy now under threat? Even then, no! Unless of course you had decided to use your personal information for that login data!
And what does that even have to do with the US government having funded this project even if it's 100%? Are we all conspiracy theorists now?
Let's please stop the spread of bs and fear mongering so that we can talk about actual threats and attack vectors on the TOR network. Because we really don't have any other reliable means to stop widely implemented censorship.
Had to give a 15 min presentation on web development. I somehow turned it into me giving a 1 hour lecture on SSL and end-to-end encryption to a bunch of accounting students 😅
Gotta say, I find it awesome that I can connect with some devRanters through encrypted channels.
It's awesome to talk to devRanters with the same mindset through channels that offer a very high level of security/privacy.
Me: *Has 3 difficult exams to study for and hours of work*
Also me: I should try my hand at encryption in Python.
10 years ago, I found a vulnerability in the connection between an insurer I was working for, and the network of databases of municipalities. I was only a hacker in so far as kids who watched Hak5 are considered hackers, so I always carried this laptop with a fake access point, packet sniffer, wep crack, sslstrip, etc with me.
The vulnerabilities allowed me to register a new identity, for which I requested a passport.
Walking up to the town hall desk with two passports with different names, both mine, was pretty cool.
I did not do anything malicious, and was hired to fix the issues (wep encryption on the insurer's trusted wifi, and the municipality postgres gave write access to all third parties)
For a few days I was the coolest kid in school though!
Downloaded Kubuntu because I couldn't seem to be able to boot from a freshly created KDE Neon bootable USB.
Installed it onto my netbook (Lenovo Thinkpad X121E) and it worked great!
But just the fact that somehow the installer froze when trying to setup hdd encryption kept bugging me.
Took a random flash drive which was laying around and put it in to see what would happen. KDE Neon booted just like this and everything worked very well with hdd encryption.
I now have a very secure netbook 😊
Setting up my new second hand thinkpad with Linux Mint KDE.
I just chose harddisk encryption.
My password is so freaking long and complicated and I didn't write it down, so let's start learning this fucker by heart 😅
One of my favourite encryption puzzles is this:
The answer is a plain text string in English. Good luck, post the solution in the comments!
Boy, sure wish I knew about this before putting all of my passwords into LastPass. This looks way more secure. Handwriting in English is pretty much as good as encryption.
It happened 2 nights ago.
We had a WhatsApp-like project for the distributed application programming class. My project mate and I were coding all day for 2 weeks to finish it, especially with the end-to-end encryption feature that the teacher asked for. Till 2 nights ago the project was trash: the private chat wasn't working and nothing else was done, we had only the UI. We were really doomed, especially since we had 1 more day to deliver the software, and we decided to deliver the project as trash and get marks from the UI and the presentation.....
Till the night before deadline at 8 pm
I wanted to try fix some interface pictures and to make it better......
The next thing I knew it was 6 am and the project was fully working..
When I told my project mate he didn't believe me, I had to swear multiple times for him and had to go and show him the project with his own eyes.
We delivered the project and got 22/25 😁😁😁
It was incredible, I didn't believe myself at first.
Sorry for the long story 😓.
You've heard of ROT13, now get ready for ROT26. This new and improved algorithm is TWICE as secure as ROT13 due to letters being shifted /twice/ as much.
There's even an API for this encryption service, for all ease of programming integration needs!
http://api.rot26.org/encrypt/... to encrypt
Can someone please explain to me WHY THE FUCK non devs feel like they know shit. I DON'T GIVE A FUCK ABOUT HOW YOU FOUND SOME UNTRUE SHIT ON GIZMODO. I KNOW SO MUCH ABOUT THIS SHIT, AND YOU LOOKED UP THE FIRST EXAMPLE YOU COULD FIND THAT SUPPORTS YOUR CASE. The most recent time this happened was OVER THE LAST FEW DAYS when this DUMBASS that my friends and I BULLY but HE STILL HANGS AROUND. (By bully, yes sometimes we are mean to him, but we're not out to get him. He comes to us and we don't wanna be with him). So after the SEVENTH groupchat (on two apps) he created that night, HE WANTED TO SWITCH BACK TO ANOTHER APP I SPENT A WEEK TRYING TO GET THEM TO SWITCH FROM PREVIOUSLY (It was WhatsApp, I got them to switch to Telegram). THEN HE TRIED to ARGUE with me about how TELEGRAM wasn't secure. HE SEARCHED "is telegram secure" on Google and chose the FIRST ARTICLE from the previously mentioned GIZMODO, which says that TELEGRAM chats AREN'T ENCRYPTED by DEFAULT. HOW THE FUCK DO DUMBASSES GET THIS KIND OF PUBLICITY. There's a difference between ENCRYPTION and END TO END, DUMBASS. Then he told me WhatsApp is more secure than Telegram. NO IT'S FUCKING NOT. In Telegram, your encryption keys CHANGE every chat, or every 100 messages. To my best research, WhatsApp only has ONE key per USER. I could go on forever about how chat backups in WhatsApp are UNENCRYPTED or how FACEBOOK stores your data, but blocking you works too.
I spent 1h30 splitting a script into two scripts because my file crypter was not functioning inside a script.
I decided to make a separate script only for encryption...
It still didn't work.
I added ONE FUCKIN LINE.
I added 'sleep 1' AND IT WORKED.
LIKE. I COULD HAVE WRITTEN 'SLEEP 1' AND GONE TO SLEEP.
BUT NO. I WROTE A SECOND SCRIPT AND SHIT.
SLEEP IS WHAT I NEEDED FOR THE SCRIPT AND SLEEP IS ALSO WHAT I NEED IRL.
$> sleep 360006
I found this in the code of a non-adult video portal...
Why would they need AES encryption for a pornhub grabber?
PM ordered me to not use encryption for customer authentication links because we want to be able to send the same link if the user loses it. "We have to prioritize usability over security". At least I can tell future hackers it's not my fault..
On the presentation for my database project my team and I showed a NodeJS + Mongo + VueJS project with cloud storage capability, nothing fancy but did everything from scratch (from token auth and system encryption to the frontend CSS and the database) the teacher made some questions and meh'd at it.
Behold team two's project, WordPress with a standard template and phpMyAdmin, teacher loves it because "it's so beautiful"
Guess who just failed that class?
God I love college, it's the best time investment I've ever made and it'll surely pay out.
Discussed my Internet privacy campaign - Google-free, encryption where possible, didn't even mention VPNs - with 2 people and they've both asked, "why, what are you hiding?"
"Why are there so many programming languages? Why don't you guys all just program in binary?" A friend of mine some of you may remember, the same one who decided to select system32 when trying out some encryption software from the internet, and who put a shutdown script in the start up programs
- popunder background bitcoin miners did become a thing
- keybase android beta uploaded your privatekey to google servers "accidentally"
- you can spoof email headers via encoded chars, because most apps literally just render them apparently
- imgur leaked 1.7 million user accounts, protected by sha-256 "The company made sure to note that the compromised account information included only email addresses and passwords" - yeah "only", of course imgur, of course.
I guess the rant I did on Krahk etc. just roughly a month ago, can always be topped by something else.
I’m back for a fucking rant.
My previous post I was happy, I’ve had an interview today and I felt the interviewer acted with integrity and made the role seem worthwhile. Fuck it, here’s the link:
So, since then; the recruiter got in touch: “smashed it son, sending the tech demo your way, if you can get it done this evening that would be amazing”
Obviously I said based on the exact brief I think that’s possible, I’ll take a look and let them know if it isn’t.
Having done loads of these, I know I can usually knock them out and impress in an evening with no trouble.
Here’s where shit gets fucked up; i opened the brief.
I was met with a brief for an MVP using best practice patterns and flexing every muscle with the tech available...
Then I see the requirements, these fucking dicks are after 10 functional requirements averaging an hour a piece.
+TDD so * 1.25,
+DI and dependency inversion principle * 1.1
+CI setup (1h on this platform)
+One ill requirement to use a stored proc in SQL server to return a view (1h)
+UX/UI design consideration using an old tech (1-2h)
+unobtrusive jquery form post validation (2h)
+AES-256 encryption in the db... add 2h for proper testing.
These cunts want me to knock 15-20h of work into their interview tech demo.
I’ve done a lot of these recently, all of them topped out at 3h max.
The job is middling: average package, old tech, not the most exciting or decent work.
The interviewer alluded to his lead being a bit of a dick; one of those “the code comes first” devs.
Here’s where shit gets realer:
They’ve included mock ups in the tech demo brief’s zip... I looked at them to confirm I wasn’t over estimating the job... I wasn’t.
Then I looked at the other files in the fucking zip.
I found 3 of the images they wanted to use were copyright withheld... there’s no way these guys have the right to distribute these.
Then I look in the font folder, it’s a single ttf, downloaded from fucking DA Font... it was published less than 2mo ago, the license file had been removed: free for Personal, anything else; contact me.
There’s no way these guys have any rights to this font, and I’ve never seen a font redistributed legally without it’s accompanying licence files.
This fucking company is constantly talking about its ethical behaviours.
Given that I know what I’m doing; I know it would have taken less time to find free-for-commercial images and use a google font... this sloppy bullshit is beyond me.
Anyway, I said I’d get back to the recruiter, he wasn’t to know and he’s a good guy. I let him know I’d complete the tech demo over the weekend, he’s looked after me and I don’t want him having trouble with his client...
I’ll substitute the copyright fuckery with images I have a license for because there’s no way I’m pushing copyright stolen material to a public github repo.
I’ll also be substituting the topic and leaving a few js bombs in there to ensure they don’t just steal my shit.
Here’s my hypotheses, anyone with any more would be greatly welcomed...
1: the lead dev is just a stuck up arsehole, with no real care for his work and a relaxed view on stealing other people’s.
2: they are looking for 15-20h free work on an MVP they can modify and take to market
3: they are looking for people to turn down this job so they can support someone’s fucking visa.
In any case, it’s a shit show and I’ll just be seeing this as box checking and interview practice...
Arguments for 1: the head told me about his lead's problems within 20 min of the interview.
2: he said his biggest problem was getting products out quickly enough.
3: the recruiter told me they’d been “picky”, and they’re making themselves people who can’t be worked for.
I’m going to knock out the demo, keep it private and protect my work well. It’s going to smash their tits off because I’m a fucking great developer... I’ll make sure I get the offer to keep the recruiter looked after.
Then fuck those guys, I’m fucking livid.
After a wonderful interview experience and a nice introduction to the company I’ve been completely put off...
So here’s the update: if you’re interviewing for a shitty middle level dev position, amongst difficult people, on an out of date stack... you need people to want you, don’t fuck them off.
If they want my time to rush out MVPs, they can pay my day rate.
Fuuuuuuuuck... I typed this out whilst listening to the podcast, I’m glad I’m not the only one dealing with shit.
Oh also; I had a lovely discriminatory as fuck application, personality test and disability request email sent to me from a company that seems like it's still in the 90s. Fuck those guys too, I reported them to the relevant authorities and hope they're made to look at how morally reprehensible their recruitment process is. The law is you don't ask if the job can be done by anyone.
For anyone looking for a quick video conferencing solution, take a look at Jitsi Meet!
Although I'm still unsure about the levels of encryption, it works veeery well!
here are a few things that my teacher said last class.
"public keys are used because they are computationally hard to crack"
"when you connect to a website, your credit card number is encrypted with the public key"
"digital certificates contain all the keys"
"imagine you have a clock with x numbers on it. now, wrap a rope with the length of y around the clock until you run out of rope. where the rope runs out is x mod y"
"crack the code" is a legitimate vocabulary word
we had to learn modulus in an extremely weird way before she told the class that it was just the remainder, but more importantly, we weren't even told why we were learning mod. the only explanation is that "it's used in cryptography"
i honestly doubt she knows what aes is.
to sum it up:
she thinks everything we send to a server is encrypted via the public key.
she thinks *every* public key is inherently hard to crack.
she doesn't know https uses symmetric encryption.
i think that she doesn't know that the authenticity of certificates must be checked.
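The three points at the end of that post (HTTPS encrypts the payload with a symmetric cipher, the public key only serves key exchange and authentication, and certificates must actually be checked), and the earlier note-taking-app post about shipping crypto JS over plain HTTP, can be checked offline against what a stock TLS client enforces. This is an added example, not from either poster; it only inspects Python's default `ssl` context and opens no connection.

```python
import ssl


def default_verification_settings() -> dict:
    """What ssl.create_default_context() enforces for a client before any
    application data (a credit card number, or the crypto JS of a notes app)
    is sent: the peer certificate must chain to a trusted CA
    (CERT_REQUIRED) and its name must match the host we asked for
    (check_hostname). Without both, a party in the middle can serve its own
    certificate and its own version of the page."""
    ctx = ssl.create_default_context()
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode,
        "requires_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


def cipher_suite_roles() -> list:
    """Split each cipher suite the default context would offer into the three
    jobs TLS separates: key exchange (kea), peer authentication (auth) and
    the bulk symmetric cipher that encrypts the payload (symmetric).

    The public key of the server only shows up in the first two columns; the
    data itself travels under the third one (AES-GCM, ChaCha20-Poly1305, ...).
    """
    ctx = ssl.create_default_context()
    return [
        {
            "name": c["name"],
            "kea": c["kea"],            # e.g. 'kx-ecdhe' or 'kx-any' for TLS 1.3
            "auth": c["auth"],          # e.g. 'auth-rsa', 'auth-ecdsa', 'auth-any'
            "symmetric": c["symmetric"],  # e.g. 'aes-256-gcm', 'chacha20-poly1305'
        }
        for c in ctx.get_ciphers()
    ]


def bulk_ciphers_are_symmetric(suites=None) -> bool:
    """True when no offered suite uses a public-key algorithm as its bulk
    cipher, i.e. 'everything is encrypted with the public key' is wrong for
    every single suite a default client would negotiate."""
    suites = cipher_suite_roles() if suites is None else suites
    public_key_algorithms = {"rsa", "dsa", "ecdsa", "dh", "ecdh"}
    return bool(suites) and all(
        s["symmetric"] is not None
        and s["symmetric"].split("-")[0].lower() not in public_key_algorithms
        for s in suites
    )


if __name__ == "__main__":
    print(default_verification_settings())
    for suite in cipher_suite_roles():
        print(f"{suite['name']:<32} kx={suite['kea']:<10} "
              f"auth={suite['auth']:<12} bulk={suite['symmetric']}")
    print("bulk encryption is symmetric in every suite:", bulk_ciphers_are_symmetric())
```

A client that wants to be as careless as the notes site would have to opt out explicitly (`ctx.check_hostname = False` and `ctx.verify_mode = ssl.CERT_NONE`), which is what those two settings exist to make visible in code review.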
Should I actually look into getting a dev job..?
*I have a high school diploma (graduated three years early)
*College dropout (3-4 months, Computer Science - Personal Reasons)
*No prior work experience.
*Good textual communication skills, poor verbal communication skills.
*Currently unemployed. (NEET :P)
*I have extensive personal experience with Java, and Python. Some Lua. Knowledge of data generation, parsing, Linux, Windows, Terminal(cmd & bash), & Encryption(Ciphers).
*Math, but very little algebra/geometry (though, could easily improve these).
*Work best under pressure.
Think anyone would hire me..?
Update on my quest for encryption!
For the (large number) people that don't know, I want to use encryption for (almost) everything / actually give a shit about internet privacy... And I want it done by 2018.
So.. here is my progress so far:
I have signal
I now have an @tuta.io email.
I have a complex, long password.
I am using blankslate.io instead of Google docs (except for school)
I run important stuff through Tor or a VPN or both
I have a firewall running on Android.
Any more suggestions on what to do or things to change??
Not dev related but still a rant:
My company decided that all the network traffic should go through a virus scanner. But they don't know what the fuck they are doing, so now EVERY valid SSL cert gets rejected by our browsers because the virus scanner breaks the SSL encryption.
Anyone open for a phishing attack?8
Today I was continuing my Ruby script for file encryption.
I added some features like Picture Encryption and Bookmarks.
Then I tried to start it to make sure it doesn't fuck up.
No changes reflected.
Browses SO and DDG like a maniac
Guess what happened.
My shell was in the wrong folder and I ran the old testing script.
"Ultron brings to you the best in security and encryption, directly taken from IE 5.5."
After working for this company for only a couple years, I was tasked with designing and implementing the entire system for credit card encryption and storage and token management. I got it done, got it working, spent all day Sunday updating our system and updating the encryption on our existing data, then released it.
It wasn't long into Monday before we started getting calls from our clients not being able to void or credit payments once they had processed. Looking through the logs, I found the problem was tokens were getting crossed between companies, resulting in the wrong companies getting the wrong tokens. I was terrified. Fortunately I had included safeguards tying each token to a specific company, so they were not able to process the wrong cards. We fixed it that night.2
A Bank Account Number is like a public encryption key. Any random person needs it to send me money. Why does it seem like banks treat it as a secret or even use it to confirm my identity? It's literally printed in plain text on every check.2
Continuation of https://devrant.com/rants/642962/...
You are the decryption key to my encryption,
No one can access my heart except you.
You are the loop in my life,
I always keep coming back to you.
You are my nodemon,
You are always watching over me.
You are the / to everything I do,
Am nothing without you and I will always preserve you.
You are my increment operator,
You add value to my life.
To be continued 😉3
Seriously, long live government shit!
So here's the thing - for my stolen bike they offer this website for found ones. Great! Checked for my frame ID and it's not found. Apparently they can offer e-mail notifications once that bike is found.
So on that insecure site I give my email address (my personal mail server which enforces TLS 1.2).. And I intercepted that data in Burp Suite. Turns out that those fuckers not only POST that mail address in plain, they can't even send a FUCKING ENCRYPTED NOTIFICATION MAIL!!
Long live the fucking government...5
Registered an account with a local pizza business and rated them 5* on Yell moments before checking my email and finding they had emailed me my unencrypted password, GREAT NOW I WON'T BE ABLE TO EAT5
Google researchers break SHA-1. In the next 90 days they will release the code that was used to break this encryption.
Are we fucked?5
When I had just started making things in PHP, I always thought that md5 encryption was the best thing out there.. Once I learned that it was the easiest way to break I changed to SHA1. What was I thinking? I now use a custom generated SALT for each user and encrypt with SHA512, should be safe for a while, right?10
Today I started coding an encryption algorithm I'm calling Aepples (apples)!! I'll let all of you know how it goes!8
Linux is shit, OSX and iOS are trash, windows is the only OS that actually works, open source is always inferior to closed source, if you use VPN or encryption you're a criminal, java is slow, vim worse than nano, ..
Now that I've got your attention and you probably raged and downvoted.
Downvotes don't actually work on devrant. (not a bug)
This has been going on for months already - why have that function to begin with, if it's just not fucking working? The usual answer to people throwing a fit is "just downvote it", WHY? It doesn't fucking work.
For a while specific options while downvoting DID actually work, but now all of the downvote options are just straight trashed and ignored. They are saved, don't get me wrong (or else it would be too obvious), but they don't affect any of the scores at all.
I understand mass bot downvoting should be prevented, but why take away anyone's voice by completely ignoring downvotes? I really don't get it, it's not "punishing" the creator of said post or comment, it's simply reflecting what the users actually think of said comment or post; it boils my blood that that's even a thing, I am honestly disappointed.
Why should downvoting something also hide it from the feed (especially on the "recent" filter)? At least let me fucking decide what I want on my feed via an option then. What if I don't agree with a rant, downvote it, but then want to see what others thought of it? How am I supposed to find it again?24
Many people / engineers around me talk about trendy stuff like Cybersecurity or AI and show off what great encryption and neural networks they 'have built' (I would rather say 'using').
I kinda get the feeling of 'Everybody talks about it - no one really knows what's goin' on inside (especially those guys who hate math and even algorithms).'
Am I just stupid or does somebody else here feel the same way? I mean people have been doing serious research about this stuff for years. And currently many kids are coming up with it as if it is easy stuff like the bubble sort.7
I have a mate who downloaded encryption software that he somehow managed to use to encrypt almost every system file in windows, now the entire thing is fucked, like how can anyone be that stupid? Like before he even did that he tried encrypting the .exe of the encryption software and guess how that went6
Ever encrypt files on a USB drive before?
Ever do that then forget the password you used for the encryption?
Computer engineering : Insanity!!!
Today a friend of mine was assigned to make a Client-Server Encryption using Sockets. The guy did a great job applying the BlowFish algorithm, but the teacher was disappointed because she couldn't map letters to the encrypted text and she declared the program to be wrong!!!2
In my ongoing quest to un-Google my life, I turned off the Whatsapp chat back up, which uses Google Drive. There's a message in that setting which says, "Media and messages you back up are not protected by Whatsapp end-to-end encryption while in Google drive".
All my Whatsapp chats for years have been on Google servers in plaintext.
I assumed it uploaded one massive encrypted archive.13
Tinfoil hat time!
So, for this scenario we assume a world war is in full swing, and all communications are either completely out or extremely monitored.
Additionally, no servers can be trusted and no ISPs can be trusted. Even when downloading software you cannot know if the software you got is tampered or not.
You have to send a message to a recipient you cannot physically contact, and you have to make sure he and only he gets the message, otherwise nukes are deployed and we all die. The message has to arrive within 3 months or else it's too late.
Is it possible? If yes, how?18
When you spend 6 hours figuring out how to best encrypt/decrypt your unimportant website cookies just because you don't want people to see how bad you are at naming stuff :x
A website I made years ago: you just needed to change the URL to be logged in as admin, and no encryption2
Had a couple occasions to feel like a badass, recently.
I'm the only programming polyglot on the team. They've been wrestling with an encryption problem. I crack open C, make a few calls to wincrypt (yes, I'm sorry, we're a Windows company) and give them a dll they can call in their IDE. They were stunned by how fast it was.
Last week, my manager asked if I could put together a communications module for our flagship software.
Him: will 3 months be enough time?
On Monday, I had an alpha of the module ready, and a standalone simulator of the module, and a couple different examples of how to communicate with it written out in python.3
I don't understand this android disk encryption. I encrypted it (and I confirmed that it's fully encrypted via app) BUT when I connect it to my pc I can see the files just fine. When I tried moving a file it said that my phone was "busy" though, but I can still open pictures and folders etc... So I don't really get the point. Let's say if someone stole my phone and plugged my phone in, they would still be able to look through everything. The only way to prevent this is to shutdown the phone, but it's not like I want to turn my phone off every time I go outside.20
Don't you just hate ignorance of others? I sure do. Don't you just hate when you try to tell someone something, but the person on the receiving end is like "Well, it's not my job, so I cannot relate, so I am not going to listen to you at all."
Now, let's talk about a little thing called PRIVACY. Whenever people ask me "Why do you not use Google Chrome, but you use Firefox instead?" I always answer "Because it does not compromise your online privacy as much." But, those idiots never listen. The same goes with me being in favor of Unix-like systems such as MacOS and Linux. But they for some idiotic reason do not care for online privacy. They go for the "convenience". I know Google uses the data it collects to "help" you find better results. But the problem is that you do not get a say in the choice that the algorithm makes. Also, I know Google might say "Oh, we never look at your files and your information," and it is indeed true that most of the time when you try to research the cons of Google using Google, only the pros of Google will pop up. Now, if I go onto DuckDuckGo or Bing or even Yahoo!, the results are going to be quite different. I have been using Gmail since about 2011. I have not switched, mainly because of YouTube and because I have been using it for so long. True, I have two other accounts, which are AOL and Hotmail, but I barely use them, and when I am 100% concerned about my privacy, I am probably going to switch to AOL.
You might think that it is hypocritical of me to use Gmail, but have you ever tried switching from an email address that you have been using for years? It is hard. So I do the next best thing, and encrypt my emails whenever possible (GOD BLESS PGP). I know Google says that it encrypts the emails itself, but how can I trust such an advertisement monopoly? I mean, the encryption means nothing if they have the secret key; if needed, they'll just decrypt my email and read the fucking thing. That's why I have my own set of public and private keys, and I recommend that you, too, encrypt your emails, especially any sensitive data that you ever send. I am also buying a web camera cover, because I really do not trust the folks at the NSA and the CIA and all the other three-letter government agencies. But people always tell me "But how can I be significant to the government, I have nothing to hide," which is a fucking lie, EVERYONE HAS GOT SOMETHING TO HIDE. There cannot be freedom of speech if the government constantly sees what you're saying. I wish there were more people in the world like Snowden :/6
/* made an encryption app */
Developers and Designers and folks try it.. It's called Crypten
Ok guys I need advice, haven't posted in a long time.
A professor is asking my team to build a Java application that runs on a server with a very specific tech stack (database, container, encryption, use-case and UI design). It's basically a fully fledged app that I know would cost somebody hundreds if not thousands to buy. The thing is I'm getting the feeling he's using us to write this code and then later distribute it while all we get is 20/100 points we need to pass the course. I heard rumors...
So what I wanna do is throw it on github (he's obviously expecting me to open source it at which point he forks it and bam!) and slap the most restrictive license on it. Now I don't have much experience with licensing or this sort of thing... any advice? I want to be able to go at his throat if I ever find out he used my code which I'm supposed to spend 3 weeks writing for free for a fucking "uni" project that's worth a fifth of my grade in that one semester course!29
Hmm...recently I've seen an increase in the idea of raising security awareness at a user level...but really now, it gets me thinking, why not raise security awareness at a coding level? Just having one guy do encryption and encoding most certainly isn't enough for an app to be considered secure. In this day and age where most apps are web based and some of them even open source, I think that first of all it should be our duty to protect the customer/consumer rather than make him protect himself. Most everyone knows how to get user input from the UI, but how many out here actually think that the normal dummy user might actually type unintentional malicious code which would break the app or give him access to something he shouldn't be allowed into? I've seen very few developers/software architects/engineers actually take the blame for insecure code. I've seen people build apps starting on an unacceptable idea security-wise and then in the end thinking of patching in filters, encryptions, encodings, tokens, and days before release realise that their app is half broken because they didn't start the whole project in a more secure way for the user.
Just my two cents...we as devs should be more aware of coding in a way that makes apps more secure from and for the user rather than saying that we had some epic mythical hackers pull all the user tables that also contained unhashed, unencrypted passwords by using magic. It certainly isn't magic, it's just our bad coding that lets outside code interact with our own code.
CS Teacher today:
"Transport Layer provides Security and Encryption to the communication" (TCP/IP stack)
me: WTF? Encryption is provided on the *top* of the transport layer (aka Application) ( and below [Network Layer] there is IPsec)
Teacher: no, it's wrong.
me: so Wikipedia is wrong, RFC 5246 is wrong, and you are right?
me: Ok. (aka fuck you!)4
Me: "I'll use my old laptop as a server to access via SSH to do my Docker Tests. I don't wanna use Keyboard and Screen. So, I'll set up Debian Server"
Also me: "Oh, full disk encryption with a preboot Login required. That's such a GOOD idea"
Introducing: Stupid me 🤗
Hmmmm it's almost new year, I'm finally having holidays from school and all that stuff but still working on ROMs, but well, another story, and I don't have a thing to rant about, which I think is kinda good but sad at the same time.
So all I wanted to say to you guys is that 2017 was an amazing year full of learning new stuff and trying, meeting some cool people.
I have done a lot of work this year.
Created a sort algo which, well, was already created but I didn't know that sadly.
Working on encryption algo (Still)
And lot more but thats not what the rant is about.
It was as i said above an amazing year and im sure we had a loooooooot of fun at devRant.
Some big changes happened this year at devRant mostly the web UI and livestream which was totally amazing.
Also a lot of things happened here, loooooot of awesome things, and I finally updated my fucking Firefox extension for the 57 standard (Yeah I was late on that one).
I surely would have said more but nothing comes to my mind now, only some quantum mechanics stuff, but well, that's not what the rant is about either.
So Happy New Year to all of you guys and let 2018 be more awesome than 2017;5
What's wrong with the idea of having a huge computational network like in Watch Dogs to bruteforce encryption ?
I mean, suppose you have 500 or more million cores, how long does it actually take to bruteforce a 256 bit key?22
An identity platform where you can find each other, get the other's public key and preferred contact method. And the entire key exchange and choice of contact method are negotiated automatically. No vendor lock in, encryption happens on your own device. Effortlessly and securely communicating, no searching for skype name, email, phone number, setting up shit. It would just work.7
When you do a login encryption using AES, rot13, Base64, rot13...
AES Password is also encrypted using rot13, Base64, rot13.
AND SOMEHOW IT DOESN'T WORK FOR EVERYONE.
Remember kids when setting up data security, don't be an Equifax.
Since they can't honestly answer yes to the data at rest question, it probably means the resting data was not encrypted.
How did these guys get put in charge? This is a basic data security standard.
Fucking christ this year is a fucking shitfest:
- wpa2 krack
- "DUHK Attack Lets Hackers Recover Encryption Key Used in VPNs & Web Sessions"
- "Hacker Hijacks CoinHive's DNS to Mine Cryptocurrency Using Thousands of Websites"
- "Bad Rabbit: New Ransomware Attack Rapidly Spreading Across Europe"
My fucking router didn't yet get patched, my fucking phone is outdated and I can't change to my patched one because devrant just shits the bed in extended desktop mode. Windows 8.1 loses support in 3 months, rendering my last chance of using it on my surface pro done, making me use windows 10 with its fucking shit ass not optimized tablet interface. I have just fucking constant paranoia what else could be hacked tomorrow, nothing is fucking safe anymore for fucks sake. I even went as far as implement 3 step auth and intrusion detection on my shitty ass VPS nodes, fucking give me a break you fucking assholes.6
2nd year programming professionally I designed, coded, and released a PCI compliant credit card encryption system, including updating all 7 million records (at the time) in our existing database to utilize the new system. By some miracle, it worked with only one small hiccup (see previous rant).
Who would be interested in reviewing an old piece of Python code I wrote..? It's a few years old, and it uses basic procedural generation to cypher text (entry, or ASCII files) using a hashed password. It's a command line tool.
I used to brag about how "secure" it was, and now I'm curious if it is secure or not.
I plan on picking it back up and open-sourcing it, but I want to know what problems might be wrong with it now.10
University assignment asks to create some encryption harder to break than Caesar Cypher. So I decided to go online and look for some tips on making a somewhat decent algorithm.
Universal answer: don't do it
Well then, night off I guess 😎2
I just saw this on a website. Good to know that they use some kind of jQuery draggable plugin for encryption.2
Trainee accidentally said md5 is an encryption... Gave him the "functional specification of OpenPGP on ISO Smartcards". He learns OpenPGP now, before he reads that I hope.
The coolest project I ever worked on wasn't programming per se, though it involved a bit of scripting. The company I worked for had an FTP over TLS backup solution and it was put together with glue and paperclips by a guy that hadn't the slightest idea what he was doing. In order to conform with the insurance, data had to be encrypted. I set up a RAID server with full disk encryption on the RAID volume that fetched the key over the network at boot from another secure server. I wrote a series of scripts for provisioning users and so on. The backup connection was SFTP over an SSH tunnel, the users were chrooted to their own home directories, and were unable to open shells. The system was 100x more robust and secure than the original. I set it up on short notice and received absolutely no recognition for saving the company's ass, but it was definitely a fun project.1
They tell me to only review security in the security reviews I'm doing (and if I bring to attention that they're implementing a weak encryption so even though they're not using it at the moment it might cause issues so be careful with that they say to only review security 😵) and then I see this mssql in a where:
AND ISNULL(field, 0) IS NULL
And I think wtf, should I report that? I did and it's a bug and they're thanking me now....
God dammit it's hard to "review security" here...3
Anybody that uses GPG for email encryption might want to read this:
This sheds a bit more light on what's actually going on.
It's not really GPG that's affected but the E-mail client plugins.6
So, my network security faculty thinks s/mime is secure multipurpose internet message encryption. And ssh is secure socket header.
Time to leave the class. 😭1
A couple of words on the school that I attended and will probably never go back to.
So their learning platform Moodle had this issue (like many school sites do) of not having SSL encryption. At the beginning I just encouraged them to add it to the site, for a couple months. But recently I got so tired of their inaction, that I made a little video of what the results of a successful MiTM attack would look like with ARP poisoning. Sent them the video with the results and most examples of all the other evil shit one could do with it.. Of course with a disclaimer saying that the tests were conducted on devices that I legally own.
Now you'd expect any sane sysadmin - after they actually encouraged me to make that PoC - to thank me for submitting the report and get on it ASAP.. right? Not in this case.
What they did (probably out of sheer shame and inexperience in the security field) is they blocked my VPN server from accessing their online learning platform. Literally the only line of defense that I had in my arsenal to at least protect myself from their fuck-up. And of course mocked me for not being able to use the VPN anymore. KNOW YOUR PLACE FUCKERS!! You are the one who made the mistake, not me! If your fucking pride is more important than your students' security while they're taking your "cybar sekuriti" course, I would be crazy to further waste my time on it.
Especially considering that the teacher of that course can't distinguish between stenography and steganography!! Oh and don't even get me started on the claim that SHA1 (a hash function) is cryptography!
Or the other sysadmin who claims to have worked at a Belgian IXP, who does his logging with a fucking GUI for tcpdump, and showed us a root login to one of the local servers "for impression purposes"?! Give me a break, fucking n00bstickles. I will continue straight into the CCNA, without further being led astray with your fucking shit "preparation course"!13
Coolest bug is less of a bug and more of a feature. I've been working on a medical app and I used an open source backend which had almost everything I needed. To be hipaa compliant you have to encrypt all sensitive data - full db encryption was not something this backend was capable of.
So my solution was to encrypt the data on the client side and create a secondary server - that can only be accessed on my app server - to store and retrieve the keys.
If anyone's thinking of working on a HIPAA project - you're welcome
While attempting to quit smoking and after spending a full day trying to understand why the previous devs took this approach to encrypting a string and my lack of nicotine addled brain not allowing me to see that this was a “Secure”String and so uses a machine specific key (that’s why the code that worked locally wouldn’t run on production 😑) this is my rant on comments added to the helper I had to write
/// If you are using this class and it's not for backward compatibility - then you probably shouldn't be using it
/// Nothing good comes from "Secure" strings
/// Further to this Secure strings are only "useful" for single user crypto as the encryption uses the login creds, transferring
/// this data to another client will result in them never being able to decrypt it
/// Windows uses the user's login password to generate a master key.
/// This master key is protected using the user's password and then stored along with the user's profile.
/// This master key then gets used to derive a number of other keys and it's these other keys that are used to protect the data.
/// This is also a broken crypto method via injection (see Hawkeye http://hawkeye.codeplex.com/) plus the string is stored in plain
/// text in memory, along with numerous other reasons not to use it.
public class SecureStringHelper
Me: Ok, we'll implement that message tech. But since the clients are servers in that architecture and can't speak IPv6 we have to use a dedicated VPN so the endpoint is able to connect to the servers (clients). Since we have limited network resources we should use VPN cert-encryption and send the actual data plain to save at least some overhead.
Boss: Ok! Let's do it!
Boss: Hey! I talked to a guy from that message tech. Their encryption is certified. We should use that instead and get rid of the VPN to save the overhead!
Me: *unable to say a word*
What in "VPN in that architecture is mandatory" is unclear?
Well, I assume we'll kill the architecture then... Fun Time!
I want to cry... Fuck it.. shiit. .. :( :( ;(
Wasted half of the weekend setting up MySQL on my vServer with SSL encryption, specific users and so on.
Thought: well, the user mysql is not such a good name. Drop it, you don't need it.
What did I do? Instead of DROP USER mysql, I typed DROP DATABASE mysql.
Fuck that fucking shit. I'm so sad right now. Broke the complete MySQL database. Nothing is working anymore. And the server is new, I had just made one backup. Deleted it a few hours ago.. also accidentally.
Help me :( Shit :( so sad :( Now, I don't have Motivation anymore to work with the vServer :(3
Guys which fucken anti-virus do you recommend for free, which doesn't throw around with ads like crazy?😵
I know this might kinda start a war and some of you want me to use linux.
Sadly, win10 is a must.😛
Girlfriend managed to catch some encryption fuck-up..
I made her use sophos home before, but it seems like sophos isn't self-acting enough..
I hope you have some ideas..27
Tomorrow I'll write an exam in programming. I've been coding since I was 11 years old and as soon as I got to that stupid programming class in school I felt bored. My teacher is a former encryption expert and thinks I'm too good for that stupid school. Well at least I am ready for the exam... That shit is so boring in class 😂2
If you're having a bad day, think about the fact that BuzzFeed reporters have PGP keys for confidential tips4
If I made an app where you keep password hints so you can remember the password yourself, is it fair to say the encryption is your memory?1
Not a rant, just the completion of a very demanding and interesting task for this week.
Wrote a whole data scheme for this enterprise app my company is developing. Very proud of it, since it has a very restricted size, multiple layers of encryption and data verification, several user types with different requirements, and it all has to be rock solid in an offline environment.
The punchline is...I enjoyed writing the documentation for the whole package more than I should, I guess...spent the whole day being very thorough and documenting every member, function, constructor and exception.
A hidden page that you enter a user name and it displays the encrypted and unencrypted versions of their password... It was quickly deleted after I stumbled across it. I assume it was to test a homemade encryption algorithm that wasn't worth much anyway, passwords shouldn't be reversible
I am not the dev of this app, it's just really cool
Some of you may want total security, like full disk encryption. But, you don't want to have to type a long password at startup. So you may have resorted to a really weak 5 char password. Well my friends, a generous developer has come to your rescue.
Meet Authorizer https://f-droid.org/app/... of the best password managers in existence. It can fake a keyboard so you can use the longest password your heart desires at any time. Happy encrypting!3
So I went for a "special" interview to a company whose slogan is "experience certainty" (fresher, was hoping to get a role in cyber security/Linux sysadmin). Got shown what the "real" hiring process of an indian consultancy company is...
We were called because we cleared a rank of the coding competition which the company holds on a yearly basis, so its understood that we know how to code.
3 rounds; technical, managerial and HR...
Technical is where I knew that I was signing up for complete bullshit. The interviewer asks me to write an algo to generate a "number pyramid". Finished it in 7 minutes, 6-ish lines of (pseudo) code (which resembled python). As I explained the logic to the guy, he kept giving me this bewildered look, so I asked him what happened. He asks me about the simplest part of the logic, and proceeds to ask even dumber questions...
Ultimately I managed to get through his thick skull and answer some other nontechnical questions. He then asks if I have anything to ask him...
I ask him about what he does.
Him - " I am currently working on a project wherein the client is a big American bank as the technical lead "
Me (interest is cybersec) - "oh, then you must be knowing about the data protection and other security mechanisms (encryption, SSL, etc.)"
Him (bewildered look on face) - "no, I mostly handle the connectivity between the portal and data and the interface."
Me (disappointed) - "so, mostly DB, stuff?"
Him (smug and proud) - "yeup"
Gave him a link to my Github repo. Left the cabin. Proceeded to managerial interview (the stereotypical PM asshats)
Never did I think I'd be happy to not get a job offer...1
My worst coding mistake
In my last project for the distributed application programming course, I was working on encryption for messaging between two users. The mistake was that after decrypting the message you should trim it, and I was trimming before, which corrupted the message. This mistake cost me 2 weeks of delay since I couldn't find the problem. The code was like this
Where it was supposed to be
>Le me signing up for steemit, because reasons.
>Me confused about why I can't sign in.
>"Signup requests can take up to 7 days to be processed, but usually complete in a day or two."
In university, I got really into cryptography. I wrote software that was testing the entropy of lots and lots of HTTPS encrypted packets, for sites that also supported HTTP. Meant that I had a pretty good idea what the plaintext was, and the quality of the encryption algorithms used. In the end, I got into lots of trouble with my university because apparently what I was doing could be deemed 'dangerous'! Never felt more like a hacker in my life.
I sincerely hope the tragedy in Manchester won't be used as a pretext by our technically inept politicians to push through crackdowns on encryption and further surveillance.3
Recently we started to encrypt all our PHP code.
To hide the code that we use to unauthorized people.
A new intern deleted ALL the encrypted and unencrypted files from all the servers (also our backup server) saying
"I thought it was a Cryptolocker".
Now I can fucking start to find it all back and maybe even recreate our system and fucking crypt everything again.6
So when it comes to password encryption in php, I've learned to use password_hash($password, PASSWORD_BCRYPT); // Blowfish
Anybody else use this? What do you php lovers like to use?4
# NEED SUGGESTIONS
I am working on a secure end to end encrypted note taking web application. I am the sole developer and working on weekends and will make it open source.
The contents you save will be end to end encrypted, and server won't save the key, so even I can't read or NSA or CIA.
So I wanted to know if the idea is good? There are a lot of traditional note sharing apps like Google Keep and Evernote. But they store your stuff in plaintext. So as a user will you switch to this secure solution?15
Latest promoted thread on XDA to make the list:
"how to disable forced encryption".
This is from a place that tries to be innovative. I'm half expecting a thread to get promoted with the title "how to give everyone your passwords/identity/credit cards".
Oh dear, Amber Rudd has encryption in her sights again. And still doesn't seem to understand what it is.
I am trying to "invent" secure client-side authentication where all data is stored in the browser encrypted and only accessible with the correct password. My question is, what is your opinion of my idea? If you think it is not secure or there is a possible backdoor, let me know.
- test string (hidden, random, random length)
- password again
- hash test string with sha-512
- encrypt test string with password
- save hash of test string
- decrypt test string
- hash decrypted string with sha-512
- compare hashes
- create password hash with sha-512 (and delete the password from memory, so you cannot get it somehow - possible hole here because the hash is reversible with brute force)
// DATA PROCESSING
- encrypt/decrypt with password hash as secret (AES-256)
EDIT: Maybe some salt for test string would be nice9
I'd like to locally encrypt files before syncing them with the cloud; what's the "best" software available for this?
I'm currently switching to STACK as my cloud service (it's a file hosting service for Dutch people that offers 1TB of free storage).
But I don't feel fully comfortable with them having access to all my personal data.
So I came to the conclusion that it would be best to locally encrypt files before syncing them with STACK. I DuckDuckGo'd it, but there seems to be a lot of software available for this, so I'm not sure which one to use.
Which one could you recommend? I'd prefer free software, but I'm okay with paying as long as it isn't too expensive.9
I'm going through a KhanAcademy course learning about cryptography. I learn better by doing, so I wrote a script. It shifts bytes up depending on a random int produced by a high-entropy pseudo-random number generator using a sha256 hash as the seed. I'm trying to find information on the flaws with this method that led us to create DES, and then AES.
I'm curious, how many of you ranters out there studied Math at an advanced level to become proficient at programming? Is there a particular field of Mathematics that would improve my programming skill?
Context: I come across a lot of Math I don't understand/never encountered when researching topics such as encryption, hashing, geospatial data handling and randomness. Was wondering if I missed out on some key learning that would make these topics a lot less mysterious. Also, I overheard someone coming up with a mathematical formula to base an algorithm on. I don't think I've ever come up with algos this way.6
I started an e2e encrypted Dropbox clone, meaning file names and contents get encrypted client side prior to uploading. It also has a fairly advanced system for sharing links to files etc. But I got stuck at PDF previews which can't be generated on the server cause the file can't be decrypted there and I never finished it.2
Writing a PHP (yes I know) login system for some personal projects. I'm looking at secure storage of credentials, specifically encryption algorithms. Obviously, I want to use something secure, but hopefully at least somewhat future-proof. I've been told that Blowfish could be a great option, but do you wonderful people have any other suggestions?3
I've been considering mailbox.org for my email and cloud office requirements, but so few reviews exist online so I hope some of you have experience you can share.
I currently use Gmail and Google Docs, Sheets, Drive, and Slides. Ideally I need to replace all of these. Here are my requirements:
- A service I pay for with money instead of personal data
- Personal email service
- An online office suite for documents, spreadsheets, file storage
- able to send encrypted email (almost no one I know can use encryption)
- open source software stack
- Android apps
- Cloud presentation software (Slides replacement)
I don't have the time or resources to set up my own email server or cloud.
I'd like to hear from anyone with mailbox.org experience, or other services that meet the above requirements.12
At the moment I'm working on a simple RAT, for learning purposes, written in Go.
Now simple command execution works and I want to implement an encrypted connection between the client and the C&C server.
I know Go has some kind of TLS in its standard library, but is it really usable, or would it be easier to just implement my own simple encryption module with some RSA and AES?
That short moment of fear when Windows restarts during boot without apparent reason and you think the last Windows update messed with the hard drive encryption1
When someone tells you their app is 100% secure just because they use E2E encryption but using the Authorization header is too complex..2
When you keep telling your boss that you remade one of their sites so that it has BCrypt (currently uses SHA-512), CSRF checks, stricter Auth/Cookie encryption and that we should swap it in, and all he says is we will get to it.
wot n tarnation-_-2
FUCK YOU hash_hmac and your stupid fucking $raw_output = false default...UGHHHHHHHHHHHHHHHH
A while back I had to do an assignment in university. It was the second one for that module, the first one being a simple encryption program with a GUI. We were supposed to write a simplistic client-server chat program. I was sick on the day we got it assigned so I asked a friend if he knew someone who didn't have a partner yet. So I came to know the worst project partner I ever had. We had 2 months. The plan was to slack off the first month by doing only research. Now, yes, I got really sick and was on 3 meds.
He said he would work with the tutors and meet someone to help him with his part (the client, which was more GUI focused). I explained to him how to use git and went to get healthy again. When I came back I asked the professor for 1 more week. I came back noticing that git wasn't set up, he never met with anyone and had nothing. He didn't even set up git. I ended up taking over parts of his work.
On the day of the presentation the only code he had were a few single random lines he copied from the first assignment. I had to explain the 4 git commands we needed 5 more times. He didn't even understand what we were supposed to do.
HE COPIED SINGLE LINES FROM THE FIRST ASSIGNMENT!!!
No idea of the concept, of GUI, threading or anything. He couldn't even write a "hello world"......
To this day I have no idea how he even managed to pass the prior programming exams.
I mean....he only copied single lines from a completely unrelated program....there was the beginning of a for-loop randomly in the middle, just a fucking half-written loop, not even the second } was anywhere.
TL;DR Is Telegram really secure?
Some people say Telegram is the most secure and safe messenger, some say it's not. If you're familiar with it you may know from the news that Telegram did not give its clients' info to the government, you may have heard that Telegram's encryption is not the best one, BUT my question is does it store people's private chats' keys? Actually it does with normal chats because if you reinstall Telegram you can easily get normal chats' messages. Also my friend said that any application in mobile stores like the App Store signs an agreement with the store's owner company that if some conditions are met, the application owner has to share info on its clients. So dear friends what do you think, should I continue using Telegram)?
P.S. sorry for my not-the-best English9
[...] All session data is encrypted using (salted) AES-256, the same encryption algorithm used by the U.S. Government to protect TOP SECRET data. [...]
FUCK!! But perfect for Netflix!! ;)4
A python solution for Digital Ocean backups using Dropbox, including encryption and logging.
Any feedback, suggestions, or pull requests would be welcome! :)6
I had to choose a subject for a math project. So I selected encryption (elliptic curve). I decided to make an interactive demo website. First time working with node, websockets, large numbers and LaTeX. Most fun project I ever did. I am still proud of the result and how fast I did it (~3 weeks)
What are the thoughts of privacy conscious people about quantum computers? As far as I understand current TLS version encryption method is vulnerable to quantum computers, thus if your ISP or other agencies store all your traffic data right now, they'll be able to decrypt it after gaining access to quantum computers.
One way to secure your privacy would be to use your own VPN that uses encryption method that is quantum-resistant, but again the VPN would be using TLS to connect to the Internet.7
When you wake up on a sat, log in to your emails to share with your bosses a new hacking framework just out that can decode encrypted strings, and no one replies because it's the weekend
So, in my second semester of CS I had a class about OS and the way they work. The professor made us do presentations every two weeks (we were basically giving the class...).
For full points we had to have the presentation, an example (video or pictures), and an activity.
My team was one of the last presentations of the first round (iirc there were 5 rounds). I was in charge of the activity, so I decided to create a program to make it fun (and learned a new language along the way). Thanks to this the professor gave us extra credit because we were the first team that ever did that.
My classmates decided that it was a good idea to follow my idea and a couple of teams started to code their activities too. At the end of the semester almost every team had a program as their activity...
But the professor didn't give them extra credit because it wasn't a novelty anymore. :D
In another round, my team got encryption as a topic. By then I was already a Linux user and I knew a thing or two about encryption, so I decided to do the example in real time showing how to encrypt and decrypt using the command line. Once again we received extra credit because of it. :D
At the end of the semester the professor offered me a job as a developer, but I couldn't take it since I moved out of the country the next month :(
I've tried various ciphers to get the best performance possible in scp. Arcfour seems to perform the best (yes I know it's broken but that's not important now). It even performed better than a copy with no encryption at all, which seems strange.. Any idea why that is?
I was copying from a 300MB/s RAID-0 array to a tmpfs (basically just RAM) over a 1Gbps local network connection, so no bottlenecks there.13
Had a NAS with a single 3TB Seagate HDD in it.
It ran well for half a year and it was my main backup and a Time Machine for my dad.
The time came that my budget was allowing a second drive for redundancy, so I powered it off, added the second drive and powered it back on.
The drive did indeed die and yes, it was one of those drives with an extremely high failure rate.
My dad was pretty mad that his backups were gone even though he didn't need them.
So my biggest lesson from this was to always encrypt such drives because dad's backup wasn't and my files and such weren't either, so someone could restore our whole lives from the drive.
So I can't RMA that fucker.
ZFS at-rest encryption ftw!
By the way, writing this I noticed that I didn't need to power the NAS down to add the second drive....
Another more recent thing was a refurb 4TB WD Red that I bought used for a bargain.
It reported 2 unwritable sectors but I didn't care for the money.
After about a month, it died.
The interesting part is how it died.
It spins up, gets detected, you can access the data.
You can copy the data.
But after a few moments of continuous load, all operations start timing out and the drive either disconnects completely or the zpool degrades and shuts down.
In the first case, replugging brings the drive back until it does it again.
On zpool degradation only a reboot brings it back.
Put a fan on it in case it was overheating but that didn't fix it.5
No archival of data on a database server with over 5000 high-profile customers, using no encryption whatsoever, with telnet open on the LAN, every user on the same account in the office using the company's name as the password... But hey, there are security cameras!
Nothing like changing state contract ws-security polices to make your eyes bleed and your brain melt with symmetric encryption binding in WCF services
Korora 26 finally came out and I wanted to install it on my new laptop. I'd previously put Ubuntu MATE on there, with Cinnamon kind of tacked on, but it wasn't great, mostly because it wasn't Korora.
Unfortunately, Korora (and Fedora) still have a bug in the installer where it will complain if your /boot/efi partition is not on /dev/sda, which in my case it was on my M.2 drive. However, I was able to eventually get it working.
But when I booted it up and tried to log in, it would take me back to the log in screen. I logged into a TTY, where I was reminded that when I had set up my Ubuntu install, I had chosen to encrypt the home folder.
Not knowing how to set up eCryptfs with an existing encrypted home folder, I opted to wipe the drive and reinstall from scratch--I had a backup of most of my files from the Ubuntu installation. However, I lost some very important documents that I'd set up since then.
Fast forward to today where my laptop won't boot unless it is either a.) unplugged with just the battery or b.) plugged in without the battery, with a different power cable from the one I got with the computer.
Thankfully the people responded quickly after I mentioned I was having issues. Hopefully it doesn't get worse...
Wanakiwi can be used to possibly decrypt wanna cry encrypted files and computers. https://github.com/gentilkiwi/...
Is it better to implement a cryptographic algo in a function or in a class? Also how?
I have a cryptography class and I really enjoy implementing the different techniques that we study in class. At first I was just implementing the techniques in a simple function with 3 parameters; key, message and a bool for encryption or decryption. But as they are getting more complex, it is becoming harder to continue implementing them in a single function block. So I thought of using a class but ran into the problem of how do I even do that? Do I make different methods for key generation, encrypting and decrypting?
P.S. It's really just for learning how the crypto technique works and not for anything serious.12
Okay I'm probably going to get flak for this but...
WhatsApp chats are apparently e2e secure. Except when you back them up, right? Why not, when you create a backup (iCloud, google drive, whatever), have the app generate a password protected key pair and use that to encrypt/decrypt the backup?
When restoring the backup, use the password you set for the key et voila! While at rest, that backup is still encrypted.
Or have I missed something completely?2
I don't know if many remember me but at one point this year I had to turn UDP basically into TCP, handshake, packet ordering, resend on failure, ACK response, and 4k bit AES encryption. Fucking done, it works, signed the last version and pushed to client, client loved it, just what he wanted, paid out contract then turned around and asked me to set up his server for one day with no further expectations and an extra 250, said sure don't mind, as I am setting shit up I decided to test if his business ISP really blocks TCP, guess what? NOPE IT WORKS JUST FUCKING FINE AND I COULD HAVE JUST RIPPED A PREMADE CORE AND GOT PAID AND SET IT UP AND HE WOULD NEVER know, but maybe there's some weird circumstances that require the core to be made only with UDP, so after I was done I asked why only UDP if his line allowed TCP? Requirements maybe? NOPE HE JUST DOESN'T UNDERSTAND TCP FUUUUUUUQQQQHDJDIOAJEJDICJDNXIKZMZJDJCU4
I've implemented Chat function for my app. Since I'm a security noob what is the preferred way of encrypting the messages End-to-end maybe?
I'm definitely not leaving them as plain text :)5
These past few days were the first days in ages that I actually had time to work on a project. It is also the first time in ages that I pulled all nighters to code. Being reminded of the feeling of putting on some headphones and hacking away on this project was the best feeling I've ever had in so damn long. God I love programming.
If you wanted to know what the project is:
We got an end of year project in comp sci at school and we got a lot of freedom for what we were required to do so I got the idea of creating bank management software cause it seemed pretty simple. But then I started the project and realized how much more I could do with this. So I've been working on an entire bank management program including account creation, database creation, file encryption, payment options, and credit/debit card attaching. It is currently text based but I'd like to create a gui in the time we have left to finish. I'd also like to incorporate more features that come to mind.
As V1.0 I found Allo quite fine. Google Assistant is so cool, answering a lot of questions for which you would otherwise switch to Chrome and browse Google search results etc.. About the encryption issues, I'm not a CIA agent and I have no problem if they use my data to improve the app's utility. That's what AI and machine learning are all about. And please, don't tell me that Facebook or other services don't store your conversations. What is missing is SMS/MMS support and a desktop client, that's it.1
Hi. I stumbled upon this Kickstarter project: https://kickstarter.com/projects/...
Is it worth it or is it just a waste of money?
I am a quite of a lurker, but from the posts I read @linuxxx should be the expert on this subject (I mean no offense to any other devRanter and I apologize if you felt unappreciated by what what I wrote).
Looking forward to your replies.
Thanks for your time.10
What do you guys think of surespot?
It's an open source messaging client that promises e2e encryption.8
Guys, I need some advice. I finally got a customer, and I'm trying to convince them to let me add SSL encryption, but they don't want the extra costs involved, that hosting providers tend to charge.
I don't really know of many hosting providers, as I run my own server, so I was wondering if people could recommend anyone that can let me run a nodejs backend, using mongodb?8
"We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4"
Let's see how this unfolds. While there is chaos I drink some tea and laugh, because I never send critical information over e-mail. 🧐🍵4
Last employer -- a major health care insurance carrier -- had over a million current and former subscribers data in SQL database with no encryption on SSN or other personally identifiable information. I reported this as an issue, and was told that since they had intrusion detection, etc. they don't need to encrypt the data. Guess they have never heard of zero day vulnerabilities or disgruntled employees?
Only last month I removed a file called 'statuspage.aspx'; this file has sat there for years on our customer sites.
The file did one simple query on the database to ensure connectivity; this query dumped the admin username and password to the page, no encryption.
Needless to say we rolled out an emergency update... Not quite sure how that made it through QA!
How should I start off with end to end encrypted applications for the web.
Anybody has any known examples or starter repos I could start off with :)
Ah the permanent role joblisting converted into a year contract proposal ... They must have used the wrong encryption type :/
Which encryption library do you people use with c/c++? I'm trying to use openssl but well there is more documentation about how to replace my own heart in the dark than on that. Also most of the structs have missing declarations hell yeah its nice to have a EVP_PKEY but what's that? Oh I know it's a evp_pkey_t and what's that? Nothing apparently. Comments? You kidding??? A proper library doesn't have them...3
This shithead continuously wasted 2 lectures of CNS (Cryptography and Network Security) on debating: in link-to-link encryption, if encryption and decryption take place on every node, what if an attacker attacks the node while the data is decrypted?
Though I couldn't care less about the lecture, this guy brings up the same issue in every lecture.
Does anyone have any idea about link-to-link encryption?
I already know it encrypts the whole packet with the header and on each hop the data is decrypted, the destination IP address is fetched and it is encrypted again, but I don't know if it's possible to perform an attack on the decrypted data.3
Can anyone explain indepth details about ransomware like it is just a normal encryption one or it is affecting the windows kernel ?
Try to enter a new password limited to 16 characters ... Why ... A password is used to be secure with encryption. Can someone explain!3
Has anyone here gotten VeraCrypt to encrypt a Windows partition on a dual-booted machine with Linux? I boot into Grub to pick the partition. VeraCrypt has the "Multi-boot" option greyed out.
Have been searching on this topic a lot lately, but I can't find any good solution, in my opinion.
I have a system where I want to encrypt some data in the database, so it isn't in plain text, but how would you do it properly?
It has to be decrypted to view the data in the system, but how to manage it?
How can I store the keys in the right way? In my current trial, I have an encryption key and an IV, but wouldn't it be wrong to store the encryption key in the config file?
Can't really see how to grasp this the right way and in the same way have it as secure as possible.
Is it just stupid in general?
Anyone else get the mind of an angsty college student without coffee?
I just had trouble describing asynchronous encryption
Ok, so for past 1 whole day I am trying to make vhost work on my brand new laptop, running Ubuntu 16.04 LTS... When I installed OS, I've set hard disk encryption, and on top of it - user home folder encryption. Don't ask me why I did both.
Setting up vhost is simple and straight forward - I did it hundreds, maybe thousands of times, on various Linux distros, server and desktop releases alike.
And of course, as it usually happens, opposed to all logic and reason - setting up a virtual host on this machine didn't work. No matter what I do - I get 403 (access not allowed).
All is correctly set - directory params in apache config, vhost paths, directory params within vhost, all the usual stuff.
I thought I was going crazy. I go back to several live servers I'm maintaining - exactly the same setup that doesn't work on my machine. Google it, SO-it, all I can see is exactly what I have been doing... I ended up checking char by char every single line, in disbelief that I cannot find what is the problem.
And then - I finally figured it out after losing one whole day of my life on it:
I was trying to set up the vhost to point to a folder inside my user's home folder - which is set to be encrypted.
Aaaaaand of course - even with all the right permissions - Apache cannot read anything from it.
As soon as I tried any other folder outside my home folder - it worked.
I cannot believe that nobody encountered this issue before on Stackoverflow or wherever else.9