#cybersecurity
7 messages · Page 3 of 1
yea
The Funimation app is a damned black box in terms of figuring out what's actually playing
for your case it might be easier to find a debugger with a python API
but not sure, you could write your own thing too
good learning experience
Oh that's a good point
Might focus on getting a transparent proxy setup tho
Sniff dat traffix
oh yea, that's always fun
i usually start with that since reverse engineering is a pain most of the time
it's easier to get what you want out of the traffic
you could check out burpsuite, ZAP or mitmproxy
personally i use mitmproxy, which has a python API and an easy way to install CAs
Yeah
I got it working as a proxy, but realized I need a transparent one
And doing that on Windows seems to be more complicated than just doing it on one of my laptops with Linux
ah yea, you can just force everything into it and it will act like one
it's easy on android with the VPN thing
and linux
Yes
So hoping I can see what protocol they're using
Like Jesus christ I just need the show, season, episode name, some art, and the current duration
But I don't think the obfuscation is intentional
HTTPS
@thorn obsidian because it's against our rules, not because it's hard
is it?
what rules?
rule 5 that covers explicitly ToS and policy violations for external services https://pythondiscord.com/about/rules
oh ok
sure, and as a general topic memory injection is fine, but we'd rather not have to drag the server as a whole out of any holes dug for pissing off game devs
Any sort of Reverse Engineering or hacking has a high likelihood of violating a ToS/EULA/whatever somewhere.
Yes, I agree
Which is why it's a line we dance 😉
Directly hacking a game to add an extension, especially if it's something against the spirit of a game (like a cheat or related modification), is definitely on the wrong side of that
Just use cloudflare
if you're just wanting to use it locally, just listen on 127.0.0.1 then theres no way to connect to it from outside your network for your IP to get leaked
@solid jewel I mean you could use a DDNS
But you can't hide your IP anyways.
Cause you can just ping it
You could probably host it on heroku free tier
gdude - Yesterday at 17:24
Just use cloudflare
bär - Yesterday at 17:26
wouldn't I need a domain to use cloudflare?
I am using Selenium for some testing, however I can see that there is an extension called "Chrome Automation Extension", I am not a fan of extensions as they have way too broad access to my data, can I remove this extension and still use Selenium?
I think in that case you can use it with FF
I am sorry I dont know what FF means?
Firefox
ah, but I wont be able to use it with Chrome?
I think you need the chrome driver to use it with chrome
hmm
debian and ubuntu are still on the 2.2.x versions afaik
plus probably some other distros, if you use Arch it should be fine
=< 😡
So what's the vulnerability? You run an untrusted video file and bad code executes?
I really dislike when people say "if you care about security stay away from X..."
If you really care about security, stay away from the Internet
Is this channel for Security generally, or for Security related things done with python?
i think general security is allowed here, yeah
haha, make sure you check your door 2^32 times before you set off
If it looks like a duck and quacks like a duck, break for it like for a duck.
Ok, if general sexurity is allowed, how can i check who tries to connect to my vps? cuz i want to see who tries to hack me xD
is it really
```sh
cat /var/log/auth.log
```
?
no sexurity 
Hahaha xD i've fat-fingered so bad
sry xD
i wont edit that message, this fail is legendary
...hope i dont get banned?
😛
SSH?
There are a few logs I think, honestly don't remember
It's been years since I last cared unfortunately
Looks like not by default
But there are ways around that: https://hackernoon.com/how-ive-captured-all-passwords-trying-to-ssh-into-my-server-d26a2a6263ec
Also somewhat unrelated but potentially of interest: https://github.com/foospidy/HoneyPy
thx
https://twitter.com/ChristoThurston/status/1021696925526122496 And that's why I don't use a quick scan credit card
Bathong! Be careful! Tap and go is not so secure. https://t.co/YemoHMjPoT
(Even if it's easy to prevent, and easy to recover from)
the insane part is how slim they are now
they used to be sorta covers that slipped around an existing ATM card slot
now they're little things that slide inside the actual card slot
i always eye up the card slot before using an ATM
the first one you posted i've seen before
super sketchy
i imagine it's impossible to tell if there's one of these in there though
Might have like a visible metal piece at the top/bottom i'd assume
like slightly in there
Needs to be extracted somehow, unless they use some form of key to extract it
Unless.. it's wireless
Then all hope is lost
i'd assume you'd use a tool to insert / remove it
glad i'm not American though
those fellas are only just getting chip and pin
they use magstripes
:o
which makes card cloning really fucking easy
although they have been shifting towards chip and pin in recent years
because banks don't like fraud i guess
¯\_(ツ)_/¯
I can't even remember the last time i used one
But i always think about scimming when I do
same
good thing very few of the crooks around here are stupid enough to try pulling it off for an extended period of time
it's more common to see them try and steal the whole fucking ATM
lol
cute little QR code hack
@silent pier "Unless.. it's wireless" AIUI wireless ones do exist - using either bluetooth, wifi, or SMS.
oof
Imma just not use my card anymore if that's alright
"hey can i wire the money to you for my groceries?... no?.. I'll just eat something off the street, that's fine!"
just put a large boulder in your front garden
then show them pictures of it
they'll believe you're good for it
(That was a legit form of currency on an island somewhere btw)
really they need to get rid of the magnetic stripe - even going to chip based readers won't stop skimmers from reading the stripe
i get so annoyed when i see brand new machines (like the new AMC theater kiosks from like two years ago) that aren't even physically compatible with chip cards and would have to be redesigned
Financial institutions in the US are reluctant to change and aren't fined for not doing so
unlike the literal rest of the world.
Most ATMs to my knowledge are still running on legacy OS (many were xp)
They aren't held liable when they fuck up lives
"You mean our gross negligence caused damage to a bunch of not-rich people? Lol oops"
Look at the Equifax breach
tbh
Not a single fucking thing done to those monsters. They even got more contracts from the IRS
Target's breach is a prime example of how Chip and Pin could've prevented massive fraud
For literally not upgrading their software after being WARNED of the potential
Exactly.
Loads of ATMs here are still XP Embed, but that's not really a massive problem
I guess the eco system is different in America
Retailers, Banks and card associations would all have to do some rolling out of crap
Retailers and card companies already get into fights over who pays for transaction fees etc
Could you imagine the fight over who pays for the roll out of millions of chip & pin machines?
:D
In either case, I'm tired of paying for their negligence lol
We have a national card association in the UK
Basically they set policy and everyone who's part of it has to follow
Is there any way to securely store users passwords on their ends?
I'm making a launcher for a game and want to have a save password feature so people don't have to input their password every time they log in
not really
i mean, all the usual ways of doing it, like password managers etc require them to enter a password
Yea
well
I was hoping that windows and mac may have had some sort of feature that would be similar to Android and iOS's fingerprint sensors
there's OS encryption on some systems which can be set up to just require the user to be logged in and not have their password reset by an admin
Yea something like that, I was thinking of
Where the encryption is on an OS level, and I don't have to deal with it
or using the macOS keychain
it may still prompt them for a password but it'd be their OS login password
Mhm
Well by not making them use their password you’re already kind of forgoing a bit of security. You could store a salted hash and just compare that to the db. It’s probably not the most ideal thing though
But blizzard has managed to do it somehow with their Battle.net launcher. Id look into that probably and see if you could find a way
Hmm
The launcher I'm making is 3rd party
So it needs to send the request to the server using a login API
Its a good idea but not possible in my scenario
On Ubuntu and probably most other Linux desktop systems, you can store secrets in the user's keyring, which is encrypted on disk and gets automatically unlocked when the user logs in to their system account.
Probably the same thing as Random said about Mac keychain
e.g. Chrome uses that for passwords too by default
or Wifi passwords
Yea thats what I was thinking of using
Though, the primary platform I'm using is windows
But i could support it on those platforms
you could also encrypt the passwords on their own system on windows using like RSA or Bcrypt or something, but its kinda risky I suppose
Looks like Windows does have some encryption tools
But they look like a PITA
There is some Encrypted File System, which seems to be outdated
And then there are some functions that work for windows 7 onward
Similar to the Keychains in MacOS and Linux
Also looks like they're very low-level and no one has made a library for python as of right now
You could write it using the api calls
I could
I don't know C though
Im sure its not that hard to just route the calls though
there's a python API for making system calls
Didn't know that
its pywin32 i believe
any thoughts on the T2 chip on the macbook ?
The T2 chip has a secure enclave processor, which is used to manage security keys. It also features a dedicated encryption engine for the SSD.
https://misc0110.net/web/files/netspectre.pdf
netspectre: read arbitrary memory over the network
any thoughts about "Violent Python: A Cookbook for Hackers, Forensic Analysts, ...", is it worth it to read it in 2018?
alternatives?
i know KnownError (one of our mods) recommended that book
@safe bear sup?
@thorn obsidian yes, it's still worth reading even now
It's python 2.7 but the techniques and packages should still work with python 3
In fact, I think I did use 3 when I was doing teaching using it, just had to make a few changes
Any "Requests" lib experts?
I'm getting this when trying to post to a service (not sure how to format on here sorry)
("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')],)",)
the server, im trying to connect POST to only supports TLS
im trying to force use of TLS 1.1 through the PoolManager but the error still says ssl3?
The code
Also, I can get a response with cURL thru the cmd, or a client like Insomnia, so the certificates are ok, but I just cant figure out whats wrong with requests....
the whole code of the file
I've googled around for days, tried a lot of different approaches, but this sslv3 error is killing me 😦
heres the curl command also if it helps
```sh
curl -v --header "Content-Type: application/json" --request POST https://mss.cpc.getswish.net/swish-cpcapi/api/v1/paymentrequests --cert Swish Merchant Test Certificate 1231181189.p12:swish --cert-type p12 --cacert Swish TLS Root CA.pem --tlsv1.1 --data @old kite_data.txt
```
DEFCON is on next week. 👌
is his lordship gonna go there
no, but i'm gonna watch the shit out of it
I'll be there
Being antisocial
Just like half the attendees
And of course, the ever-present feeling of inferiority
This time though I'm definitely going to go hardcore on the IOT and possibly ICS villages
Might bring laptop with straight bare-metal Fedora or possibly Kali
Trying to do shit through a directly mapped interface into a VMware VM works, but it's a fucking pain
Gonna bring a laptop running barebones windows 98
Why
security through age
Exploits don't stop working
You should connect that to the DEFCON Open WiFi network and see how fast it gets owned
Though I feel there are some people who do exactly that just for kicks
Yeah I mean it would just be for kicks
So might end up bringing 3 laptops...
Debating whether to bring old HP with Fedora that's beefy but also big and heavy (and less than optimal battery life)
Or put linux on old Surface Pro 2
Which there's apparently an entire active subreddit dedicated to: https://www.reddit.com/r/SurfaceLinux/
You have to make a custom transport adapter
The link has an example, it's pretty straightforward
remember to only allow localhost when running stuff on Tor
https://twitter.com/ydklijnsma/status/1025796349541769217
Another #Tor hidden service exposed through an incorrect configuration of the listening server. Hiding your private forum on the deep dark (and still very public) web. Certificate can be found here (host is still live!): https://t.co/KEqN6hfyFb
also WPA has a new attack and OpenSSH RSA keys are kinda shit
https://latacora.singles/2018/08/03/the-default-openssh.html
https://twitter.com/hashcat/status/1025786562666213377
The eslint-scope npm package got compromised recently, stealing npm credentials from your home directory. We started running tabletop exercises: what else wo...
We've developed a new attack on WPA/WPA2. There's no more complete 4-way handshake recording required. Here's all details and tools you need: https://t.co/3f5eDXJLAe
ed25519 ftw
@safe bear thanks for the reply, I should have elaborated as I did in my previous questions, if you scroll up just a little bit you'll see the screen and the code
I've tried with adapters, I've tried using urllib3 directly without requests. I've also tried specifying cipher suites as well
and I still can't make a POST to this damned service
using python
damn, still stuck on that?
have you tried setting up a new venv maybe?
or using a completely different computer
maybe setting up a vm
just throwing out options
gotta try to narrow down the issue
Yeh 😄 don't have another PC available at the moment
you could try a vm
are you on windows rn?
if so, may even want to try another os
if it's possible, I can attempt to make a post request with your code tomorrow
on my machine
im on ubuntu 18.04
I'm basically trying to implement third party payment on my website
so i guess its kinda strict when it comes to security
which is good, but im too much of a noob still 😄
yeah fair enough
I suspected you wouldnt be able to just send everything over
but making a vm would be equivalent to having me try it
so just do that
i do get a different error now after reinstalling urllib3 and requests
SysCallError(104, 'ECONNRESET')
wasnt able to find anything that helps as it is quite a broad error
but a VM seems like the next logical step so thanks
that error seems like a step backwards lol
i guess, what I found out is that it basically just means that the connection was closed at an unexpected time
basically the server said - f*** off
could just mean that the connection timed out
it just baffles me how simple it is to call this via cURL, and yet all these libraries, openssl, pyopenssl, urllib3, requests cant do it...
might end up using curl in my code....
it's probably not that difficult and you're experiencing some strange error
that or there is some really crucial error in your code
but i wouldnt know
well i've used requests before successfully
but never to a service where i had to have physical cert files and a bundle file on the client computer
so i guess im doing something wrong here
python doesn't use the OS's cert bundle afaik
I don't remember how it works, but don't rely on the OS cert stores
ok so I noticed this now
"If verify is set to a path to a directory, the directory must have been processed using the c_rehash utility supplied with OpenSSL."
i obviously have not done anything like that to the directory im pointing the parameter to
..
i'll try a new VM anyway before trying anything else, maybe it'll just work straight after that, would not be surprised
venv*
well it says directory
you're pointing to a file
or rather you're supplying a path to a file
not to a directory
oh yeh ur right
@marble dawn would you able to recommend a website/book where I could get a good understanding of how certs are used in Linux? I'm quite lost right now
Gotta be honest, it's an area of security I try to avoid
because it really can be a pain
i can see that, I've been trying to read up on it but theres so much stuff I dont get
guess you just learn these type of things over the years
It's a very corporate thing to need
You see it a lot when you're working with Amazon services and projects like Elasticsearch
I dunno what was wrong with RSA keys, but whatever
looks right
huh, just found this. https://medium.com/@grandaddie11/hack-the-first-https-youtu-be-o4-2wss1dn8-dae8301ee71c
and apparently this was that server's response, but it got deleted lmao https://medium.com/discord-bots/minor-security-vulnerability-reported-on-august-4-hacker-who-we-believe-to-be-cory-redmond-20aa9978e513
oh yeah it's an article.
lemme get into it then :P
oh, they made another response https://medium.com/discord-bots/minor-security-vulnerability-reported-on-august-4-2e2d92269488
@rigid moon iirc you can manually specify the cert paths to use in requests and urllib3
Check the docs, I'm on phone right now unfortunately
Unless of course I'm misunderstanding the issue
I dont know who to lean towards in this case
Mostly cause I don't know if this "local change" is true or not
yeah, exactly. they've given no evidence that it's actually been fixed though, so that's why i believe the first story more.
Yeah
nice security thing for the discord bot
i've broken a few of them and never had someone get that angry
Bots involving paying?
ye
Some people are louder than others ¯\_(ツ)_/¯
```python
@commands.command(name='calc', aliases=['calculate'])
async def calc(self, ctx, *args):
    """A simple command which does calculations.
    Examples:
    /calc 6 * 4 -- multiply
    /calc 6 + 5 -- add
    /calc 8 / 2 -- divide
    /calc 6 - 4 -- subtract"""
    # Length check: warns the user but does not return, so execution continues
    if len(args) > 10:
        await ctx.send("That calc is to long!")
    test = " ".join(args).split()
    # Every odd-indexed token is expected to be an operator
    for item in range(0, len(test)):
        if item % 2 == 0:
            pass
        else:
            if test[item] not in self.operators:
                await ctx.send("Nice try :>")
    # Every token must be an int or a known operator; otherwise reply and stop
    for item in args:
        try:
            int(item)
        except Exception:
            if item not in self.operators:
                title = f"{item} is not a valid operator or number"
                text = "Do another calc with `/help calc`!"
                embed = await store.embed(ctx, self.bot, title, text)
                await ctx.send(content='', embed=embed)
                return
        else:
            pass
    # The joined arguments are passed to eval()
    try:
        total = eval("".join(args))
    except ZeroDivisionError:
        await ctx.send(content="Don't try and divide by zero please ;D")
        return
```
Break my code!
@thorn obsidian edited the new version
All of us using Linux 4.9+ might be interested in this: https://www.kb.cert.org/vuls/id/962459
The Linux kernel, versions 4.9+, is vulnerable to denial of service conditions with low rates of specially modified packets.
@cedar pelican
@thorn obsidian it says dont divide by 0 please
@thorn obsidian what do you mean?
You might want to give the full snippet
SyntaxError
SpamError
i just put the whole computer security industry out of business
most of IT security isnt really about deleting viruses
that was a joke if you didnt know
@cedar pelican Did you check for 0 input, or just say "pretty please dont divide by 0"
Two days till DEF CON kiddos
?
This issue was publicly disclosed on the Homebrew blog at https://brew.sh/2018/08/05/security-incident-disclosure/
2019 Canadian elections coming up and I have an unauthenticated 0day affecting every ISP in Canada. 20,000,000+ records potentially affected. Too bad I'm not a politically-motivated Russian APT, or this might actually get the disclosure it deserves.
some snapchat source code
https://github.com/DzMohaipa/Source-SCCamera
linux kernel TCP denial of service
https://www.kb.cert.org/vuls/id/962459
The Linux kernel, versions 4.9+, is vulnerable to denial of service conditions with low rates of specially modified packets.
https://blog.varonis.com/koadic-lol-malware-meets-python-based-command-and-control-c2-server-part-i/
this is pretty interesting
on another note bugcrowd does some security courses now
https://www.bugcrowd.com/university/
yup
security is a meme
onepassword://extension/lock onepassword://quit these URIs for @1Password do what you expect ‘by design’. Have fun! Work just like regular links, works v well in slack. Can trigger w/ javascript
keep seeing things that make me glad I chose KeePass
i can post some things that would make you wish you used something better i guess
Keepass Keepass security vulnerabilities, exploits, metasploit modules, vulnerability statistics and list of versions
RCE in 2017
they haven't been audited and their code has some clunky old areas
would probably be careful with any of the web integration
also this happened
https://hotforsecurity.bitdefender.com/blog/hacker-demands-nothing-after-infecting-hong-kong-department-of-health-with-ransomware-20187.html
i haven't seen much on bitwarden, but it's maintained by a company that looks reputable
personally i just use https://www.passwordstore.org/
Pass is the standard unix password manager, a lightweight password manager that uses GPG and Git for Linux, BSD, and Mac OS X.
I needed the org support, and the TOTP support is pretty nice
ah
yea, bitwarden is very nice
Interesting
But I'm not worried
Two of the 3 cve's were for keepass 1
the other is for 2 but is just a man in the middle for auto updates
which i dont enable anyway
i know the first two are too old, but the CVE with updates is notable since it's networking
there were issues since keepass1 with networking that kinda followed the project
look into their weird HTTP server API thing more, that was full of bugs
what thing is that?
can't remember exactly, it's some feature they had until recently that allowed applications to interact with keepass and request passwords or something
well I know there's a plugin for that
dont use it though
here are some other things noted in 2015, i forgot they basically ignored the fact that HMAC exists for a while
https://news.ycombinator.com/item?id=9727297
I've been a long-time user of KeePass. I inspected its 2.x .NET source code today and quickly noticed the following issues which I find quite concerning:The kdbx database is encrypted with AES in CBC/PKCS7 mode without proper authentication. HMAC is nowhere to be found in the...
it's quite possible that the project has grown better since these exploits/issues but idk
personally still wouldn't use it
too lazy to do source code review
I'm not stubborn I'm always open to switch to something else
it's up to you, i don't think keepass is horribly insecure but i feel like it's probably not a good option
I'm currently a dirty windows user though
as mentioned above bitwarden is cool
works on windows with pretty UI and security capable team behind it
plus it's opensource
yeah keepass ui is ugly
@thorn obsidian keepasshttp is deprecated iirc, keepassxc has a new thing
yea but they continued to include it by default until 2017
¯\_(ツ)_/¯
plus they weren't even compiling their code with errors or address sanitization for a while
what kind of security project ignores address sanitization compile flags? worse yet, ignores warnings from the compiler?
hmm
well i've been using keepassxc for a while now
initially used 1password but its a subscription model
kpxc works very very nicely
idk why I'm so hesitant about having it all be on the cloud like with bitwarden
iirc you can do a local archive
i know for a fact you can deploy it locally within your own network, but i think you can also just do a completely local archive
I should still have it on the cloud for off-site backups
and to make it convenient to use on mobile
i haven't felt the need to sync my passwords over the cloud
even if, my kpxc database is in my icloud drive
yeah neither have I
but I don't use 99% of my passwords on my mobile device
i mean, if you want consistent mobile/laptop support it's a must
but for that a friend told me you can use syncthing (p2p file sync) and just have it sync up when the devices join the same network
so when you get home everything can sync
without servers
it should work with both
he uses pass, same as me
syncthing only cares about files
just sync the entire archive
currently i do filesystem encryption on important documents
but the drives i'm using for backups aren't FDE
for various reasons, mostly compatibility and because they're old drives
ah
mine aren't either, but they're encrypted and the checksum is verified where applicable
thinking about outsourcing to cloud as a second backup solution though
backup to the backups
hmm
do you currently have any off site backups?
nope
same 
technically no, i like to keep my drives with me
unless i leave my rpi at home haha
if the house burns down oh well
then technically yes
are all your backup drives always connected to your system?
but i've been looking at stuff like siacoin for a while now, had my eye on it since early last year, been thinking about using it to backup stuff for cheap
it should have tbh
someone recommended me a cloud provider named rsync
waiting for filecoin, IPFS powered stuff, they're taking forever to launch
brb
i've seen rsync but i wouldn't use them tbh
p2p distributed encrypted storage > centralized datacenters
it's cheaper anyway
do you just spend a few hours every day reading these 😄 ?
you must have some news feed for these set up, right?
i don't have any custom news feeds
i just hang around lots of security people
although i should make some RSS feed readers, i was going to at some point
but yea i spend like 4 hours a day reading about security tbh
i still have like 6 articles i'm reading
tbh the sad part about all of this is that everything i've posted is like a week and a half of news
not even digging into old stuff, it's all very recent
sim swapping is basically social engineering yeah?
CC backups: https://www.reddit.com/r/linux/comments/42feqz/i_asked_here_for_the_optimal_backup_solution_and/czbeuby
2 cents per GB/month - 40 GB minimum, paid annually
if you use borg / attic only that is
taken from https://www.rsync.net/products/attic.html, interesting
@north rover sia is like 0.05c per TB per month
something close to that anyway
network has 4.6 PB of storage
wat
what do you guys do for data redundancy btw?
um

well, my documents are in iCloud Drive and in my backups, so those are somewhat redundant-ized I guess
apart from that not much
I've looked into stuff here and there
drives arent that expensive these days
this talk has stirred up some motivation to figure this stuff out
I need to find people to flood with my questions
or find good resources to read
on creating a home backup solution
I don't need to be ultra paranoid or have enterprise level backup solution
@thorn obsidian Elliot Alderson...No wonder you're here
You seem to be a security enthusiast
Figures the one week I don't check the weekly US-CERT email there are KeePass vulnerabilities
Oh, wait, never mind
1 CVE in 2012, 2 in 2017
That seems pretty good to me
oh you use KeePass too?
Been using it since like 2010-11-ish
whoa nice
ooh good word 👌
I really wanna use KeePass but I'm too lazy, which sure as hell is probably the dumbest reason not to use some extra security lol
My issue with KeePass though is like, what do I do if I'm not on my home computer and need to log onto something? How do you KeePass users generally handle that?
Ok, so here's my current system
(I use OneDrive myself)
..Damn
@safe bear Can you expand on the "I also have KeePass configured to use a secure desktop for password entry" 😃
Ooooh, cool, wasn't aware of that at all, thanks my friend 😃
It's the same system Windows UAC uses to prevent malware from tricking you into clicking "Yes" at admin prompts
Honestly, it should be enabled by default
Err, one last question if you don't mind, you mentioned LastPass, how does that come in play? I googled LastPass quickly but I'm not sure how it fits in into the whole workflow 😄
So I don't have to open KeePass and copy all the time
I can just click the little button on the form fields
Oh, I see
Damn, that's a hell of a setup you got there bud
Making me feel like some technology illiterate person
You are an inspiration, thank you.
😄
yea i posted those when i was talking about it's security @safe bear
@thorn obsidian Directly into device...wow
yea
idk, depends on what you're doing
A cyber security enthusiast
Try some CTF's
Do a bunch of reading about stuff
Grasp the common attack types
idk
I've just been reading some of the DEFCON slides :3
There's going to be a cool talk on Fax still being a thing
Looks like there's a nice one for shell commands / useful things in it
I suspect the one on domain / certificate registration will be interesting too
VulnHub provides materials allowing anyone to gain practical hands-on experience with digital security, computer applications and network administration tasks.
If you were interested in doing some CTF type stuff
@lusty flare Yup, I know about CTF
Thanks for information
i wouldn't go with vulnhub, the systems get old and repetitive very quickly
UnknownError showed me this last year, very great tool
https://github.com/cliffe/SecGen
Insecure?
yes, it's basically a personalized CTF generator
it creates systems with intentional exploits and you get to find them
nah, public information is free
when you work up some skills check out https://hackthebox.eu/ too
apart from that i recommend reading up on OWASP top 10 exploits
and how they work
OWASP Top 10 2017 The Ten Most Critical Web Application Security Risks
this is a lot of info so feel free to take some time
ah nice @thorn obsidian
Well, is it possible to make a ransomware (just for test don't ban me mods) in python? I know C and C++ are considered for malware development
But can we?
Malware is anything that harms the user. So yes, surely you can program something harmful in every language.
bet you could write it in bash
someone does a remote shell execute
all of a sudden
ransome'd
sure
Hell I remember old batch script malware
What type of?
Any cryptanalyst?
I have an encrypted message and I'm trying to solve it but I can't
You can just post it here or in one of the off-topic channels and see if somebody can solve the challenge.
Don't expect too much though.
@upbeat palm no need to wait for somebody just post your question, if somebody knows the solution he will tell you
@orchid notch I didn't get it..you mean I don't have to rely on someone for every answer
You're right, Thanks
Will post in a minute
05171606.05161220.16'12.1810161118.0510.132005.1605.241313.22101220.100405;.05171606.05161220.1612.1810161118.0510.0605241121.0409.241121.0617100405;.16.22072422142021.05171606!.
Encryption consists of 1 negative number, 1 neutral number and all others are positive numbers.
@upbeat palm what kinda encryption is that
Can't be binary 🤔
Hm
Looks like a key is needed
I'm also confused
I think I have to decrypt it by applying some freaking logic
You play CTFs?
@upbeat palm that's a text consisting of a row of 2 digit pairs, i guess the 16'12 could be an I'm. And if 16 is the i, 1605 might be an is? so i guess it's just substitution of letters with numbers in a certain pattern. About the pattern im not sure
Yeah, Nix' guess seems pretty reasonable so far.
It's not a simple caesar cipher though, where we just have a constant offset for all letters.
Here would be the output assuming two-digit pairs and a constant offset on the latin uppercase alphabet:
```text
0 FRQG FQMU Q'M SKQLS FK NUF QF YNN WKMU KEF; FRQG FQMU QM SKQLS FK GFYLV EJ YLV GRKEF; Q WHYWOUV FRQG!
1 GSRH GRNV R'N TLRMT GL OVG RG ZOO XLNV LFG; GSRH GRNV RN TLRMT GL HGZMW FK ZMW HSLFG; R XIZXPVW GSRH!
2 HTSI HSOW S'O UMSNU HM PWH SH APP YMOW MGH; HTSI HSOW SO UMSNU HM IHANX GL ANX ITMGH; S YJAYQWX HTSI!
3 IUTJ ITPX T'P VNTOV IN QXI TI BQQ ZNPX NHI; IUTJ ITPX TP VNTOV IN JIBOY HM BOY JUNHI; T ZKBZRXY IUTJ!
4 JVUK JUQY U'Q WOUPW JO RYJ UJ CRR AOQY OIJ; JVUK JUQY UQ WOUPW JO KJCPZ IN CPZ KVOIJ; U ALCASYZ JVUK!
5 KWVL KVRZ V'R XPVQX KP SZK VK DSS BPRZ PJK; KWVL KVRZ VR XPVQX KP LKDQA JO DQA LWPJK; V BMDBTZA KWVL!
6 LXWM LWSA W'S YQWRY LQ TAL WL ETT CQSA QKL; LXWM LWSA WS YQWRY LQ MLERB KP ERB MXQKL; W CNECUAB LXWM!
7 MYXN MXTB X'T ZRXSZ MR UBM XM FUU DRTB RLM; MYXN MXTB XT ZRXSZ MR NMFSC LQ FSC NYRLM; X DOFDVBC MYXN!
8 NZYO NYUC Y'U ASYTA NS VCN YN GVV ESUC SMN; NZYO NYUC YU ASYTA NS ONGTD MR GTD OZSMN; Y EPGEWCD NZYO!
9 OAZP OZVD Z'V BTZUB OT WDO ZO HWW FTVD TNO; OAZP OZVD ZV BTZUB OT POHUE NS HUE PATNO; Z FQHFXDE OAZP!
10 PBAQ PAWE A'W CUAVC PU XEP AP IXX GUWE UOP; PBAQ PAWE AW CUAVC PU QPIVF OT IVF QBUOP; A GRIGYEF PBAQ!
11 QCBR QBXF B'X DVBWD QV YFQ BQ JYY HVXF VPQ; QCBR QBXF BX DVBWD QV RQJWG PU JWG RCVPQ; B HSJHZFG QCBR!
12 RDCS RCYG C'Y EWCXE RW ZGR CR KZZ IWYG WQR; RDCS RCYG CY EWCXE RW SRKXH QV KXH SDWQR; C ITKIAGH RDCS!
13 SEDT SDZH D'Z FXDYF SX AHS DS LAA JXZH XRS; SEDT SDZH DZ FXDYF SX TSLYI RW LYI TEXRS; D JULJBHI SEDT!
14 TFEU TEAI E'A GYEZG TY BIT ET MBB KYAI YST; TFEU TEAI EA GYEZG TY UTMZJ SX MZJ UFYST; E KVMKCIJ TFEU!
15 UGFV UFBJ F'B HZFAH UZ CJU FU NCC LZBJ ZTU; UGFV UFBJ FB HZFAH UZ VUNAK TY NAK VGZTU; F LWNLDJK UGFV!
16 VHGW VGCK G'C IAGBI VA DKV GV ODD MACK AUV; VHGW VGCK GC IAGBI VA WVOBL UZ OBL WHAUV; G MXOMEKL VHGW!
17 WIHX WHDL H'D JBHCJ WB ELW HW PEE NBDL BVW; WIHX WHDL HD JBHCJ WB XWPCM VA PCM XIBVW; H NYPNFLM WIHX!
18 XJIY XIEM I'E KCIDK XC FMX IX QFF OCEM CWX; XJIY XIEM IE KCIDK XC YXQDN WB QDN YJCWX; I OZQOGMN XJIY!
19 YKJZ YJFN J'F LDJEL YD GNY JY RGG PDFN DXY; YKJZ YJFN JF LDJEL YD ZYREO XC REO ZKDXY; J PARPHNO YKJZ!
20 ZLKA ZKGO K'G MEKFM ZE HOZ KZ SHH QEGO EYZ; ZLKA ZKGO KG MEKFM ZE AZSFP YD SFP ALEYZ; K QBSQIOP ZLKA!
21 AMLB ALHP L'H NFLGN AF IPA LA TII RFHP FZA; AMLB ALHP LH NFLGN AF BATGQ ZE TGQ BMFZA; L RCTRJPQ AMLB!
```
22 BNMC BMIQ M'I OGMHO BG JQB MB UJJ SGIQ GAB; BNMC BMIQ MI OGMHO BG CBUHR AF UHR CNGAB; M SDUSKQR BNMC!
23 COND CNJR N'J PHNIP CH KRC NC VKK THJR HBC; COND CNJR NJ PHNIP CH DCVIS BG VIS DOHBC; N TEVTLRS COND!
24 DPOE DOKS O'K QIOJQ DI LSD OD WLL UIKS ICD; DPOE DOKS OK QIOJQ DI EDWJT CH WJT EPICD; O UFWUMST DPOE!
25 EQPF EPLT P'L RJPKR EJ MTE PE XMM VJLT JDE; EQPF EPLT PL RJPKR EJ FEXKU DI XKU FQJDE; P VGXVNTU EQPF!
Now the digit pairs range from 4 to 24...
with this distribution:
Counter({5: 12, 16: 11, 10: 7, 6: 5, 12: 5, 20: 5, 11: 4, 17: 4, 18: 4, 24: 4, 4: 3, 13: 3, 21: 3, 22: 3, 7: 1, 9: 1, 14: 1})
@upbeat palm What do you mean by "Encryption consist on 1 negative number 1 neutral number and all others are positive numbers."? Also is there any context or additional info about the message? Can we assume it is English?
Also note how the first half of the first two phrases is the same
5 17 16 6 5 16 12 20 16 ' 12 18 10 16 11 18 5 10 13 20 5 16 5 24 13 13 22 10 12 20 10 4 5
5 17 16 6 5 16 12 20 16 12 18 10 16 11 18 5 10 6 5 24 11 21 4 9 24 11 21 6 17 10 4 5
16 22 7 24 22 14 20 21 5 17 16 6 !
(except the apostrophe missing in the second)
Well.... solved it @orchid notch @upbeat palm 😁
how, @tight abyss?
The key is
{4: 'U', 5: 'T', 6: 'S', 7: 'R', 9: 'P', 10: 'O', 11: 'N', 12: 'M', 13: 'L', 14: 'K', 16: 'I', 17: 'H', 18: 'G', 20: 'E', 21: 'D', 22: 'C', 24: 'A'}
roll face on keyboard
makes sense?
???
success!
THIS TIME I'M GOING TO LET IT ALL COME OUT; THIS TIME IM GOING TO STAND UP AND SHOUT; I CRACKED THIS!
I'll give creds tho, that's pretty cool
as you guessed, substitution cipher on pairs of two digits
After I had the list of numbers, it was mostly building a dictionary and trying some values to form words
common English letters and the number distribution in the message helped
but after a while I got annoyed and simply threw it into https://www.guballa.de/substitution-solver
worked 👍
Did not even know GitHub did that, cool
it's new
the decryption or github?
we have linters for this too
@orchid notch the decryption
@tight abyss Goddamn....Dude
You rock
Thanks Thanks Thanks
You mean like VPNs? @velvet isle
I use NordVPN
Jesus Christ Nord VPN
It's OP
I get commercials for that like every 2nd page I visit
@orchid notch ?
Lol
the other half is Udemy...
^
Mobile OS - Resurrection Remix
VPN - NordVPN
Password Manager - KeePassX
Browser - Firefox & Firefox Focus
Search Engine - DuckDuckGo
Instant Messaging - Signal
XPrivacyLua and etc.
@orchid notch Really?
🤔
@upbeat palm can you give me some info on Resurrection Remix?
it's a more configurable free custom ROM
Agh
It's a combination of several other ROMs @orchid notch +1
You'll like it
Which one are you using? @velvet isle @orchid notch
Oh...Both S7...cool
Maybe he's using stock, I guess
As I see, Resurrection is GPLv3 though
so it shouldn't have those conflicts
although GPLv3 is a pretty viral license
like, one part of your code is GPLv3? Everything must be changed to GPLv3 according to GPLv3
which was why Lineage on the S7 was discontinued
Seems to be... Although making ROMs is easy, debugging is the hard part
That's why your LineageOS expired
no, my Lineage was 7.something and didn't get the 8 upgrade because of the device tree they used being under GPLv3
and them not wanting to change the entire Lineage codebase to that
parts of Lineage are Oreo nowadays
So...They discontinued your device ROM update...Fair move
Yup
Lineage OS is best but give try to others as well @orchid notch
Keep your os safe while using it
?
Oh,gotcha
Oh...
Yesterday I was watching "Who Am I: No System Is Safe", the protagonist was damn cool... It's based on hacking
A movie ?
Yup, German movie
I'll check it out
I got an invite to a private torrent tracker; every Udemy, Lynda, PluralSight etc. course is available for download
Hmm
the movie gets a bit unrealistic at some point
Yeah, a little confusing
At least a little catchier than Mr. Robot
I have CLRS in my Amazon cart 😂
Damn
paid YT I guess?
Gotta say the 1st season of Mr. Robot was totally confusing
2nd is FBI hacking
He hacked the FBI ?
That part was amazing
the 3rd season is the best for me
Yup, by writing malware in C, and Darlene spread it with the help of Angela
@orchid notch Still stuck on 2😅
in the 3rd series they'll teach Angela to "hack" and infiltrate the FBI again by placing some hardware and stuff
among other stuff
I lost track somewhere in two, like 3 months ago, so I just watched 2 and 3 in the last two weeks
FBI needs to be more conscious of their environment I think
Because in reality like that they get hacked
even in real life that would've been extremely hard to defend
don't know if this is considered a spoiler, but they basically have their own floor inside a company's building Angela works in, so they teach Angela to hack and she then places a femtocell to catch all the traffic and stuff from FBI mobiles on that floor
like @velvet isle how would you actively prevent somebody who has access to the building from placing a tiny hardware device on your floor?
on what
I might have set up CCTV and a warning sign for whoever goes near the room
see
Social engineering was the main attack😂
Not that one.... I mean she manipulated that FBI guy who asked her for lunch... Remember?
She seduced him ?
wait
was the femto one in season 2?
so hard to keep track of seasons when you watch 2 in 10 days
I never watched it before
@orchid notch Yup, he made it from the computer of a guy who hired him to transfer his website (a Tor one)
Did it already get revealed what actually happened to Elliot during that time?
Nope... Downloading E08
Main twist was that all that time he's in prison... But why/how?
I wanna know
they caught him hacking something, he said yep, yep and yep to everything they accused him of
=> prison
he wanted to go to prison
🤔
for
reasons
which make pretty much the story of season 3
it isn't actually clear anymore who's good and who's evil in S3 tbh
Oh..
there are three sides
Damn....So confusing
Have you watched Rick and Morty?
yes
some time ago
but that's not #cybersecurity anymore, more like #ot0-fear-of-python
Lol
👋
I am actually surprised we didn't get shoo-shooed outta here when we started talking series
No one was awake, I guess😂
well
OK, to be fair Thane can't really be called awake even when he is online, but still
That's moderator work...So they are busy
@orchid notch @upbeat palm @velvet isle 
@storm yacht Umm...Sorry😅
Oh fuck it's Lucy
Her profile pic is intimidating😨
We will....And sorry again
@storm yacht
https://www.uib.no/en/course/INF143 uu, does this sound fun?
@silent pier Online classes?
No, courses at my uni
Your university... wow
this paper title lol
Peek-a-Boo: I see your smart home activities, even encrypted!
https://arxiv.org/pdf/1808.02741.pdf
@thorn obsidian Cache poisoning, you tried?
have i tried cache poisoning?
paper is about metadata leaks in encrypted IoT connections btw ^^
above 90% accuracy on most stuff which is pretty crazy
it's getting real 👀
https://www.fifthdomain.com/global/europe/2018/08/07/german-cyberwarriors-assert-right-to-hack-back-when-attacked/
@thorn obsidian encryption algorithms were weak, I guess
nah
it's a side channel attack
the encryption works fine (not fully finished the paper yet)
Oh...
basically using stuff like data size analysis along with machine learning you can infer actions without decrypting anything
Hmm... like using other stuff, time, cache data, power monitoring attacks?
yea basically
if the network traffic suddenly spikes every day at the same time it probably means your coffee machine just started brewing the morning coffee, or the smart heater just kicked in, or the lights turned on
stuff like that
So basically the time and power consumption thing and other factors
Which will result in abnormal activity in IoTs
Using these factors to exploit IoTs
paper on abusing CTORS for anti-debugging in C
https://www.exploit-db.com/papers/13234/
GOD MODE UNLOCKED: hardware backdoors in some x86 CPUs
https://t.co/Ph0IAL0Pyw
White paper coming tomorrow. @BlackHatEvents https://t.co/qhZ1vFI7pL
rip
And a bit of reading makes every one of us feel happy and secure again
Well, everyone without a VIA CPU
yea, it's not an insane issue
but pretty cool, this extends his research from about 2013 when he made sandsifter
which is neat
Making a custom RAT is possible but which language is preferable?
English, mostly
@upbeat palm google
🤔
You’re not going to get an answer to that question here.
Okay
@thorn obsidian Have you heard of Model-specific Registers (MSRs)?
I went to the talk by xoreaxeaxeax
Basically he was trying to find hidden MSRs, namely ones that were password-protected
Didn't make much progress though
Unlike last year with SandSifter
But such is the nature of research, and it's cool he's continuing to go down this rabbit hole...
Because at this point, we definitely definitely cannot trust Intel to do the right thing
What's an MSR?
I haven't, but I think I've heard it mentioned before @safe bear
afaik it's some meme magic place in the CPU where you can store values
but idk
Undocumented CPU registers
Used internally by the CPU or by firmware makers that Intel/other CPU makers have a relationship with
He did mention finding a reference to an Intel i5 one in a bunch of firmwares, I think that's his next step
The current example of a password-protected MSR is the AMD K7 and K8 tho
I didn't go to this one, but may be of interest as well: https://media.defcon.org/DEF CON 26/DEF CON 26 presentations/Christopher Domas/DEFCON-26-Christopher-Domas-GOD-MODE-UNLOCKED-hardware-backdoors-in-x86-CPUs.pdf
Defcon...wow
Yes
does anyone know any obfuscation techniques with Python?
base64.b64encode()
That's super basic and trivial to reverse for anyone that knows anything
@safe bear Have you ever participated in or visited DEF CON?
I'm sure he has, everyone has been to DEF CON at least once
o/ I have not
Same...
not everyone is a nerd
@upbeat palm I was just at DEF CON 26 a few days ago, and I went to the 24 and 25 as well
Darn... Am I the only one who's never gonna attend DEF CON, as DEF CON was never gonna be held in my country?
There was one in China for the first time this year
I'm damn sure it's not going to happen in India
Probably not in the upcoming 10-15 years
An 11 year-old hacked the voting system used in a lot of US states
I want to read more about that
the CCC (ethical hacker group in Germany) published a patch for the really outdated voting software used in Germany after they broke into it to prove it was weakly secured at the last elections. Although they published the patches weeks before and they were discussed in the media and stuff, they were never applied afaik. So if basically any organization had wanted to manipulate our election, that wouldn't have been hard at all
Our elections are a fucking joke in the US
Tampered with by Russia (proven by every Intelligence agency we have)
Children can hack our elections if they want to
Lol, kinda true
cough
🏃
Election hacking is on-topic
to an extent
That extent is 100%
besides the fact that this continues to be a primarily Python oriented channel, general comments about the state of election security are probably better suited to off-topic channels unless they're generating useful discussion, which besides maybe Nix's comment they did not seem to be
Wrong channel bud
agh
Here, something that's on-topic: https://github.com/SpiderLabs/social_mapper
It's written in Python
I've seen this but
honestly I don't want to star it
I have lots of stuff starred but that's on another level of weird that I just can't do on a public profile
https://github.com/calebmadrigal/trackerjacker I discovered this tool on GitHub yesterday, seems pretty useful for some stuff
cool
@orchid notch someone just sent that in a security group and another person was like, "that's in Kali"
😂
Oh, trackerjacker
Ran across that a number of months ago, seemed pretty cool
Passive mapping of Wi-Fi networks
However, the MAC addresses Mobile devices use to search for APs have been randomized for the last few years, at least on iOS and Android
@thorn obsidian The use case for Social Mapper is doing OSINT in the recon phase of an assessment
@thorn obsidian Well you can use it to populate a phishing campaign management tool like FiercePhish: https://github.com/Raikia/FiercePhish
My absolute favourite part of this
Australian police seized two of his computers last year, and found files and information on how he accessed servers in a folder called "hacky hack hack,"
OpSec 👌
If I put all my incriminating info in my trap folders then I will never get caught
I put all my criminal documents in a folder called "Not criminal documents"
put it into "New folder"
~~put it into~~
@lusty flare Pretty catchy name
I just leave it on my desktop, but all renamed and reskinned to internet explorer
How long until this is broken as well
lol
@silent pier This has turned out to be a forum
What is the safest method for saving user profiles / data?
Inside a database with all passwords etc. hashed with a good algorithm like bcrypt (and ofc that one salted) and not allowing connections from external networks to the database
Would be my best guess
But the solution usually depends on what you want to store for which purpose and how it has to be accessible
Yes, a database is a good option. Need to take care with access controls to said database, ensure it's protected adequately at the network level, ensure passwords are encrypted (bcrypt is good) and salted.
And it uses prepared statements
Yeah, input sanitization and prepared statements are critical
Stored procedures if you want to be really cautious
@orchid notch ++
Which encryption?
AES or SHA?