Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Search - "private and public keys"
-
we had this guy once, who we gave access to our private repo. everything's all good until we noticed that our amazon bill was USD 8,000+!!! we found out that lots of servers got created and that's bec. this guy forked our private repo and his fork was a public one. our keys were still not in .env files and were part of the commit so some bot got hold of it and accessed our amazon account. we suspected that the servers were used for bitcoin mining. anyway guy was fired on the spot and we also learned our lesson to keep keys out of repos.14
-
I think I will ship a free open-source messenger with end-to-end encryption soon.
With zero maintenance cost, it’ll be awesome to watch it grow and become popular or remain unknown and become an everlasting portfolio project.
So I created Heroku account with free NodeJS dyno ($0/mo), set up UptimeRobot for it to not fall asleep ($0/mo), plugged in MongoDB (around 700mb for free) and Redis for api rate limiting (30 mb of ram for free, enough if I’m going to purge the whole database each three seconds, and there’ll be only api hit counters), set up GitHub auto deployment.
So, backend will be in nodejs, cryptico will manage private/public keys stuff, express will be responsible for api, I also decided to plug in Helmet and Sqreen, just to be sure.
Actual data will be stored in mongo, rate limit counters – in redis.
Frontend will probably be implemented in React, hosted for free at GitHub pages. I also can attach a custom domain there, let’s see if I can attach it to Freenom garbage.
So, here we go, starting up modern nosql-nodejs-react application completely for free.
If it blasts off, I’m moving to Clojure + Cassandra for backend.
And the last thing. It’ll be end-to-end encrypted. That means if it blasts off, it will probably attract evil russian government. They’ll want me to give him keys. It’ll be impossible, you know. But they doesn’t accept that answer. So if I accidentally stop posting there, please tell my girl that I love her and I’m probably dead or captured28 -
When I think "the fundamental problem", the closest thing that comes to my mind is "unsolvable problem". P =/!= NP is a fundamental problem, the theory of everything is a fundamental problem.
But we actually solved at least one such problem – the fundamental problem of cryptography.
The problem was "how to establish a secure connection over a non-secure channel?" Like you can't exchange the key, it'll be exposed by definition.
We solved it with a simple yet brilliant solution of asymmetrical cypher, that thing with public and private keys.
It's fascinating to think that people died in WW2 over this, there were special operations to deliver fresh deciphering keys securely and now SSH and HTTPS are no-brainers that literally everyone use.10 -
Very eventful day, please see enclosed several smaller rants.
===================
My college's systems are shit and not only do they use HTTP for everything, even the stores and financial aid purchase system, they have homebrew JS shit for PGP site encryption (nifty...), but they exchange the PRIVATE KEYS instead of the public keys. Over HTTP. Not even HTTPS. Also if you log in more than 10 times in 24 hours it's supposed to lock you out of your account until you call... except it locks EVERYONE out. Found this out when on campus, trying to get my textbooks, when suddenly everyone had login lockouts because i'm a "paranoid bastard" and "afraid of idiot college students" for not telling a PUBLIC PC to remember the one password (enforced by password auto-sync across all their shit, not ideal, no) guarding my SUPER-SENSITIVE FINANCIAL AND ACADEMIC DATA... among the other hundreds of issues this college has. I now see why this college is the only one I can afford...
===================
Can't pass-through raw DVD drive access to VMs as VM managers crash when I try (yes, even QEMU...) so i've gotta install Windows on a shitty 80GB laptop HDD for literally one quick project. On the bright side, if my theory proves correct, you'll no longer need modchips for PS2s.
===================
Found a couple odd lines in my xscreensaver config:
GetViewPortIsFullOfLies:False
nice: 10
pointerHysteresis: 10
the first 2 I can't seem to figure out what do, and the last taught me a new word. Fun!
===================
that's it, it's over, why are you still here11 -
#justAthought
I was reading about public and private keys yesterday, and i had a thought: don't you think the concept of "username" is being so badly misused?
It can act as a great firewall, but we are just misusing it as an alternative to "login via email", because we are now so dumb to remember our email.
You might think of my rant as being going back in time, but think about this: my profile shows the name titanlannister. if someone got access to my password, he/she can immediately take over my complete identity because devrant allows us to login via username/password combo.
Now think of this: my username shows titanlannister. Anyone of you can write a post and mention me via @titanlannister, and this system will notify me. However even if you get my password, you are unable to hack into my profile, because my profile is only accessible via my email id/password combo, which you still don't know.
This, I would call as Platform Public Key which adds a kind of semi firewall over default public/private key combination .
What do you think?5 -
The only way I can edit Puppet config files is by git. And the only way I can git pull/push/commit/etc is generating a ssh key with a private key and give my public key to my supervisor to the git server (wherever that may be).
Because I'm on Windows 10 and screwed up my installers, I completely forgot to backup my ssh keys before resetting it. FML2 -
My friend said I should make some of my old dead projects public (after removing passwords or api keys) even if they were badly done at least to show growth and development to recruiters.
I don't know though, I had a ton of random projects most I didn't bother with good practices assuming I'd be the only person to see the code, or telling myself I'd fix it later though eventually letting the project die for various reasons
should I really make bad projects public or should I keep them private waiting for a slim possibility of me reviving them.4 -
I've been working for so long with API integrations and one part of that is security. We perform ssl key exchanges for 2-way verification and a large percent of those partners provides me with their own pkcs12 file which contains their private and public keys! What's the sense of the exchange!? I think they just implement it just to boast that they "know" how ssl works,
-
Q.14 - Suppose that R sends a msg 'm' which is digitally signed to M and the pair of private and public keys for M and R be denoted as K(x)- and K(x)+ for x=R,M respectively. Let K(x)(m) represent the encryption of 'm' with a key K(x) and H(m) is the message digest. Which of the following is the way of sending the msg 'm' along with the digital signature to M?
A. [m, K(R)+(H(m))]
B. [m, K(R)-(H(m))]
C. [m, K(M)-(H(m))]
D. [m, K(A)+(m)]
E. WOW, REALLY ?5