#cybersecurity

The significant difference between the two is in how strings are handled.

Python 3 has an explicit difference between an encoded string and raw bytes, Python 2 does not.

@worthy locust Violent Python is 2.6 IIRC, and Black Hat Python is 2.7. Those are both fine books to learn on, just keep in mind the differences. Unfortunately, there aren't any good security Python books that are written for 3 that I'm aware of yet.

Yup, most of the books written in my 2.x, although it's not hard to get grasp on them if you have good knowledge of inbuilt function or if you know how to use Google efficiently.

"Hope you have a modern antivirus installed :)"

I run bitdefender(paid) and malwarebytes(free)

How secure is that?

Is bitdefender worth it?

It is good to review products before getting em

Malwarebytes is awesome

I did some search on their work and reasearch

Really not super relevant to this channel, but my experience of AVs goes something like the following

For myself: Nothing on linux, Defender on windows (comes with it)

For other people: Avast

corporate: Use symantec or something else designed for wide-scale company deployment and configuration

Malwarebytes + Avast always does wonderful for me on Android

oh on android I don't use anything

google play has its own scanner

I use Acmarket more than Google play these days oof

I've never heard of that one

I always used 1Mobile but the app seemed to stop working one day

But yeah you probably do need a scanner then

Yeah the security is worse on it

android sec is kinda hard to accomplish

I use ESET

Comes with free 30 day trial

And its really powerful I'd say, the researchers are doing a good job

Android hard is hard to accomplish when you need to manually update your rom to get a security patch newer than 2016

"2016-01-01"

Oof

https://thehackernews.com/2019/02/hack-android-with-image.html

Its official guys

we're in the future

vulns like that happened before

#stagefright

do people really download those pics and look at them tho?

That vuln has already been patched

It was a combination of three exploits and the AOSP has already got fixes

which means itll arrive on the major phones in uh..... weeks? months? assuming its ever gonna arrive

which means I'll probably wait until I have a new phone to get the update that patches it 👏

I remember a JPEG vulnerability on windows like 10 years ago

2004, so 15 years ago.

Is there a best practice for packaging DB credentials with a pyinstaller deployment?

Why would you do that? What's the use case?

A deployed executable that needs to connect to a remote db?

It's a simple utility, so I'm shooting for a portable onefile exe

what does it need to connect to the remote db for, and who is it getting deployed to @sand axle

the main concern is that it's impossible to prevent the user who possesses the executable from extracting the DB credentials and using them to connect to the DB directly and execute arbitrary sql statements, so the typical best practice is "don't".

I can imagine some legitimate use case where it connects with an account that is properly locked down and can only read certain tables and/or execute a few stored procedures, so it's incapable of doing anything that can cause harm or expose information the user shouldn't access, but the idea is enough of a red flag to raise eyebrows

It connects to the remote db to read configuration data from a third-party application, it is seeing limited deployment to myself and a coworker. The DB account is locked down to only read from a single table, just thinking about whether or not there's anything else I can do.

If I use a cryptographically secure random salt for PBKDF2 is it secure to use the same random bytes for an AES encryption IV using a key derivated with PBKDF2 with that exact same salt?

why not

Wouldn't the key reinforce the security ?

@orchid notch

thing is that for example reusing IVs can have catastrophic effects to your security so i want to be absolutely sure

hm

🤔

Then it may not be a good practice then ?

security stack exchange might know

there was a guy on the rust community server who said that it is situation depending and i shall just use two (which was already my backup plan in case i cant find out)

reusing IVs means that you can xor two ciphertexts together to get the same result as xor the two plaintexts, right?

i.e. the encryption falls out

I don't think that using the same random data for two different parts of the algorithm is nearly as bad, though why wouldn't you just generate more random bytes

Interesting consideration for secure app design, definitely.

hi im learning networks and i am at socket programming and i have a problem with my code this is the right place for socket and networks?

I think any of the regular help channels would probably be more appropriate, unless it's actually a security-related networking question.

👌

I got a question.
Let’s say you have a python login system code.

And when you login it will check the database.

Now, wouldn’t it be safer to encrypt the data first?

What I mean is like so you have the database everything is encrypted and what most people do is get the login information and get the account info in the database and decrypt and then check it if it matches.

Wouldn’t be more secure to take the inputed information > Encrypt it > Check if the encryption matches?
So it doesn’t leak any info in the memory if it does it’s all encrypted stuff.

Instead of getting inputed info > check database > decrypt > if it matches

Then it would leak into memory.
Lol idk i just thought of this or am I doing something wrong?

Isn’t more secure?

That doesn't make any sense in order to encrypt things again they already have to be decrypted an in memory

However if you are working with hashing functions and only have the hashs of the password safed inside the database then hash the password and check if it matches that would be how you'd normally do it

(however it still allows reading the plaintext passwords from memory if the attacker is on the server )

yeah that’s what I meant

Some people would decrypt and check

You can't decrypt hashes

If you store passwords like they are meant to be stored there is no way to uncrypt them apart from bruteforcing

@orchid notch I use AES encryption which I input the IV and key

And every key is different for each user

Don't do that

That would allow a decryption

You should store the passwords as a hash for example using sha512 or bcrypt

Also AES is pretty easy to get wrong so double don't do that

Well I use AES > Base64 > store it

And I never got it like as a different string

your database shouldn't have the passwords, only hashes of the passwords

@native edge isn’t a hashing a one way?

yes

Then how am I suppose to compare of the password matches?

If I encrypt it

Is it the same

you hash the password that is entered

and compare the hashes

Wait

Which module is it the hash lib that python already has?

you could use hashlib yes

Can’t it be like cracked?

no, it's not encryption

You can only check if the hashes match, you can't revert a hash to the password

Okay I’m sorry if I’m asking like stupid questions but like it sounds like rot13 encoding. Like every letter is switched like A > C... or something because if it’s the same every time someone can get a word list and try to crack it

I can provide an anti-brute force but wouldn’t it be possible if I didn’t have that?

It's a complex mathematical formula

There are a lot of functions in math which are impossible to reverse practically

Like for example hashing functions

Well cryptographic hashing functz

Functions

If you actually find a way to reverse functions like sha512 you'd become a pretty well known person in cryptography

It's not possible, there are more possible inputs than outputs so there are some collisions.
Brilliant mathemathicians have made sure the outputs are well distributed with a slim to none chance of finding duplicates

you dont know if its secure until the roof falls on your head

it could at least be possible to derivate possible inputs from an output

Is there a preferred hash lib?

@thorn obsidian there is a built in hashlib

I know but are they all the same?

what do you mean

Like someone says use sha512 or the python built in module or others

the python built in module has classes for each available algorithm, including sha512

https://docs.python.org/3/library/hashlib.html#hash-algorithms

Ooo okay

Thanks for the info !

well not classes exactly, but the distinction isn't really important for most things

@thorn obsidian its recommended that you use a library with a function specifically intended for passwords
just running sha512 on a password isnt secure enough, you need a salt as well
using bcrypt instead of just raw cryptographic primatives will take care of all of that for you

Alr thanks for the info

example is the passlib library (https://passlib.readthedocs.io/en/stable/)

passlib looks pretty good. its api salts automatically by default

lol

Based on the message deletion I'm assuming you figured out the bytes issue ...

@mortal perch is the method really secure for passwords?

from the looks of their documentation, yes.

btw the salt is what foils word lists

in theory someone could have a database of sha256 hashed passwords

with a salt its useless

which mostly protects your users from database breaches

also i like that it stores which hash function it used in the returned crypt text

that means if its ever proven to be insecure, you know who needs to have their passwords reset

doesnt really protect users from breaches, just makes rainbow tables effectively useless

if you have a shit password a salt wont save you

bcrypt is really nice because its parameters make it future proof, unless someone finds a flaw in the implementation

yes it is secure for passwords (as long as you use a strong cipher hashing algorithm like bcrypt, pbkdf2, argon2)
i think there are bcrypt fpgas btw

from 2014 https://www.emsec.ruhr-uni-bochum.de/media/crypto/veroeffentlichungen/2014/10/22/reconfig14_bcrypt.pdf

its not a ciiiphher

ssshhhh

https://github.com/M4cs/Photocord

Discord caches all your images

this lets you archive them and delete them if you'd like. Thought it was a cool project after seeing that they CACHE EVERYTHING

$HOME/.config/discord/Cache
$HOME/.config/discord/GPUCache
$HOME/.config/discordcanary/Cache
$HOME/.config/discordcanary/GPUCache

your readme said you wanted Linux cache paths, these are mine on Ubuntu ^ @chilly elk

using the .deb package from their site

Thank you

im guessing its the same for PTB then

updated with linux support @tight abyss thank you

Hmm, however, no files int here seem to be png images

it's all binary data

@tight abyss change one of the f's to f.png

and see what happens

👀

not data_x or index tho

I did, nothing. file also doesn't recognize any format

they are useless

🤔

you convert to .png on windows and its a picture

wtf

files like these

ff9f3eb57d2b07ae_0: data
ff9f3eb57d2b07ae_1: data
fff04fbbf5078388_0: data

those filenames are totally different too

hmm

i wonder if they go into .jpeg 🤔

or a diff compression format

but idk why discord would complicate things like that

pretty sure file would recognize any common image or compression format

yeah

even without a file name

see

my file names are totally different and windows sees it as a gzip

$ file /tmp/test
/tmp/test: PNG image data, 53 x 53, 8-bit/color RGB, non-interlaced

works well on real pngs

hmmm

no idea ¯_(ツ)_/¯

i mean even bash sees it as gzip

why gzip

since when was png gzip

it's not

but you wouldn't have only that few cached images probably anyway

no i haveb like 100s

i deleted a lot

while testing this

so

so it's likely that each of those files is a binary blob of compressed images

hmm

weird how they translate into a png file

are they layered?

I have no idea. I can't open any

maybe its just showing the first layer of pngs

also, I think this is extended discussion getting off-topic for #cybersecurity - if we continue, we should probably move somewhere else

but nice project idea anyway

i thought flask encryption would be hard

80% of it is importing the lib, making an object and using 2 simple functions

ok here is good too

which ctf and which challenge?

#include <stdio.h>
#include <ctype.h>

// Usage: count <data>
// Counts the number of uppercase characters in the data
int main(int argc, char** argv)
{
  char input[1024];
  int total = 0;
  char* pos = input;

  if( argc < 2 )
  {
    printf("This utility counts the number of uppercase letters in the first argument\n");
    exit(-1);
  }

  if( strstr( argv[1], "debug" ) != 0 ) // debug mode
  {
    printf("Buffer is at %p\r\n", input);
  }

  strcpy( input, argv[1] );

  while( *pos != 0 )
    total += ( isupper(*pos++) > 0 ? 1 : 0 );

  printf("There are %d uppercase letters\n", total);
}

thats the c code

all i can do is run it with whatever command line arguments i want

cant change the code

yep.

flag achieve case?

so far was thinking put shellcode in the input buffer, overwrite the return address with the address of the start of the buffer, and have the shellcode give me a shell

with the shell i can open the flag text file

the compiled executable has permissions to read the flag file

this is being run with a suid bit, alright

yeah

the uh

what you said is pretty much how you do it

ok but like every time i try, it doesnt work :/ either it just works normally, or i get a seg fault

compile locally with -g -fno-stack-protector and start it up with gdb

you can keep an eye on registers there and see what exactly you're overwriting

also look out for endianess, you might need to reverse the order of the bytes

yeah its little endian

furthermore, if you look at the registers and realise you can't get the address where you want to jump to aligned with the address you're overwriting or it's variable (which it should definitely not be), you might have to use a sled (but i doubt that)

you might also be overwriting registers which it uses before it reaches the target address, causing it to segfault

hmmm

ok lemme check rq

i overwrote 4 bytes, and from the output (1633771873) i'm assuming my 4 as overwrote an int

and then the pointer im assuming

does char* take up space in memory?

set a breakpoint on the memcpy

if you already haven't

if you haven't used gdb before, i suggest finding a good tutorial to get a hang of the basics :) if you have, np

i used it before, last time i was trying to do this (whcih was like a week ago)

Do companies hash usernames as well as password? Just want to know what they hash in general

hashes are one way, so if they hash the username they wouldnt be able to display it

they just hash and salt passwords so that if their database is hacked it doesnt leak the users password

Ahh ok so looks like I don't need to do anything else for now. thanks 😃

yeah just pass the plain text passwords the user gives you to your password library and store whatever it gives you

all other security is just 'is this user allowed to do x'

Yeah I've got a hashPassword and checkHashPassword function rn. And then storing isAdmin in the database because that's all I need for now.

cewl, just make sure whatever you are doing to hash your password also Salts them

its good practice even if you are just playing around

Got salts from uuid, don't exactly know what it does as of yet because haven't learnt it in school.

ah yeah the salt can be anything, it just there to make sure that if you use SHA512 and encrypt say "password" with it, that i cant just have a database of SHA512 hashed strings to figure that out

it just does salt + SHA512(salt+password_var) basically

if you simply hash you leave yourself vulnerable to a rainbow table

we dont care if they know the salt, it just prevents them from comparing a password entry here to any other password entry in your database or any other persons database

it might also be worth repeatedly hashing your password

remember 0.2s on your end to hash and validate will take an attacker far, far, longer to crack since they need multiple attempts

So kinda recursively hash the passwords?

only if your system needs to be super secure tbh

i wouldnt worry about it unless your architect or client tells you to

I'm only doing this for a school project so not going to be deployed

just use a password hashing library someone else made that has sane defaults

and youll be correct 99% of the time

I wouldn't hash multiple times. You can use password functions like bcrypt with configurable effort instead, which are made for this purpose.

yeah. the key to writing secure crypto code is: dont

let someone that actually knows how to do it and reuse their code

then you at least know who to blame when stuff breaks

I see for now I'm using SHA256 with salts, gonna keep that for now unless teacher says I need to make it more secure.

that should be fine for this project and tbh most websites

yeah bcrypt has a rounds kwarg doesn't it?

as long as your salts are unique per user its hard to mess it up

do .pyd files generated from cython help protecting the code?

no you can reverse them back in to approximate python code

but if you just want to prevent casual viewing sure

@gentle heron well i will be using it and turning it into an exe

can they take apart the code and get the pyd?

its not trivial but yes its just a dll compiled from python

do you anything about cython?

not much no

u ever use it?

but if you want to secure your code, dont run it on the end users machine

no i do not

well thats what i wanted to do but

if u want a server they all need $$

if you dont have the money to run a server imma be honest, your code isnt worth protecting

the time/trouble trade off just wont be worth it

ok well tell me what is a good server to use

i might

get one

what kind of service or software is it?

well I want it for

Like I supply it data and it will submit to a database for example

extracting data, inserting data. stuff like that because
if i leave it in the code it will be cracked easily

is this data that the user will download to their computer when they use it?

because if so they can trivially extract it still

if you dont want the user to access it you have to just not put it on their computer at all

well no for example there is a file that needs to be downloaded on the user's pc to access a database.
I do not want them to be able to view it or edit or anything

that is not possible. if someone is malicious and the data is on their computer in any form that the program can use, the user can access it

well thats what i need

they can just pause hte process and extract the data from memory

is there a possibility

or even run the whole thing in a vm and step through it

can i somehow keep the file data on the server?

you would have to do all the processing there too and only return the data that you want the user to see

it is literally impossible to send data to the user in a way that a program can process it but the user cant get it

unless you can control their hardware like video drm does

ok will here's an example.

Data extracted from the user > Send data to server > Server gets the json file(its required to access database, also stored on the server) > server will send data to the database. Done.

that's something I need

yeah you can just make a normal web service with like flask or django that takes a json message

then do the rest normally on the server

then return a confirmation to the user

but if you send any information to the user, just assume they can see it

okay

do you have any

recommendations?

for the hosting part

you can use any 'virtual private server' host like linode or services that have special python support like pythonanywhere or heroku

isn't pythonanywhere free?

ah never mind

they have a free tier

but its a generally paid service

well thanks for the information. appreciate it

Maybe this time I won't have to keep my PC on.

I literally made a python app which transfer datas
where user sends data to 'fake' database

and my program would quickly grab that data and send it to the real database

thats how I did it lol

of course I had to keep my pc on so the python script can keep running

Hey, out of curiousity: Is it safe to have sensitive information displayed as terminal output?

For example, if I were to display a password onto the terminal (which is safely secured in a document with hashes and a salt for each account), would it be safe to display said password by decrypting the saved hash and output it as plain text while said decrypted password is not saved anywhere as a variable or so? Or would that be vulnerable for data breaches? 🤔

err... if you store the password hashed, how would you even be able to display it in plain text?

and no, I believe passwords should never be displayed

terminal output can be tracked/stored/... too

or just a random dude walking by and glaring at your monitor

hashing is different from encrypting, you cannot decrypt a hash

The fact that your hashing function which is supposed to be irreversible can be reversed would be a big security risk yes

Well, passwords usually are stored securely in a document where only hashes and salts are stored, no?

So you can decrypt said password by it, no?

Or am I missing a huge thing in hash security? 🤔

@rugged oracle yeah, you are. hashing is a one-way function, you can never get the password back from a hash. that's the point 😃 https://en.wikipedia.org/wiki/One-way_function

it's only use (in this context) is to compare against a user's entered password, appropriately hashed as well of course.

Oh, whoops. xD Haha, sorry! I was just thinking of perhaps making an offline password storage application with Python and thought of saving passwords hashed. But as I only worked once with hashes (securely, haha), I forgot that you can't retrieve passwords because of how hashing is designed to be. My fault, @distant cove & everyone else!

@rugged oracle apologies not at all necessary, this stuff is Hard! I've only been bitten enough by it to remember 😃 more than happy to be able to help, best of luck!

👍

@thorn obsidian Yeah, I got my own password storage option, but was thinking of developing an own application through Python to achieve the same. Only through my own 'creation', basically.

also their is

https://github.com/gabfl/vault

pro tip for rolling your own crypto/secure implementation/locked db/whatever:

don't.

as practice? sure, why not.

but never use it outside of testing.

"KeePass/LastPass/etc exist, and KeePass has been audited."

i got bitwarden

20 char long passwords became my norm

I'm tinkering on openssl. Curious on -nodes argument. How does app use a protected private key without exposing the password?

"I started with 20 char when I first started using KeePass back in... 2005/2006?" Smart man. I question the intelligence of mankind everytime I look at the most common passwords list

People using dumb sh!t like 'ilovemydog' or 'password'

Is it correct, that we rely on the keystore db to auto unlock the private key without human intervention?

ie, I supply the password once which is then salted by the app and then the app can use the key for us?

if you have an encrypted cert youll have to store the password in plaintext some how, stuff like hashing or salting will not work

assuming you want a program to be able to load it

but yea then you just give the program the password so it can unlock the cert

for the keystore specifically, i am not super familiar with how it works but the idea would be similar.
it should have a master password that you pass in just like an individual cert

with some googling, i can see that to make tomcat use a keystore you have to tell it the keystore path, the encryption type and the password

so that sounds right

now how do you protect it? well you have to just use OS level protection to prevent other users from accessing it. eg make it readable only by root and potentially the servers user

this is generally acceptable because once a program loads encrypted data and decrypts it, the user running the program and root can both find ways to get to it anyway

some software might let you load the encrypted files as root, then switch users afterword so the password itself isnt seen but i dont expect that its common @swift torrent

if you are worried about getting hacked or something, make the service the needs the encrypted data completely separate from the part that interacts with users / the internet. this is how credit card processing is done generally. that database is totally separate from the main web server.

I supply the password only once, and the app (+ keystore db), will salt/encrypt it beyond recognition but the app has the ability to open the private key. At the most, the password of course is in RAM for a short moment otherwise how can it use the key.

@tropic bay passwords from breaches don't get any better 😂

Is using hashes as passwords a good idea ?

Random thought here

An actual hash?

to be hashed again with salt and what not

If you hash a password they can still dictionary attack it if they know you hashed it

buuut if you hashed your hash and used that as a password

Pretty secure as long as you dont tell anyone you did that.

Yeah, hashes-as-passwords are actually not that uncommon as they are so much harder to brute-force than (for ex) “passw0rd123”. But that’s their only benefit: obviously, memorability suffers greatly.

You also have to rely on the fact that they dont know its hashed

common passwords are probably tried as hashes as well

True, but even if they do they still have only one choice, brute force. The attack space is smaller sure, but they’re still just trying everything.

(And I’d argue the attack surface doesn’t become significantly smaller even if the attacker knows you’re using hashes. It’s a common Redis “security” mechanism, and even though attackers are aware it is used they don’t bother. The return on investment is too low. All that said: I am not a cryptographer!)

You can still dictionary attack if you know to hash the attempts

I'd assume at least

@silent pier well, a dictionary attack is just a version of a generalized brute-force attack, so yeah that's definitely possible. but I was suggesting that the "hashes" used here aren't actually hashes of anything meaningful: hash the next 128 bytes of /dev/urandom, make that your password. no dictionary on the planet is going to have those 128 random bytes as a seed, I can assure you that.

That's true

but if you think you're safe just cause you hash correct horse battery staple you'd be mistaken

It's just adding another step to any process a hacker could replicate

haha so true! and a hilarious example, it sounds like a post-modern prog-rock band name: "Hello Detroit, we're Correct Horse Battery Staple!!!" 😆

it's security by obscurity

yup

as soon as you know the "algorithm" used, it's moot

well again, unless the algorithm is completely random

but the point is valid: none of this changes the fact that these are still just passwords.

I mean, assuming you're just a regular random user on an arbitrary platform, c59a25d89a7dae70db20e3bec09bcbf5 is still a far more secure password than My1Bad2Password

because an arbitrary attacker would probably not assume this technique and focus on the large mass who doesn't do that with their dictionary

yup totally! it's all about resources: an attacker has a limited amount, so must focus on what might give him/her the highest ROI for their effort.

But if you're a target, and the attacker might get that idea too, it's not much more secure any more

However, that also means whenever you need the password, you have to re-hash it again

And that could be noticed or leave traces in places that could be found

@tight abyss not if you just keep that password in a manager of some type

then you can just use that password manager to generate a totally random passphrase

doesn't have to be the hash of something memorable then

yeah, that's what I've been arguing all along, hashing memorable strings is no different than just using them as your password: "but I was suggesting that the "hashes" used here aren't actually hashes of anything meaningful: hash the next 128 bytes of /dev/urandom, make that your password. no dictionary on the planet is going to have those 128 random bytes as a seed, I can assure you that."

why don't you use these bytes then directly instead of their hash?

@tight abyss hard to represent in ASCII 😃 base64 would be a good choice too!

true

depends on the input space of the application

what I always try to keep top-of-mind is that cryptography is just fancy math. like we're discussing here, using something memorable and just hashing it more than once doesn't change the math.

but using random data does

(truly random! psuedo-random is good, but not actually random, especially not to a cryptanalyst!)

(FWIW, if anyone is interested in learning about cryptography but - like me - simply cannot make heads or tails of most textbooks which are insanely math-heavy, I found this book to be really awesome: https://www.amazon.com/Code-Book-Science-Secrecy-Cryptography/dp/0385495323)

(It's a historical look at crypto through the ages too! Really neat.)

True

Hey there. I am not too versed in web security. I am wondering if httprequests via PostAsync sent to a non ssl protected website can be grabbed, or if postasync is encrypted by default somehow, or if I am just totally confused in general.

Is PostAsync a .NET thing? How are you using this from Python?

From what I can tell, no, it's not encrypted by default

So yes, it can be intercepted, read, and modified

@safe bear yea it wasn't totally a python question specifically. I just didn't know any other actually helpful servers that had security/database help areas

(Thank you for the help)

No problem, and no worries.

@safe bear at what point would the data be vulnerable? Where would I have to do the encryption?

When it is transmitted across the network

So it has to be encrypted first

Use HTTPS instead

with TLS

Yeah ^

I do not think that is possible with what I am using

If you're gonna do encryption by key. Might need to do some extra coding otherwise

To share keys etc...

No idea how familiar you are with roblox API, in short I am making a bot for a large game, and am sending some data to a mysql database.

I think httprequest using PostAsync is the only way to get the data. The data is sent from roblox itself as they do the hosting

Unfortunately I'm not famliar with it, though I do know of Roblox

They don't support HTTPS?

This is the documentation of it. http://wiki.roblox.com/index.php?title=PostAsync

This just raised a concern for me

Yeah I'm looking at it now

So when I deploy a discord bot locally. The data in transit is visible to everyone ?

Doesn't seenm to have any security....

Depends on transit to where Jason

Idk

@velvet isle no. All data is server side

You are just telling your bot client what to do with the data.

Lets just say the bot reads messages to see if its equal something and then respond

That is all handled by the discord.py api

so its like

Discord Bot(App) - handles the operations ?

And discord does all the rest

there is an event reference in the discord.py api. The bot is hosted by discord itself. You are just telling your bot what to do.

Actually let me explain better in the #discord-bots channel.

Cool

https://www.politico.eu/article/ukraine-cyber-war-frontline-russia-malware-attacks/amp/

interesting write up on the cyber attacks in Ukraine

This whole concept of cyberwar is weird

Countries firing bits and bytes at each other

Lol

that is not weird

its still war just another battlefield with other weapons

@broken narwhal Hi, if the HTTP session doesn't have a TLS layer it could be man in the middled. It doesn't matter what module is making the request

@velvet isle You might find this Joint Defense document interesting. It discusses the military's view on cyber warfare. I'm not endorcing the view but it is good to know how the people with their finger over the button see's the domain https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_12.pdf?ver=2018-06-19-092120-930

@lost tree looks like a good read

I'm going through it rn

what did u find out?

I'm still on it

I have other stuff to do also

Hi guys why when i am trying to sniff a http request and answer from facebook i dont see any http protocols

thats because they use https

how can i sniff https?

or cant i?

you odnt

thats what the s stands for

secure?

why dont you just watch network traffic in the browser

yes

im just trying stuff with wireshark

youll see the encrypted packets as tls packets

how do i watch network traffic on browser?

well for chrome you open the dev tools and go to the network tab

so the https means that i cant sniff it and its encrypted?

you cant sniff it as its encrypted

youll just see giberish

i understand

but the decryption happens in my browser?

yes

well or on their server

i send an encrypted request and get encrypted answer no ?

so hot their server will decrypt the anser if its in my browser

that first sentence does make sense

the second doesnt

if hot is how, you also sent encrypted messages to the server whihc get decrypted there

@peak wadi use fiddler

They allow you to intercept your https traffic

(YOUR)

Just incase a mod thinks we're trying to intercept other people's things

(the information you gave him can be used to decrypt other network traffic, if it can be used in a bad way its not okay as we dont know the intentions of people)

anyone here has experience taking the oscp exam on ? i would like to ask a few questions and suggestions.

@peak wadi Take a look at MITM Proxy https://mitmproxy.org/

Hi guys, I’m looking for a good python package for encryption (AES and RSA), I see that PyCrypto has some security trouble. Do you know a good security module plz ?

The cryptography package

Okay thx

Hi guys i know its not about security but its probably the only place that people are familiar with TCP servers can someone help me with that, pls pme

!no-dm is our policy

But, actually asking a question in a relevant channel may help

!ask

@void aspen What problems have you had with PyCrypto?

I have run into issues with using it in AWS Elastic Beanstalk because it needs compiled C libs but that is the only thing I've run across

@lost tree I see on Google that PyCrypto has some serious security issues

interesting.

i think the remote vulnerabilities were fixed, but yea Grote seems right about cryptography package

thanks

And I plan on deploying it to linode do you know any special issues about Linux on cryptography @lost tree ? :D

nope! works fine for me on EC2 instances running ubuntu and the AWS variant (as well as my home box)

but I haven't had the opportunity to tinker with linode. I'd be interested in what your experience with it is

same.

I'm running on EC2 and experiencing no problems with the crypto package

How can i deauth a Network which i am not connected to? The AP is Cisco AP 1852

Mention me in the answer please

What's your goal, @sand bay ?

Okay, since you've not answered: I have a strong suspicion that what you're trying to do breaks our rule 5. Please make sure that you follow our rules when asking for help on this server, @sand bay

!rules 5

Because PyCrypto isn't maintained

Hi can i sniff https with scapy?

That's not something we help with on this server, since it can be used for malicious purposes. See our rule 5.

!rules 5

How can people discuss about security with this rule, all the security subjects can be used for bad intentions...

You cant be responsible for others action, its like someone goes to a cyber security course and the course wont teach anything because it can be used for malicious purposes

What can u discuss here with this rule?

@peak wadi you won't be able to sniff https without jumping through a lot of hoops regardless

people can talk about security with this rule

you know there is actually more to security than attacking

@peak wadi No, we can't and won't be responsible for the actions of others, but we do have strict rules on what we allow on this server. One thing we don't allow is assistance with code/packages that can be used for malicious purposes. This is restrictive in the field of security, but there's a lot of discussion possible that doesn't involve the direct application of code that could be used for malicious purposes. For example, discussing TLS itself is fine, but you were asking about an actual application of sniffing of TLS encrypted packages.

@@leaden blaze TLS?

Transport Layer Security, see https://en.wikipedia.org/wiki/Transport_Layer_Security

Security here is more focused on Blue team side.

Way more

This server is purely Blue. We generally do not allow Red discussions beyond theory.

If you want to talk about Red stuff there are plenty of other servers for that.

+1

i want to auto renew some certs with letsencrypt but i get an error for one of them if i dont include the apache argument certbot renew --dry-run --apache

it should be fine if i just change the cron entry that letsencrypt generated from 0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

to

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --apache

right?

@safe bear you got any invites?

for 100% red

Little OhShitOhFuck of the day: https://www.theregister.co.uk/2019/03/05/spoiler_intel_processor_flaw/

TL;DR, from my understanding: another side-channel vulnerability in every Intel Core processor caused by predictive memory access, kinda similar to Spectre/Meltdown in some ways, triggerable from unprivileged code and even from inside VMs and containers, which greatly simplifies other attacks like Rowhammer to read arbitrary memory.

s i d e c h a n n e l v u l n e r a b i l i t y

https://github.com/NationalSecurityAgency/ghidra

A reverse engineering tool by NSA itself.

YAAAAS

how does code injection work on python and how can i test for it?

id be surprised if a lot of commerical hardware isnt backdoored in some manner

@dusky horizon most of it is with regards to using functions like eval and trusting users' input

so just trust noone will break the script?

no that is how vulnerabilities like that happen

any time you accept input from a user you should review instances where it is used and make sure that sensitive infortmation can't be accessed or written via those channels

alright. @buoyant maple

https://twitter.com/TheHackersNews/status/1103233119434489857

update ur chrome browsers!!

you shouldnt be using chrome in the first place

but if you are!! ^

anyone using chrome has this channel muted

:o

lmao true

my company forces me to use chrome

since we only support chrome for our webapp

like oh?

i use chrome when i watch twitch 🙂

I use Waterfox on Windows and Safari on macOS

its not really a zeroday if they patched it is it

Yeah its more of a 1day now

😕

wait

i think now

its ||technically|| 2day

just run openbsd lol

im happy with my Mach openbsd baby called macos

unless im being a gamer

then its windows all day

Article says that they are keeping the bug tracker page rstricted, but couldn't people just look at chromium commits and see the diff?

work backwards to figure out what it was if they really cared

Yeah also on CVE and NVE theres no record of the vuln yet

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5786

rly?

ah they updated it

It's there just private

but it still has no info on it

cant they make it pub now that theres a patch?

https://access.redhat.com/security/cve/cve-2019-5786

here theres more info on redhat's page

Is there a open source package for converting cryptography files between multiple formats? For example, .pem to .p7b and .pem to .p12? Using subprocess and openssl is possible but a Python library is preferred

@chilly elk Two things: what's wrong with Chrome, and don't confuse OpenBSD with the distant dumb cousin that is Darwin BSD

Not as far as I know Oskar. The certificate conversion stuff is specific to the tool I think, couldn't find anything in pyOpenSSL

when u tryna decrypt a file but File is corrupted or not an AES Crypt (or pyAesCrypt) file.

😔

Because AES is the only encryption algorithm there is in the world?

Because it was encrypted with AES

I used aes256cbc with cryptit

With the new Web Authn, I understand that the point of security keys is that they can't be copied. So what happens if you lose you security key? If you forget your password, you can make a new one. Do sites implement something similar with Web Authn?

depending on what ur talking about you could revoke them

in case of stolen private keys for certs some browsers might check ocsp to see if they should still honor it

hello, i am a security noob, how do i get started?

depends if you wanna be a pentester or if you're trying to protect yourself or a company

trying to protect myself

but ctf stuff is also fun

ah well, that depends on what there is to protect rly

use a password manager, install updates often, set up a vpn

most importantly put tape over your webcam

VPNs aren't that necessary if you know what you're doing Tor here and there does the job, also sites like LeakedSource & WLI are helpful to check for breaches, and I suggest a Riseup e-mail account

VPN basically shifts your need for trust from your ISP to your VPN provider

You have to decide yourself which you deem more trustworthy and whether the difference (if positive) is worth the extra cost

Most VPNs are trash though, especially the cheap/free ones are often scams

Nord isn't bad

that's one of the more reputable ones from what I heard

but also not exactly cheap

it had a p good deal recently

not sure if it's still there

3 years was quite cheap if I recall correctly

94$ per 3 years

ends in 9 hours or so

meh, I don't need any

same 😛

if I ever need to pretend to be from a different country, I use the free ProtonVPN tier

but I'm not convinced it really adds to my general security or privacy

I don't really trust ProtonVPN anymore

how comes?

may i ask what's everyone's experience with security?

Someone who attacked ProtonMail was using ProtonVPN and Proton's team managed to find him

Obviously it's not the best for privacy

actual privacy

you have a link to an article or so?

I think I do

I need to pick up someone I'll be back in 30 min and I'll look for it

just set up your own vpn 4head

also your own mail server 4head

riseup is nice though, thankfully they increased default mailbox to be 1g

https://www.zdnet.com/article/hacker-uses-protonmail-vpn-hacker-ddoses-protonmail-hacker-gets-arrested/

That wasn't the exact article I'm still looking for it

I can't find it, asked some friends

meh, I think if someone tries to ddos you from your own vpn infrastructure, it's quite easy to notice that "on the fly" even without logging

but yeah, you never know how far you can trust any provider

true true

I tend to follow the view that you shouldn't trust anyone with more than you are okay leaking

That said I'm a paranoid pessimist so heh

should i learn python more or start with that security python book most people suggest? i only know the basics of python

best way to learn is to make stuff

+1

I have a database with sensitive information, would using bcrypt to SHA256 the information with salting be secure enough?

Definitely

What are the risks ?

Who might be able to gain access ?

theoretically speaking™ how long would a bcrypt hash take to check through 350 million words?

well depending on what the cpu speed is

with hps being the hash per second value the computer is able to do
(350 * 10^6 )/hps

you could experimentally get that value by for example calculating a few dozen bcrypt hashes and get the average or something like that

aight

if you dont have a gpu cluster of enthusiast grade hardware, probably would take you about a whole day to exhaustively try to "check" all lowercase alphanumeric characters of a string that is 6 characters long

a day?

thatd be a pretty damn insecure hash

thatd be 657410 hashes per second

I have a program that saves some passwords into a config file, I just want to stop snooping eyes from looking at the config file. The whole point of hashlib is not to decrypt stuff so how should I encrypt passwords with a way to decrypt them?

Also I'm interested in working with Cyber Security in the future, do you guys recommend any guides for that in Python? Whether that's encrypting or whatever I can learn.

Well their are some python cryptography modules you can use I don't think they are built In. I think you should also look into different type of encryption so you can weight the pros and cons of those and decide on what to use. I'm also curious as too why your opposed to hashing with salting and peppering?

I would give black hat python a go and violent python and maybe look at some ethical hacking courses maybe look into comptia security + cissp and Ceh certs so maybe you can find a path in security that suits you

Another thing I would like to add is I know our technical institutes here offer a 2 year diploma in it-security

@orchid notch 321,272,406 / (60 * 60 * 24) = 3718h/s?

oh lowercase

shiet mayne 650khps bcrypt would be 😎

Hey guys, I really like python but I wanna learn cyber security as well. Can you guys suggest a good book/books/courses oriented in cyber security using python. I've actually already started learning cyber security but a the materials I've found on the internet are only explaining how to use other people's tools. Yes, there are some good ones but they only get to the point where the person who teaches imports a module and does all the stuff that are actually important for me to perceive with just one line . For example instead of using sockets, he uses scapy that does all the hard work in just one line lol. Correct me if I'm wrong but understanding the concepts is more important than using the tool.

you can start here: http://overthewire.org/wargames/ and build your way up through the levels

Well, you have to understand networking and what the heck you're doing to use scapy

It's not a silver bullet, it's just a tool that makes packet crafting and manipulation easier.

If you don't understand how packets are put together it's not terribly useful

How can i create a secure login ?
I'm trying to use AWS Database for storing data but I don't want to connect to it from the client because that will show the information.

I was thinking connection to the server side and server side going to database.
I really never made a login system before with databases etc.

Anyways, I'm using amazon (AWS) for my stuff.

Anyone have any suggestions?

@thorn obsidian an application I’m making

Secure meaning the users using the login cannot reach the server side.

I’m not really experienced in server side that much I heard that amazon offers a service like this so right I’m just wondering what I can do if I get one

Well if you had a server side and a database what is the best to deli ever information to the database

Because if I get a database u know have to enter the password name of dB etc and I don’t want to do that on the user side because they might have a chance of getting fit by decompiling

Wouldn’t be users able to get that information for the connections?

And yes

Sure

Scott \0/

@thorn obsidian from what I understood he was only communicating through the VPN

hah. that app some dude made to help people find MAGA hat / Trumper safe restaurants is a massive security hole

plus the developer hard coded in his credentials

unsecured API exposing all users + hard coded creds = 😙 👌

@lusty flare lol got a link?

i'll dig one out

https://www.theregister.co.uk/2019/03/12/63red_security_freakout/

thanks!

https://twitter.com/fs0c131y

that's the researcher who discovered it

wow at the way they responded to it

calling the FBI

yeah

i mean it was an unsecured API

apparently with only about 36 API requests he could get the entire user database

well ~30ish requests

yeah not surprising with an un-authenticated API

Lol imagine calling the fbi, "this guy exposed my incompetence, and my butt is hurt."

idk man, that app looks like a safe space finder for trump lovers

you gotta have a safe space where you can't be criticized right?

correct

i think they're just fed up that they're being persecuted based off how they look

which is pretty damn ironic

watching a talk on hacking all in one printers through the fax machine

HP hardcoded a URL (fakeurl1234.com) into the code

not sure why it connects to the domain

but the researcher registered it

that seems like an incredibly dumb thing for HP to have done

https://www.zdnet.com/article/malicious-counter-strike-1-6-servers-used-zero-days-to-infect-users-with-malware/

wow

interesting exploit

not just the RCE but how they used it

need more details on what the exploits actually were

but who would have thunk

exploits through games aren't unheard of

i think i've seen it a few times in counter-strike alone

Anything can be exploited

Just speak it's language

i am surpriced people still play cs1.6

Now I'm curious if this is malicious server owners, or if there's some malware that spreads by waiting for the infected user to host a game

it starts with a malicious server owner i believe. based on my experience with source games, it likely either downloads a file like a map or other resource that exploits a bug in the client or somehow abuses some command/packet that servers can send to connected clients.
then it sounds like they use the exploit to start another infected server on the victims pc and show ads.
they use the many servers to entice users to join since they are likely to be able to find an infected 'server' near them since people often sort by ping

also even worse, the ads are largely for legit community servers who pay these guys for ad space

"legit" since they are paying a botnet

they're still gaining ad views, doubt they care much

Hello, I'm not sure if I'm asking in the right channel (I couldn't find a channel related to network stuff) but I have an python HTTP server running on my computer. To access it from the internet I've setup a NAT rule to forward any connection on a specific port to my computer. The thing is, I can't seem to find what host I need to set to be able to listen to the forwarded connection. For now the only solution I've found is to listen on all interfaces (so host="0.0.0.0") which is something you want to avoid. Any idea about how I should proceed ?

Set it to listen on your host IP

@rugged nebula Set it to the IP address of the interface that's connected to the network you're NATing into

You can find that with ipconfig on Windows and ifconfig or ip a on Linux

For my computer, it'd be host="10.0.0.180"

I just had to retrieve my computer's IP on the local network, as simple as that, thanks for the help guys 👍

What do you think of SSH honeypots?

I think it could be handy to generate a dynamic blacklist for the firewall,

they're annoying you'll probably get scanned once and never again from those IPs anyway, not going to be very helpful except from blocking either a scanning server or a few bots. Blacklisting all of China and Vietnam would even be more useful

just use fail2ban to dynamically ban ips temporarily which fail to authenticate multiple times

Apparently south korea

Is where a lot of bots are

Yeah South Korea gets their routers fucked a lot, but scans from South Korea aren't frequent

f2ban best solution

there are also tools that work like adblockers where they download blocks of ips that are known to be bad or are just foreign ones that you expect you wont interact with that you can load on your firewall to block

it cuts the number of attempts way down

I'm not sure If this is the correct channel but what would be the best way of making api auth keys?

I'm gonna go sleep now but just ping me if you have a way that you think is good thanks!

If you mean just the keys users would use to call the API then good old md5 would do

But make sure the keys don't already exist 👀

md5 will not do

please use sha

why tho?

no one wants long af api keys

hey guys looking for help with scapy & network scans

For API keys you can just md5 random values or use an uuid or whatever

@lusty flare as the unhashed content wouldn't be so important if it's a random number md5 is viable here

fair enough

sure, AES can take 20 years to crack given a strong password but what if they catch you and wack you with a 5 dollar wrench till you giv them the password?

hidden volumes could help but not finding a simular feature for password managers

🤔

Pls rephrase that @tropic bay

you following me?

.......

?

continue

right

right

@tranquil oar you can use jwt for that

yeah

why worry about that

just use jwt for it

@tropic bay hidden volumes fell out of favor since they dont need to know if you actually cryptographically hid something to torture you for information or throw you in jail

but you can just use a hidden volume tool to hide any other file if you wanted to

these days people just use full disk encryption to hide everything

"hidden volumes fell out of favor since they dont need to know if you actually cryptographically hid something to torture you for information or throw you in jail" well the idea is that if they do torture you for info, you can give them the password for the outter volumeand they wont be able to tell that there is a hidden volume within

hidden volume tools are nice but the thing is, password managers dont really have a simular feature

best i came up with was to have 2 accounts and you'd have a dummy acount and a real account

but the program i used doesnt clear out the username field

which could prove problematic

if that makes any sense

having two accounts wont help because if its decrypted they can see both

nono

i am talking about password managers

like dashlane or last pass

hm ic

there might still be caching that can be used to discern that. eg file sizes, access history when you wernt logged in to your main and so on

using full disk encryption but not writing to the whole disk is how hidden volumes work. you could have a fixed location for a header and the part that points to your hidden volume is still encrypted unless you supply the other key

using an online manager like lastpass is more dangerous than a local file imo because there is potential to remotely gain access by modifying the client before it gets to your computer

yeah and going back to disc encryption it doesn't really encrypt the computer, it just encrypts the hard drive. so if say i steel your laptop and you encrypted your drive, i could swap the original with a new drive and i can use the laptop just fine

but you can mitgate the last user name field in a web based manager by making the browser clear all information when you close it

i dont know what you mean by encrypting the computer, since the disk is the only place you intentionally store information

yeah i was disappointed because i hoped that disc encryption would actually stop people from using your computer without the password

but then they could just swap the drive

ah i see, yeah if someone has access to your hardware, its theirs

its a fundamental part of security that you just assume anyone with physical access can take control of the hardware

right, going back to "using an online manager like lastpass is more dangerous than a local file imo because there is potential to remotely gain access by modifying the client before it gets to your computer"

i thought the traffic between u and the web server is supposed to be encrypted so you cant even see the data

if youre the guy inbetween the 2 communicating parties

so how would they modify the client?

after typing that, i realize how stupid teh question must sound from your side

its supposed to be yes, but government level entities can just walk in to their hq and force them to change the code on the server

and sometimes private keys leak so you can have other entities change things

private keys leak?

how offen does that happen?

not very often but think about this: what is more likely, that someone targets a single individual, or that someone targets a whole group at once

the payoff for the second one is much bigger

so the whole server only uses 1 private key to communicate with people?

i thought the keys is different per individual the server talks to

no because then they would have to generate a new one for every user, and for a key to be trusted there has to be a chain of trust

it takes a while to generate a keypair

at least for https, the server has its private and public key pair

however when you connect it can generate session keys using the main keys and your client has to do that

basically the server has its own key that it uses to authenticate itself and you use to share the session key

then after that key has been shared you can use that as a unique per session key

but the server itself has just one key

but if someone has access to it, they can see your session key when its shared

the session key will be used just during that session iirc by both ends, but the main key is the important one

(long story short yes the key which is actually used to communicate is individual however the key used to encrypt the communication which transmits that key is unique per server)

yea

right

and who have access to the private key aside from the server? the admin perhaps?

the admin is in this scenario "part" of the server

depends on the organization. anyone with root access to the server would have it

but their deployment system also has to store it to push it to the server, so some people on that team would have access to it

typically though they wont have it on every server. they likely will use a reverse proxy and that proxy handles ssl so that the rest of the system inside doesnt have to

https://en.wikipedia.org/wiki/Transport_Layer_Security

well at least they wont have the same key inside

the fewer systems that have that key on them the safer it is

https://tiptopsecurity.com/how-does-https-work-rsa-encryption-explained/

rsa was actually declared useless for encryption in tls in v 1.3

they just use it for signing now

they dont actually go in to the details i dont think in this

i'd have to look in to whats different overall

the difference compared to before is that now you basically must use ecliptic curve based algoritms for encryption and can use rsa for signature if you want

hm is it the idea of having one key public then switching that is the part that is broken or just RSA specifically

RSA specifically

kk then my link is largely fine for an overview

iirc they said theyd drop it because its so easy to get wrong id have to check though

yeah i would never try to implement my own encryption period. let someone elses library do it that has been audited

thats what they said

i have been looking into making an app to make it easier to build a mini CA for homelabs, but i have been afraid to even share it since it involves cryptography and isnt audited

there is a go project for that

it was trending for some time

i have one working via the cryptography library and i just let you set the information that goes in to the cert

but freeipa has a cert manager too so i am moving towards that

oh god user define information

evil

🤔 well to make a cert you have to provide information

i just randomize mine

you randomize the urls it can apply to too? :P

yeah i use a grammar based URL generator for those

🤔

so it gets extra confusing

i like it

i shouldnt have said that should i

i think the number of people that know enough about certs to take your joke seriously are pretty few tbh

https://github.com/google/easypki

there you go

a quick peek doesnt seem a ton easier than using openssl's cli for it

weeeeeeeeeeeeellll

freeipa has a web interface and can push the certs to the servers

my thing is just a flask webpage that you can generate them on and it has a few templates for stuff like 'web server' or 'vpn server' etc

i didnt finish it because i couldnt decide on how to store the private keys securely

it does work however

also i didnt want to build a cert revocation list generator

you might as well just clone boulder :P

as i discovered the new way is just a server that lets you query if a cert is still valid which was a bit out of the scope of my learning

the documentation on what extensions you need to have your certs accepted by browsers isnt great so that was fun to learn about

the documentation on almost anything you rely upon on a very low level isnt great

yea haha

its really interesting how few screenshots there are of the freeipa web interface

before i started it, dispite all the reading i did ahead of time, i still had no clue what it was going to look like

it wasnt really clear if it even had a real ui for generating certs

my goal is single sign on for my home lab and my future python server experiments

what are the beginner security books for python?

Violent Python for absolute beginner in security of python.
Black Hat for a bit experience leveled.

thanks!

This doesn't sound as hypothetical as you're trying to make it. What exactly are you trying to do and why?

let's say i am working on a flim project and i wanna include some stock footage that i shot of that building

Let's stop with the "let's say" and go to the "why"

Are you asking if you can be tracked down for using a location in a film that you don't have permission to be at or something?

That's not really something we cover here

I'm saying, as an Admin, that it's not something we cover

Is it possible? Who knows, possibly if there's enough pictures out there of the location

But if you're trying to find a way to get away with trespassing and filming at a location you shouldn't be at, then we can't and won't help you

!rule 5

no that's definitely not the case

You can't really blame me for coming to that kind of conclusion given the vagueness of your questions

it's rather important to me because if i can be located just by say, filming my self first person walking around, then it becomes a problem and it makes it hella lot easier for someone to dox me and find out information. but again, if you think this is off topic, i'll happily delete my messages and drop the topic

Again, anything is possible

It's a difficult subjects for us to help with, but I'm not even sure we have the right knowledge here to even answer it appropriately.

If you're worried about doxing then taking ANY kind of footage or the like is a potential threat

Anything you put on the net can be used to track you, that's just the nature of it

We've given an answer on this

Sounds good. And again, not trying to be a hard ass, but there really isn't a for sure answer we can give. We aren't dedicated security specialists. Nor do we specialize in location obfuscation

I'd say if you film yourself in any setting and publish that online, you're probably rather easy to track down anyway if someone is dedicated enough, and depending on how much other footage and information there is available about you. If you don't want arbitrary people online to draw any conclusions on your offline identity, you should keep them separated, including no pictures/videos of yourself or the things around you. My opinion.

yes i understand and appreciate your response .

Regarding what kind of pictures would pose how much of a risk for leaking your identity or location, as mentioned, it's hard to say. If you take a picture of a unique building that already has other photos online, google reverse image search might already yield interesting results, especially if you can combine it with other info available from the context, like state etc. But it's all guessing, there's no definite answer until it happens.

yeah thanks buddy

i'll have a look

background imagery of mountains and buildings led to location; levels of vegetation led to time of year; camo patterns and rifles carried by the troops led to combat unit and eventually the individual soldiers.

Recording a murder in the open isn't a great idea is it

not a great idea to murder some1 in the first place

Well its Africa

Don't justify murder, please

I shouldn't even have to say that

@ebon totem Would you mind suppressing the link by wrapping it in <>? The image that pops up on the embed isn't really something to have on the server

@quiet viper I've gone back and edited the message by surrouding the link with angle brackets; guess it doesn't retroactively remove the embed?

deleted the message and embed: search for "BBC Anatomy of a killing" if you're wondering what we're talking about.

Huh, it should

Either way, I appreciate the effort

wow

i didnt know u could surpress the link

You guys might consider changing your Facebook passwords (if you have any account) and also those of every other service where you might have reused them. Facebook confirmed to have stored passwords in plain text, theoretically accessible by every employee, for years! https://www.theverge.com/2019/3/21/18275837/facebook-plain-text-password-storage-hundreds-millions-users

Don't need to change your password if you don't have a Facebook account 😉

+1

https://www.reddit.com/r/dataisbeautiful/comments/b3sirt/i_deployed_over_a_dozen_cyber_honeypots_all_over/

"cyber honeypots" lel

just call them honeypots bro

reusing passwords 👍

Weird flex

"Don't need to change your password if you don't have a Facebook account 😉"

plz install your swipe cards properly ppl

where is that from

a building.

i did not do the install

A) it's upside down

B) it's not got the security screw installed

C) it's insecurely mounted to dry wall

question to B whats the security screw
question to A is that really so bad?

well the screw is hidden if its right side up

also insecure on the drywall as in they did a bad job or you dont like that its just on the drywall and not into a stud?

insecure as in you can wiggle it out

and by security screw i mean a special bit screw, granted they can be undone with just some melted plastic

but as it stands you can just take a phillips screwdriver to that, open it up and short the door lock system

failing that, if you wanted to be more cheeky, wiggly it off the wall to get access to the Cat5 running to it and get a raspberry pi nano in there and a micro switch

¯_(ツ)_/¯

it's not the worst piece of installation i've seen though

https://www.youtube.com/watch?v=IV2V_fdvZb4

that's the worst i've seen

tamper with the alarm, tamper alarm goes off, pull the fuse, put the fuse back in, the tamper state is reset

then you have full access to the internals of the alarm unit.

ah yeah if you are going to use a card reader that has a relay for the door built in to it, you prob want at least a mud ring and the security screw

lol why is the fuse right next to it

i imagine they assumed the alarm would be secure someplace that either requires you to break in to access it. of course its worthless if anyone can walk up and disable it before it can dial out

but imo card readers with built in relays are just dumb

because the relay def should never be on the insecure side of a door

yup

and yeah, the door card system (not the one in the picture) to the building with that alarm?

old school 1970's mag card reader

exposed.

pop the cover and short the electromagnetic lock

Why do school's have card readers

why not?

easier than keys

long term

plus tracked entry

yea

also can track un-authed attempts

Hm

Never seen a school with that here

say someone without server room privs trying to use their card on the server room

to see if it works

its a lot harder for someone to get fired and keep a working badge

keys are like

NOT security

at all

basically every new school around here has them

and a ton of cameras

But copyable mag cards are?

we are also doing some retrofits with new/more cameras and stuff for older ones

doesnt matter because you can disable the card

cards are just id numbers basically

so you just tell the system that card isnt allowed in

Lol I got two new and two 70s schools plus a few other ones idk the age of and none has cameras, card readers etc

Like at all

copying a mag card is harder than copying a key

you dont delete it out of the db. you revoke all priv and set it to disabled

you can copy a key from a PICTURE

that way the logs show who used to have it

yeah thats true copying a key is super trivial too

And you can copy a mag card by walking next to it

no, not a mag card

you need to swipe it

literally anyone can do it if your locksmish is shady

oic

you're thinking RFID or NFC

i didnt see the swipe area

the one i posted was RFID

But if I walk in the opposite direction it's like a swipe isn't it

i'm just used to saying swipe card

oh sorry i dont have my glasses on and didnt see he mentioned mag card

missing single words without glasses

You got some interesting eyes

https://youtu.be/37E7u1c7huY

keys are not security

i missed all of And you can copy a mag card by walking next to it

that was my 2nd attempt at doing wafer locks

yeah picking locks is pretty easy most of the time with some practice

nice

i have to do it occasionally when people lose keys

especially when i buy old hardware

Why are you picking so much stuff in that channel

Is that your break into stuff channel

that's my channel

all unlisted vids

But you got another one too don't you

That justinrocks channel or something

today i have to go fix an access control system, speaking of them

yeah, that's my phone account

also fun one: https://www.youtube.com/watch?v=YdkqaBxHTv8

NOT double locked

their db seems to have corrupted. its on an old dell r210ii server so idk how it got corrupted but infiniases server software seems to have a lot of problems

my double locked time is waaaaaaaaay longer