#cybersecurity

First of all, it leaks more than the fact it's being luks

Secondly and as I apparently can't tell you often enough, I never said that they do anything wrong, both of them use either of the stand of the art approaches to it and yet both of those have trade offs which should ideally not be required

Upon the verification thing, if you actually were into cryptography you would probably understand what I mean with authenticated, think about this

If you have any cipher text and decrypt it with a key, is there any way for you to know wether that key was the right one or your result is just gibberish right now( remember it might just be a file from /dev/random so the thing might very well just be random gibberish) but you always have to wonder is it the right gibberish and the methods of encryption which allow this are called authenticated ones. If you aren't aware of that this discussion about cryptography on disks is pretty much useless because that's the thing XTS does not do and LUKS does perform but with a trade off

Also the thing about verification

I know that XTS is not an authenticated method of operation for a block cipher, that's not a thing I think, that just comes from the spec of it

Aboht the serious issues on a day to day basis, the volume part for example could be pretty damn annoying if you're trying to LUKS a filled up volume don't you think?

And the header being damaged well that can also happen and be pretty annoying

About the "I'm not bringing up anything new" yeah I am not bringing up anything new about LUKS, I'm pointing out that it is not perfect, not that it is bad or wrong in what it is doing in any way.

And well, at least about Vera crypt i brought up something new for you

And even though I hate to repeat myself for the millionst time. I am not trying to bash on either Vera crypt or Luks, as I said so many times before, I'm trying to convey the point that disk encryption is not a perfectly solved problem which was my original statement and still stands

But as we apparently can't even agree on what authenticated means in a cryptographic way, my entire talk about XTS and what Vera crypt does wrong is indeed non sensical yes

If you ignore the details or as you phrased of "XTS this CBC that" then yes everything is fine as it is, stuff works and we are happy, but it it not a perfect solution of the details aren't perfect is it?

Also as I saw somebody typing before, if Scott doesn't say anything anymore I will stop now, feel free to cluster this channel with whatever you want again

Probably was me, I was typing and deleted message. I was just going to mention that full disk encryption is annoying because systems reboot and then ask for passwords for disks prior to the network coming online; rightly so, since authentication credentials are locked behind the disk. But that's annoying when it's eg your home network and the system rebooted because of a grid power issue, and I'm trying to remote-in from eg a cafe

That's a different kind of authentication, I believe nix was talking about verifying that the data you get once you have decrypted something is actually the right data

But in theory you could use ipmi or something like that to solve the remote bootup issue

Yeah, authentication is an experimental feature in LUKS2, but in real world it's not really a thing to worry about.

The only time it becomes an issue is if your hardware is failing, and at that point you have bigger issues.

You also would get file system errors and if you have crc checking in your fs you would detect data errors.

I imagine there would be some ways to attack a system by messing with the encrypted data and causing the system to decrypt invalid data, so I guess there are crypto systems that let you cancel the process if it detects that

So about authentication on FDR not being a problem irl, if you would simply read the article I told you so many times to read by now you would've seen that

"Encryption without authentication is problematic, not just because attackers can rewrite /bin/ls into a bindshell, but because unauthenticated ciphertext allows attackers to launch chosen-ciphertext attacks."

And chosen cipher text attacks can lead to breaking whatever you encrypted your things with

Which, at least to me, sounds like a pretty big problem don't you think?

oof
https://github.com/NAXG/cve_2019_0708_bluekeep_rce

@halcyon fractal Not an issue if you have an updated device. Most Android devices though... Ha ha ha ha..

android? wut?

bluekeep affects rdp, which is a windows thing

Ah, was thinking of Blueborne

i was wondering how you would get specific plain text results without knowing what key they are using to decrypt
looks like the concern is that you could copy blocks of data from one place to another on the disk. Since there is nothing securely saying 'this block belongs in position x', you can move data around and know that it results in something that isnt total garbage.

Hey, for school I need to write an essay. I want to to write it on computer science, more specifically security, but there's one little problem, I need to be able to test it. The problem is every time I come up with a research question that I like I end up not being able to test it. Do you guys have any suggestions of research questions or topics that I would be able to research? Anything would be helpful! Thanks!

Why can't you test the questions you come up with?

@stone saffron Why would you not be able to test?

so for example lets say I get interested in the general topic of hacking

okay so maybe I want to do something related to it

but I cant think of any experiment I can test

I need to be able to get data to analyze

Why would you not be able to use two systems to test whatever idea you had?

I'm just not following

I know it's not security, but the question should almost be in the format like "To what extent is file size affected by compressing data using the Lempel Ziv Markov Chain 2 Algorithm rather than sorting and compressing data using the Burrows Wheeler Transform and Huffman Encoding Algorithms?"

I need like quantitative data

to analyze

Let's go to #ot1-this-regex-is-impossible

could someone help me write a script that would encrypt a picture using both ebc and cbc, but would also keep track of how long it takes to encrypt using both algorithms

Do you already have a script which encrypts a picture using just one of those operating modes?

@tough rain nope

thought I found one online but it didnt work

https://www.quora.com/How-do-I-encrypt-and-decrypt-an-image-file-using-ECB-CBC-AES-encryption-or-something-like-this-in-python-using-a-program

Why didn't it work?

I tried copy pasting the code and I get errors

not sure what more to do

and yes i did download a tux.bmp

nevermind

tried running it in python 2

not 3

works now

oh okay then I'm glad you got it working

yep, thanks for the help 🙂

https://securityaffairs.co/wordpress/91338/hacking/lastpass-credentials-leak.html

This is why I recommend KeePass.

I also use KeePass. It's a bit annoying to use on mobile devices. Maybe I'm doing it wrong?

I agree

I had poor first impressions too cause the mobile app used to have a bug that crashed it and made it unusable. But that is fixed now

The iOS apps are shit though

With Android I just hope the prompt will pop up from the KeePass app to fill in credentials for me. When it doesn't, I switch to their keyboard and manually look up the the entry I need.

but typing 40 characters of alphanumeric vomit is... well... annoying

You don't type it

You shouldn't ever have to

The app has its own keyboard which has buttons that when pressed will automatically type the username or the password

I think it exists cause copy/paste has security concerns

Second and third buttons say "username" and "password" respectively

is there any service that works like shodan which scrapes all hosts automatically 24/7 by sending billions of requests and appending the results to the DB which users can then access, BUT instead of data about hosts/sites and certificates, has huge ammount of dns records in it's database.
dns resolver is not what i seek though

@tall haven You shouldn't be using the default keyboard to copy/paste, considering every app can see your clipboard... Which is why the other keyboard exists.

Ah, scrolled down and saw your response. D'oh

you want a reverse dns, something you can query an ip and get the domains that point to it?

@thorn obsidian What exactly are you trying to get from this?

hello

what are the differences between sha & sha2 & sha3

Good places to start? There are so many attacks and stuff that I don't know where to start

Nor in what "order" to do them

So if there is a guide/list or something, could you share?

@tight sierra attacks?

@thick flare https://en.wikipedia.org/wiki/Secure_Hash_Algorithm

thanks but im looking for quick summaries such as "the first one is faster and the recommended one is ...."

Did you click the link?

yes

lots of infos

It has quick summaries

it does

lol

Was there something more you wanted?

@thorn obsidian my English can be a bit rusty at times :/ I meant stuff like sql injection, xss, asp injection, etc etc. If there is a guide that covers most of the common ones

Or a good starting point, idk. There are so many things, exploits etc that it's hard if not impossible to google for them. Idk what to Google, mostly.

So I'm doing the cryptopals coding challenges right now and got to this one. I managed to solve it, so no problem with that.
Just why does the whole thing with the hamming distance and key length work.
I get that it is some kind of Kasiski Examination, but it just feels really unlikely to work. Anyone here that can explain the math behind it?

@lavish quartz You'd be a lot better off trying #crypto on freenode for in-depth cryptography questions

Hello, I have some questions on stdout and dllinjection 😄

anyone willing to help ?

You're free to ask the questions here anytime

Hey guys I'm writing a paper on "How does Electronic Code Book compare to Cipher Block Chaining in terms of data perseverance and efficiency?"

It's supposed to be 4k words

but I'm only at 2k

Does anyone have ideas of stuff I can add to make the paper longer and more concrete? Currently I have a brief overview of what encryption is, Block Ciphers, Block Cipher Mode of Operations, ECB, CBC, experiment info(I made a script in python that converts a picture to ecb and cbc) that looked at the images converted to see if there were any visible patterns, what the before section meant, further research opportunities, and conclusion

Have you compared block ciphers to stream ciphers and why you chose them to compare? @stone saffron

Whoops sorry misread the title of the paper, ignore me

So I'm playing Over The Wires, NATAS to be precise, and I'm at the point where I have to look for writeups because I have no idea what to do. Or if I do, it's wrong, or I can't do it properly.

Is that like, a bad thing? Becuase there is no "warm up" for it, like no lessons or anything, how am I supposed to look for something I don't know exists?

anyone here familiar with struct.pack?

ive used it a fair bit

whats up

@late hound

so i figured out the problem wasn't with struct pack

but im learning stack canaries/cookies

and have this weird thing but it's not really relevant to this channel/discord

would you guys say that a lan mesenger should use symmetric encrypton over asymmetric encryption or what do you think and why?

You don't use asymmetric over symmetric or the other way round, you'd use an asymmetric key to transmit a symmetric one safely and then use the symmetric one as asymmetric encryption algorithms are usually by far slower than symmetric ones

If you can you shouldn't build this type of crypto on your own but instead just use TLS 1.2 or even 1.3 if you have it available

@rose sparrow

Has anyone of you followed any of their lectures? https://www.youtube.com/channel/UC1usFRN4LCMcfIV7UjHNuQg

Are they good? If yes, what would be a decent follow-up? If no, what would you suggest I watch/read?

I haven't watched it, although the names themselves and the order in which they're sorted is certainly reasonable and from what I can see (I'm on mobile data on my mobile so I can't watch right now) the drawings do at least look subject related so if you're actually comfortable with the university style of teaching (aka these 1h-1h30 Min lectures and in your case no ability to ask the lecturer himself questions) it should at least be a reasonably good resource

@tight sierra

@orchid notch what would be an alternative, if there is one?

Like, books, or idk

Well I did read some books for a paper I had to write for college but they were all not in English so....

Heck

I'll stick with it for the time being

You can always just read the original papers as well

Know where I could ask in more detail, so to speak?

@orchid notch I doubt I'd understand them

You can always ask here, there are at least a handful of people who should be able to help

Well if you're enthusiastic enough the paper on AES should be, together with a resource on how a Galois field works, not too hard to understand

I'll give it a look after I've learned enough to actually read papers 😄

Is cryptography used often in security? Or is it like, the odd skill that might come in handy a handful of times?

Weeeeell

Most of the time when transmitting data you'll just say, throw SSL at it and you're fine

There are for sure a few projects like the SSL implementations for example which do require in depth knowledge of what's going on

I mean I think it's a nice skill to have

But I don't know what's used or not in sec tbh

I mean at my company we have a crypto solutions development which consists of a few people who build the cryptography shipped with OpenBSD who basically do nothing else that day so for me it can definitely be useful^^

I'm saying in a more general sense

I don't know what areas does the security/cybersecurity teams specialize in at my company

But apart from that group I've, even though we're a it security company only ever seen 1 bug related to something not trivially to Google related to crypto

Honest question

Can you enter in a security team without a degree?

I like doing ctfs as much as the next guy, but I mean, I want to know what my chances are, honestly

I feel like it's that kind of field where a phd/bachelor's (is that uni?) Is required

First of all, PhD and bachelor are fundamentally different, usually your route goes bachelor, master and with a bit of luck PhD

I know of at least one person in our CSD team who has a bachelor's degree in cs and he is one of the people mainly responsible for one of the VPN implementations in OpenBSD so it's probably beneficial if you actually want to do this on a larger scale, but as with most things you can in theory learn them yourself given enough time and resources, the questions is just if your employee will simply require a degree from you because he has no other way of "measuring your quality" or not

he does. Personal achievements/blog and certs

@rose sparrow would you guys say that a lan mesenger should use symmetric encrypton over asymmetric encryption or what do you think and why? - You're better off using Signal

Can you explain your use case?

@orchid notch as you might have guessed I'm not from America, so I'm not that familiar with degrees and such, so thanks for clarifying

Aside from that, time I don't have. I'm at the company for three months and it's like, either I convince them they should keep me or I get shown the door

(Is that like, a saying?)

Because I don't have a license I guess they want to make extra sure I'm not a waste of money, idk 🤷

A driver's license

I don't pretend to make it into the team in three months, but what can I do to at least get noticed?

@tight sierra just do your stuff, dont fuck up.

That's granted

But in the position I am now there's no way I can be noticed or anything

I've never worked before, I'm not good at social stuff

I don't know what to say/how to say it

okay, so now imagine it the other way around

ur the boss and u employ some random.

he already passed through your expectations during interviews and shit, right ?

soo... do You want him to be a monkey and do "special stuff" or just do his shit without whining about it ?

Actually I was hired after a course

The last day

so what?

Because again, not having a license is a huge downside

get one if u think its gonna benefit you.

I'm working on it 🤷

But the time to get it and the time I have at the company don't really match

I know I shouldn't race and be pushy. I know that much

But I also don't have time to take it slow

Look, You are taking it wrong.

this is how it is in the UK, i bet US is same.

You got 3 months to learn stuff.

They get 3 months to learn You.

I'm from Italy

But yeah, I know that

if they like you, and you like them, you stay.

so - its not a test - not at all.

Yeah but how can I show them I know shit if my position doesn't push me in any way?

(Not that I do, at this point in time)

I know it's a "feeling" period or whatever

I want to make something out of it

But idk how

I would focus on what can u get out of it.

instead of trying to please everybody.

Not that

I don't want to please anyone but myself

That came off bad.

You find weird methods of doing so.

I want to get into a team I like, learn skills I find interesting

But I don't know how to bridge that gap from my shitty position to something more in line with that I want

Well, You get plenty of skills that might be more attractive for any employer (current or future)

In dispatching? I don't think so

dispatching what?

Tickets

so like helpdesk ?

Yes

okay - so You are a part of a team, You have a boss, right ?

I've talked to him

Said he would ask around and see what he can do

You learn that coporate living - thats a huge benefit 🙂

But I feel that I need to show some initiative too

also, You are learning internal nomenclature (so this internal slang they have)

very often if any company is hiring - they hire internally first

so pay attention to that - thats it 😉

I'm doing it, I've asked a guy that works at the NOC/SOC if they're hiring and he said "idk, you never know"

So I guess that's a np

No

Well, try again in a month

dont be too pushy, dont piss people off.

Aye!

Thing is, I know a friend of mine will work there

So maybe I should wait more? Or less?

Like, should I even ask? Cause it looks like they have all the peeps they need

Heck

dunno really 😛

Heck

is there some sort of way to stop a surveilance software from recording what I do w/o uninstalling?

I've tried to search the process name on google but nothing showed up, so I can't just kill the proc

Ideally I'd want to reroute the packets, so that it doesn't show up as disabled, but idk if I can do it

just block it via firewall rules?

@tight sierra Not really, no.

You should never trust a system you don't fully control, btw.

@thorn obsidian I doubt I have access to it

@thorn obsidian and yeah, but I have to use it. And I'd want to do something productive for myself instead of twirling my thumbs for 8 hours

I'm applying for access to an API, and I need to submit a certificate along with the application form. This is the description: "Your x.509 certificate in base64-encoded format as a string". Does this uniquely describe a format for the certificate? The certificate we've received from the CA is in a binary p7b file. I've played around with converting it into different formats, and now I have a base64-encoded pcks7 file. But the description of the field doesn't mention pcks7, so I'm not sure if that will be accepted.

you'll have to convert it like you suspect

openssl seems to be able to do it

Yeah, but to what format?

x509 i'm trying to find the right command lol

theres a lot fo conversion types on openssl

Yeah. I also managed to get it into a format where it lists the entire certificate chain, but that's not a single base64 string, so I suspect that's not it either.

And I would think they don't want just the leaf certificate either.

terribly, i can find a p7b to pem, and a pem to x509

would that be enough?

Sure, whatever works.

I'll give it a shot.

openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem

thats to pem

Yeah, I ran that one before.

So I have it in pem already.

openssl x509 -outform der -in your-cert.pem -out your-cert.crt

that's to x509

if that doesn't work you could try pushing the entire x509 cert content through a base64 encoder

quite inconventient though

Yeah, I mean, they do ask for a base64 string.

yeah but i'm not sure if base64 is part of the x509 format or not

i haven't had to use it

I read this article and it just made me more confused: https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

yeah

i'd just say try the second one for your converted pem file

try submitting it

and if it doesn't work, throw the whole text content into a base64 encoder

two tries are better than a google adventure lol

I ran openssl x509 -outform pem -in your-cert.pem -out your-cert.crt and then I got the base64 string of the contents of the file produced by your command in a "--BEGIN.." block.

I guess that should be what I want?

interesting

should be

might be just part of the format then

it is a suspicion though, hence why i said just try without manually re-encoding

because if it's already encoded, no need 🙂

Well, worst case scenario, they complain and I ask them to explain what they want.

true

Thanks for the help.

sorry i couldn't be more sure 🙂

No worries, I have a good feeling about this.

certs formats can be painful lol

Heh, yeah, tell me about it.

@tight sierra Where is this system? What do you plan on doing with it?

@thorn obsidian self study, play games on the browser

Who's device is it, though?

I'm at a company and we're remote on the client's network

not mine

if we don't log on to citrix we can't browse at all

every url we type redirects to the company's citrix auth portal

from what I can gather we are on citrix from the moment we log into the machine using imprivata

tried using a cheap vpn from the google chrome store, firefox's seems to be blocked but not chrome's, and it doesn't work

again my guess is that since we're on citrix if we route outside bypassing the company's proxy we can't do anything at all

Yeah, I can't assist in going around your company's device policy.

I understand

I do fuck all all day, so at least I should be productive for myself, but everything is blocked

even github.

blogs and such.

That needs to be addressed with your company's HR department, IT department, your supervisor, or whoever makes policies there. This is something we will not help with

@tight sierra

@quiet viper I understand, I know it's illegal/immoral but it was worth a shot

I hope I didn't come off as an asshat or anything

A little brusque considering one of our staff did say we can't help, and we do have such things listed on our rules (which you might want to refamiliarize yourself with)

rule 5 specifically

!rules 5

yeah I was just explaining why I want to do it, I know I won't get help, and that's completely normal

I don't want to cause any damage to anyone, really

I hear you, just doing my due diligence

as you should 😄

again, I'm truly sorry @thorn obsidian and @quiet viper

Hey
What library is the best go to for encrptying passwords

I need to save an encrpted file in a extrnal txt file, import and decode it in my code, then pass the descrypted code to a odbc connection whichout every "seeing" the password in the output code log

@tacit lance https://werkzeug.pocoo.org

https://werkzeug.palletsprojects.com/en/0.16.x/utils/#module-werkzeug.security more specifically

Which, you're not encrypting passwords, you're hashing passwords. Encrypting implies it's reversible 😄

Reversible is necessary as I can pass the unencrypted str to the odbc SQL connection I am using it for

You can very easily use https://werkzeug.palletsprojects.com/en/0.16.x/utils/#werkzeug.security.check_password_hash

Wait, is this to login to the SQL DB or something?

@tacit lance So you're needing to use this to login to the SQL DB?

Yes, I am pulling data from an oracle SQL connection and can't have the password in my code so in the connection string it can't be encrypted

Ah, then you'd just use environment variables

What is the best password hashing scheme?

I've seen so many articles saying it is either scrypt, or bcrypt, or argon2 and I would like to know what you guys personally recommend

argon2 https://passlib.readthedocs.io/en/stable/lib/passlib.hash.argon2.html

but pbkdf2 is easy on the gpu and on asics

So first of all pbkdf2 is not a hashing function, it's a key derivation function which can be fed any hashing function as a parameter

So if you were to use pbkdf2 with sha256 then yes it is easy to compute lots of those on asics, wether you're gonna be successful in a short amount of time is still doubtable though

And for the question what's the best hashing scheme, many of the SHA algorithms haven been broken yet, there is as scoff pointed out argon2, there is bcrypt and many more, I don't think there is a best hashing function out there, it depends on your needs and probably a bit personal preference at times

I believe the standard is pbkdf2 with bcrypt

BCrypt is pdfk2 with some changes in reference to computational power I think

Bcrypt is an enhanced version of blowfish

pbkdf2 is HMAC applied in the pbkdf manner

There's bcrypt-pbkdf, which is bcrypt applied in the pbkdf manner, which I've used previously

Ah

does anyone know where the sbl event powershell logs are stored?

he is asking for a hashing scheme, pbkdf2 is just a method applying a hashing algoirhtm you can freely pick so basically youre saying, the best hashing algorithm is this algorithm plus pick the best hashing algorithm

that doesnt make any sense

yes and if you wouldve read it you would know that

is a part of the standard

its only as strong has this hash function

i mean its right at the top, you should know that its not a hashing shcme itself then

well then you actually do know its not a hashing lagoirhtm itself and still recommend it as one, thats pretty weird

what mac sets as a default does not change that its not a hashing algorithm

im referring to the definition, youre referring to a certain implementation

thats not gonna work out

@thorn obsidian where did your messages go lol

can somene use my bluetooth headset to try and pair with my phone, something like a bridge

?

cause my phone is hidden from all devices except the ones it's paired with but I still got a pairing request from a galaxy s8+

which I swiped away, refusing it, but still.

pong me if you have any insight, cause now I'm just v spooked

you can in theory still talk to a bluetooth device which is in undiscoverable mode by two ways

1. either you already know the full MAC address of the device and talk to it directly
2. you sniff for traffic going out from the hidden bluetooth device to already connected devices (like for example your headset) and by that get its MAC address which leads us to possibility number 1

should I be worried?

well I would be quite curious as to why they would go through the effort of finding the MAC address of and connecting to an actually hidden device

but its gonna be fine

🤷 that's what I want to know as well

either they're spamming, or idk

thats not how it works

like I haven't got other pairing requests after that one

no yeah I mean, they might be trying random devices they happen to find

idk

it came from a phone tho, so how would they sniff?

that would be the next interesting question

still they have to be in the same like..uh..thingy as me

right?

train car

I mean technically there are devices which can go 200 m+ but id doubt they have one like those

🤷 apparently it's an s8+

but I mean, for all I know it can be anythinf

if they can already sniff nothing is stopping them from pretending to be an s8 lol

btw id like to correct my previous statement

400 m

yeah, that's what I thought

well seems like I received no files, so like 🤷

but again, they might be able to hide them

@tight sierra Few questions come to mind. Is your device up-to-date?

@thorn obsidian yes, as far as I can see

If it's Android, what's the Security Patch Level?

1 aug 2018

That leaves you open to quite a few issues. https://source.android.com/security/bulletin/

I don't believe that includes BlueBorne, but there may still be something Bluetooth-related in there.

That moment when blocking use-application-dns.net disables DoH https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet

@thorn obsidian Hm, any way I can update to the latest one?

as you ca see EMUI says my system is up to date

only method would be custom roms as far as I can see

yeah most android devices hang behind some security levels usually, the update I did to my s7 last week got it up to first of august

1 of august this year though

yeah, my OP6T is on August as well

heck!

can you use python for hacking?

of course you can

how does one download things from the internet safely

got a link to a google drive, and I'm kinda nervous about clicking things

You can do research. How credible is the source. What do others have to say about whatever this download is.

You could also download it in a sandboxed environment

and is there a SHA

?

you can verify?

oops, wrong convo?

Looking for a developer that would like to work a current python security project

https://github.com/TechnicSmile/S-Kit

Want to finish it up

And if anyone here is actually interested shoot me a dm

@tall haven so how does one sandbox

A VM I suppose, but I'm not really qualified to give advice on that

In terms of how secure and sandboxed that would be, etc

alright thanks

just don't trust random people on the internet telling me to download files from them

wisely so

@thorn obsidian I'm not any good, but I'd want to snoop around if it's not a problem 😄

thats fine

just looking for a couple of ppl to get

this was my first proggraming project

and want to actually fix it

so it works

😄 nice! I want to read it a bit

if that interests you I can add you

also the code is shit

so dont get scared

no prob

I'm designing RPC system, how could I prevent untrusted servers from sending commands to other servers?
I use redis as broker, so untrusted server agent can get credentials and run client, sending commands to the whole network, how do I make all other servers ignore these requests in this case?

I need my server network to be able to understand my client, but not have enough data to be able to manipulate other servers

SSL TLS

Strong usernames/passwords. See Bitcoin

@tight sierra In regards to updating - it depends on your device and if it's supported by a third-party rom like LineageOS

If you opt for something like OnePlus, I'd suggest not keeping on stock if https://twitter.com/fs0c131y/status/930115188988182531 bothers you 😄

@thorn obsidian Hey I may be interested. I'm working on a security project of writing my own RAT right now with a group of guys. Maybe I could contribute or at the least point you in a better direction of how to handle some things for this beast you got?

Super cool

Always open to ideas

How can I handle JWT authentication, since I can't put the user's password in the token, how can I validate it? 🤔

Also, how should the client handle token expiration, should it even expire?

according to https://blog.logrocket.com/jwt-authentication-best-practices/ the token is generated by the server and sent to the client, then the client submits it with every request. you dont need a password stored in the jwt because the jwt itself is already trusted

though they also recommend that you dont use it for sessions

looks like its intended that they are used like kerberos tokens. a server generates the tokens and clients pass their token around to multiple services as needed. when used this way its a form of single sign on. as long as you validate the signature then you know it was your server that generated the token.
if you just have a single server then its not really better than regular sessions.
as far as what you put in it, since your server generated it and you can verify that, you can just put stuff like the user id, date it was created, date it expires etc in it.

if the client notices the expiration date is getting close it could request a new token automatically as well

please don't use jwt for sessions

that should be handled by your session handler, not jwt

"session handler" ... what's that?

so http is 'stateless', meaning each request doesnt know anything about any other request.
to deal with that you generally use cookies.
the client will send the cookies along and you can check them on the server
most web frameworks handle this automatically and can map a set of cookies to a set of data on the server and load that on every request
this lets you keep stuff the like user_id they logged in as on the server, that way the client cant just change it to another user in their cookies
the session handler generally controls all that stuff and is part of your web framework

When I was reading the documentation for Tornado it seemed to me like a session handler is a Giant Flobbing Mess and Tornado itself doesn't really have much in the way of session handling

could be, i dont think people use tornado a lot these days compared to flask and django

yeah it looks like their 'session management' is just a cookie manager

not quite the same thing

hi, is anyone here good at RSA challenges? im stuck and without help in #help-orange id really appreciate some help 🙂

I want to start working on a python password manager
My idea was to have a long list of random passwords in a text file
And whenever I would create an account I would run the program and it would randomly select a password and enter it
Ie ./pypass -R http://websit.com/
But I would also use the program to loop through the contents of the password file to log in
So ./pypass -L http://websit.com/
Where it would try each password into the form and log me in
Do you guys have any recommendations about the way to do this?
I'm most likely going to be using requests, but I would like to tor-ify the login attempt as to not send my passwords in plain text

@jade juniper You'd be better off using KeePass, Bitwarden, LastPass, etc.

The podcast Darknet Diaries is amazing, especially this latest episode, 48.

It's on Spotify, and great for security.

@jade juniper Like @thorn obsidian said, you're much better off using a password manager for thing like this. The method you're describing, including the tor-ify part, sounds awfully like a (naive) brute force attack and, even if your intent is not malicious, any actualy code suggestion are usuable for malicious purposes by anyone who's reading our server. In that light, we don't allow discussion of your question per rule 5 of our community.

In addition, I've just removed your question from a lot of different channels. Please don't spam questions across multiple channels like that; it's very disruptive and you basically claim multiple channels for yourself.

lol... "hey guys, how can I write a dictionary-based brute force tool which can use tor?"

had me chuckling a bit

lol

i just popped down to see what's up and that quote will do

What is a good Wireshark-like app for Android?

capturing or viewing the traffic on Android?

@thorn obsidian Capturing

I know there are other ways to do it, but I want to do it specifically on the device itself.

tcpdump on the device, adb/ssh/similar to pipe into wireshark on pc?

tcpdump, on Android?

why not?

or, I was going to ask

do you have root

(but, yes, tcpdump on android https://android.googlesource.com/platform/external/tcpdump.git )

Yes, and this looks painful.

i mean

i don't see how it's any more painful than running tcpdump on a regular linux client

you can download precompiled arm binaries

@thorn obsidian Where are the precompiled binaries? Latest one I can find, which looks to be third-party, is two years old.

tcpdump from two years ago should be relatively up to date. in any case, i recall it being fairly easy to compile

https://www.tcpdump.org/#latest-releases - Latest release was done September 30th, though.

Surprised there isn't an up-to-date version on the play store or f-droid 🤔

soooooooooooooooo

we got a 3rd party to do a pen test of a site for one of our customers

report isn't great, but it's mostly the people hosting the site (not our problem)

the report states that they weren't able to gain any information about the server the site was running on because it's behind an nginx load balancing proxy

nginx is spilling its version number out, sure

however

you can actually find out that the server behind the load balancer is on apache 2.4.10 (2014) by attempting to access files that exist but you don't have permission to view

time to write a report on a report

-.-

https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-177881/Apache-Http-Server-2.4.10.html

i mean there's only....

22 CVEs

and only 4 greater than 7.

Hooi! Can anyone give any tips on what would be something challenging but accessible that I could implement into a sec pocket knife kinda thing?

accessible as in, has tons of resources

anything network related would be nice ✌ but other stuff is nice too! They have a mail spammer, a tcp server (?), a port scanner and a dictionary pass cracker 🤷

i dunno what you're really asking for

a toolkit?

yes

they want to make a toolkit using python, and I thought it would be nice to add a module

idk what to do, so I'm asking 😄

uhhhhmmmmmmm

i want to be careful with what i say in case it's uhhh

bad

🤷

since tools can be used to do, bad

but saaaaayyyyy

you had a way to send a http request to a site

and pull the version of web server it's on

you could then use that info to generate a list of CVE's of that version of the leaked information

like i mentioned above with apache

does that make sense?

yes?

cool.

I'll figure out how to do it 😄

if it is possible

it is.

for example, in my image above

i know you can with google queries

the website above i know runs wordpress

xmlrpc.php usually exists in the root folder of wordpress

but is usually heavily locked down

BUT

that forbidden response is showing me the apache version

since they haven't configured apache to not leak info

👀

using "apache 2.4.10" you can search a CVE database

scrape that data to create a list of CVE's

you must know what the website is running on tho

that's not hard

or not

that's publically available information, usually

nah a 404 wouldn't lek

leak

also sites usually handle 404s

by displaying a custom page

if they've configured that, yes

Wordpress usually does that itself too

however, for example, i took a random website and just viewed page source

WooCommerce only runs on Wordpress

yeah but that's assuming they're morons

dude...

you have no fucking idea

:D:D:D

😡

no I don'ti

i know a school is vuln to asp injection

people are really bad at some very fundamental bits of security

so like.

so say, I make a http request and then a webcrawler to search for uh.. version numbers

does that make sense?

yeah, that's doable

shouldn't be too hard

I wonder if there's a simpler way tho

¯_(ツ)_/¯

this way is uhhhh

very not naughty

because it's openly available information

🤔

I shall tinker

i wonder if @thorn obsidian is about

wait is there a naughty way to do it?

there are naughty ways to do lots of things

i don't want to go into them

:3

fair

they involve doing things which may be considered illegal in some countries

the toolkit is for educational purposes

but yeah

this is hard enough for my pea brain

i still can't believe we paid £1.5k for a pen test and they entirely missed that massively out of date version of apache

page 8 of the report saying "it's good that blah blah returns forbidden!" with a screenshot

and the screenshot contains the fucking apache information

grrrr

meh, I slightly disagree. While it should've definitely been included as a finding, it's a good thing that they actually put some sort of effort into manually testing the target instead of just a report full of scanner output

also, when we're conducting pentests, we usually ask for the exact versions of the software we'll mainly be dealing with

a true black box test is rare

most of the times, we have access to the code as well though

Isn't that, pointless?

what do you mean?

if they want to simulate a real attack, they should do it blind

I don't get companies that are like "no you can only test this, this, and this"

a real attacker doesn't care

companies usually just want you to identify vulnerabilities, a pure red team scenario also happens but is rarer

oh i'm not ripping this report

it's excellently written

i'm ripping the fact they missed a very clear piece of info

uh

it wasn't out of scope

what's the point of scopes tho?

what do you mean?

Like, uh, what if you have a vuln that's outside the scope?

If you can stumble upon it, sure, report it

but don't go actually putting much effort into stuff that's out of scope

if the scope is "hey, check out our active directory shit"

I'm just curious, pentesters seem to bitch about scope a lot and I don't really get why

reports cost as much as how many hours you want to be put into it, and as a company you don't want that time/money going to waste

so you limit it with a scope

also

yeah but it's not going to waste if they simulate a real attack imho

nah

Hi! Everybody, Im here to learn.

👋

f.ex we have a financial company that runs some seriously mission critical stuff

hello

they DO NOT want people poking that

during a pen test

I'll appreciate if you help me from beginning on hacking

er.. you let people test in a prod environment!?

EXACTLY my point

scope

:3

using an uhhh

fuck what's the word

I mean, uh, they break it

means people with less good intentions won't

idk, but if you have a pen tester in your office to check your active directory shit is all in order

you can't just go fucking around with what ever you want

etc

Yeah, I get that

what I'm saying is: scope is useless because a real attacker doesn't have a scope

so yeah, you may "pass", but the scope is so narrow you may have a thousand (not really) vulns outisde of it

https://blog.pentesterlab.com/scoping-f3547525f9df

have a read

I shall 😄

Hello, you have found my first message. Congratulations, have a 🍪

But I'm aware of the security risks opening it up to public

What would you recommend my to switch to?

@lusty flare so I've been trying to what you suggested by hand, just to see if I could find a pattern. But I can't really find anything

Any suggestion as to what I should be searching for?

@tight sierra They have a Who does?

yuck

scrape a site

and process it with like uhh

BS4

and look for specific values

woocommerce

other stuff related to wordpress

etc

@jaunty kayak Apache or Nginx?

@tight sierra Asking about https://discordapp.com/channels/267624335836053506/366674035876167691/629968542787436544

Not sure what you mean by this: they want to make a toolkit using python, and I thought it would be nice to add a module - They who?

@thorn obsidian uh, people. They asked on this channel too if anyone wanted to contribute. It's for educational purposes

is it like, illegal?

cause I truly don't know, I assume it's not

I know this is a discord group for python but since there is a channel here of security I wanted to ask I heard that for cybersecurity it is good to know the programming language by the names ruby,c++,c,assembly someone know why?

what do you mean? 🤔

Ruby is good for Metasploit if you get into Red Teaming

C and Assembly are good to know if you get into low-level stuff as you need to know how memory management and other core low-level concepts function

Interesting thing I learned about spectre and meltdown mitigation in cloud on linux the other day: As Linux takes a close look at the exact CPU model in order to decided if and if it wants how to mitigate for those vulnerabilities youd actually have to use the exact same physical CPUs + CPU IDs inside your VMs for your cloud infrastructure as if you scale up and suddenly run on another CPU, even if its just a minor other version, linux could do things to it that make the system crash because its trying to mitigate spectre for another version of that CPU which is the reason that interestingly enough a few cloud providers actually do not mitigate spectre and meltdown at all on purpose in order to guarantee more stability

alternatively of course, the CPU type in the VM is just faked to something else and the linux kernel doesnt even think about mitigating for meltdown and spectre as it doesnt thing its running on intel CPUs while in reality it might actually just be doing that and might still be vulnerable to those attacks

really interesting

We have a watchlist keeping an eye for ping.exe followed by delete. The latest occurence occurred in the Pillow library. What is the purpose of a loopback ping followed by a file delete for legitimate uses? (I'm very curious so if anyone has an answer, can you @ me?)

        def get_command(self, file, **options):
            return (
                'start "Pillow" /WAIT "%s" '
                "&& ping -n 2 127.0.0.1 >NUL "
                '&& del /f "%s"' % (file, file)
            )

https://github.com/python-pillow/Pillow/blob/master/src/PIL/ImageShow.py

I've been trying to find out why developers do this, but I mostly get google results on how to delete malicious versions of ping.exe

@burnt sleet windows doesn't have a Sleep command in its command prompt, so a hack/work-around is to use ping to simulate it

https://stackoverflow.com/questions/735285/how-to-wait-in-a-batch-script

Well shoot. I figured it was that simple. Alright thank you!

disclaimer: this is for educational purposes only, so like 🤷

by sending an http HEAD / HTTP/1.1 using curl --head www.site.domain I can almost always get the webserver it's running on, and rarely the version

is there a better way to get them, and to ensure (or at least increase my chances) that I get the version too? Generating errors doesn't work, as most sites either have a custom error page or configure the webserver so it doesn't leak even on stock pages

@tight sierra educational purposes doesn't protect you from breaking a website's ToS or anything like that.

I mean it's not breaking the ToS if it's public information

it's not my fault if the http header shows it, I'm not breaking anything

literally anyone can press f12 and find out

I'm talking in general, and that's not how a ToS works.

I mean if it's public info, then it's ok?

I don't want to do anything malicious :/

It's more something we won't assist with on the server, to cover ourselves.

Aye, that's fair 😄

!rules 5

Eh.. Should have shown the rule. Either way, it's We will not help you with anything that might break a law or the terms of service of any other community, site, service, or otherwise - No piracy, brute-forcing, captcha circumvention, sneaker bots, or anything else of that nature

No yeah I read that

I just didn't think this was illegal or anything like that

I might be naive tho, so I'm sorry :<

It might not be illegal, or even against a ToS, but it's more a heads up in case it is - as I have no clue which site(s) you're looking at.

I'll be more careful next time 😄

it's kinda hard to know what I can ask and what I can't tbh, feels like security is just bound to get you into trouble, sort of

Welcome to the world of exploit hunting! 😄

The index now starts at 0, so it should be this

!rules 4

I lied, idk what it is anymore

!site rule 4

This one lol

Gotcha, appreciate it @wanton rune 👍

When you use a digital certificate to sign a PDF, is the certificate itself embedded in the PDF, so the receiver can verify the signature without having to get ahold of the certificate out-of-band?

as far as i know, certificates are not embedded

which is why the pdf signing certificate selling business was lucrative at least a few years ago

when i've self-signed pdfs, it has always said "Could not verify signer identity" etc

@spiral iron

https://stackoverflow.com/questions/56530797/need-advice-on-checking-signature-certificate-of-a-signed-pdf-using-java I found this thread, and it kinda looks like the snippet in the question is extracting a certificate from the file. But maybe I'm misunderstanding.

And, if not, how does verification generally work? You download the certificate from somewhere and load it into the pdf reader?

you are given a certificate which is trusted by a CA (which has to be in the CA certstore), which you can then use to create identities and sign shit

CA can revoke trust from a certificate at any time

oh, wait, i'm dumb

yeah, the certificate used to sign the document itself is embedded (or at least accessible some other way)

whether that cert is trusted by a CA or not is something else

or, wait

damn, I don't even know

should be fairly easy to just experiment and find out though

sign a pdf and open it up, see if it appends the cert as well or just the signature

It feels like it would make sense for the signing cert to be embedded in the PDF. It's public anyway, and it would be convenient for the verifier to not have to acquire and load it manually.

But yeah, I guess that should work.

can I about fuzzers there or ~software-testing?

would the key space of vigenere be 676?

Working on an XSS Automation tool for Hacktoberfest if you are looking for a security-centric project to get some PRs into. Please try to make them useful as I've already gotten one with just capitalization.

My focus is the DOM injection where you would parse a webpages source and actually inject with selenium there and test for XSS that way. Currently XSStrike only tests in URLs which mine does as well. There are 575+ payloads so if you're interested in adding more of those that would be appreciated as well!

https://github.com/M4cs/traxss

I have a secret TOTP key, and I need to generate a password with it - I found PyOTP, but I need to use a different hash function to the default, and I can't figure out how to to it. Any ideas?

https://github.com/pyauth/pyotp/blob/master/src/pyotp/otp.py#L12

so when you create a TOTP object

specify digest as a keyword arg

default is hashlib.sha1

youll need to import hashlib and find the corresponding hash function

@daring sedge does that help?

yes

Thanks

I looked at that file and missed it - my brain isn't operating very well

You have saved me from the reference Java implementation

lol

Hey, I am writing my own Alexa app. I wanted some advice on how to securely store, and read passwords. I am looking for a solution that allows me to decrypt the hash from my database back into the raw string. I don't want to simply check that an input password compared to the hash is True/False. Any good libraries for that?

Bcrypt

decrypt the hash from my database back into the raw string.
Why?? That's terrible practice. You should always use cryptographically secure hash functions to make sure it can not be reversed. Otherwise if your database ever gets compromised, all passwords will be leaked. Also encryption needs a key.

@hushed sierra that beats the entire point of hashing

if you can reverse it back to the original string, so can the potential hacker who has gotten a hold of your password database

What's the best way to find the repeated XOR key in a file? The only thing I am aware of are the 16 first bytes of the file when XORed.

Then what's the best way to store and use credentials made for a user that the user themselves dont actually use? It's only the server using these passwords.

what do you mean by credentials the user doesn't use? can you explain what you want to do in a bit more detail, please?

So to link the Alexa user with a 3rd party account, alexa tells the user to make an account in the 3rd party server with the alexa username and a short randomly generated password (think bluetooth paring process) if connection is established with th short password we know the 3rd party account belongs to the current alexa user. The short password is weak though so the 1st thing alexa tries to do with this newly established connection is update the 3rd party account password to something stronger. It's this strong password I want to store and keep using so that the user doesn't have to go through the pairing process over and over

Dont need an answer on this anymore. I am going to use AWS parameter store secure strings.

https://www.wired.com/story/twitter-two-factor-advertising/

https://threatpost.com/apple-itunes-bug-bitpaymer-iencrypt/149075/

Whats the best practice for secure socket connection between 2 devices on the LAN?

for example to socket.send data from one device and receive it to the other one and vice versa

so someone can't MITM the data?

Thatd be using TLS/SSL for your sockets

@thorn obsidian social media companies arent all evil though, for example currently the german government is trying to prevent facebook from encrypting more user data because then they cant recover it for use in lawsuits (and maybe other things who knows 😉 ) anymore

@orchid notch You won't find me defending social media. There's too many instances of abuse.

^

How you gonna defend Facebook after all the shit they got busted for.

Now that is very true

https://venturebeat.com/2019/10/11/ai-weekly-in-china-you-can-no-longer-buy-a-smartphone-without-a-face-scan/

After December 1st*

:incoming_envelope: :ok_hand: applied mute to @short rain until 2019-10-15 00:35 (reason: role_mentions rule: sent 4 role mentions in 10s).

https://thehackernews.com/2019/10/linux-sudo-run-as-root-flaw.html O O F

Love me some doas

doas?

sudon't

also, this vulnerability, while still a pretty huge vulnerability, has some pretty specific prequisites, making it more of an edge case

definitely update nevertheless

@thorn obsidian Is this a example of why (I think it's you) Says sudo doesn't matter? Just make sure you have proper root use?

Actually nowt that I think about it, I don't know if that is you

I didn't say it doesn't matter. I said that I don't tend to recommend sudo to people who are new to linux and don't know the difference between su/sudo.

Not sure if that was the exact wording I used ( doubt it ), but that was what I was trying to get across I believe.

To people who are new, I don't think it matters to them, sure. But I don't have an issue telling them if they're interested.

i can't say i agree

Sorry that's what I meant

¯_(ツ)_/¯

It's more to reinforce that root isn't to be toyed with.

https://thehackernews.com/2019/10/android-kernel-vulnerability.html

( Not a zero day anymore, was posted on the 4th )

it's still a 0day :p

@thorn obsidian doas is the openbsd more or less reimpl of sudo in their spirit of, trust no code that is too complex, instead write your own

I dont think Ive seen a single program which is used in other distros (apart from basic unix tools like bash + vi + the POSIX tools) which OpenBSD has and did not rewrite

doas, fdisk, their weird SystemV mutation as init system

@orchid notch Huh, that's the exact opposite of most recommendations I've seen. As in, don't re-invent the wheel 😄

https://www.schneier.com/blog/archives/2019/10/factoring_2048-.html 20 Million qubits.

BSD always reinvents the wheel

Always

And usually they're right

Or at least their stuff isn't usually vulnerable

Looking at you heartbleed

Would anyone recommend a different hashing method?
Im making something and currently I am going to use sha512 and salt the password using the current epoch. I could also use a users personal id to salt the password as well I guess
Any feedback would be appreciated

Doesnt need to be super duper secure, its more for self learning and the ethics of securely storing passwords but still

Want to start python for security

@civic widget salts should be fairly long

I'd keep them over 16 chars just in case

timestamps are quite short (I'm guessing that's what you mean by epoch)

Yea the epoch time in seconds

But alrighty

no, that's the timestamp

the epoch is just the point of reference

unix epoch happens to be 00:00:00, the first of january, 1970

the timestamp is seconds elapsed since the epoch

True

the first of January, 1970 is called the seed, isn't it?

no, it's called the epoch

yep my bad, it's because when generating random numbers on UNIX, the seed is the epoch 😉

again, no

if you used the epoch as the seed, you'd get the same random number every time

because the epoch doesn't change

it's a constant value

well timestamp since the epoch to be precise then

Hello is there any book, video tutorials or website to learn properly security with python ?

@civic widget Don't use dates/times as salts. They should be random.

I've seen recommendations that salts should be at least the length of the password.

Alright

But that may have been a while ago, and if the database was compromised would lead an attacker to knowing the length of the password. Not sure best practice on this, but a minimum of 20 characters sounds right to me.

I'm storing the salt with the password as well so idk if that's a good idea

What is this for?

It's more for self learning and good ethics for storing passwords but it doesn't have security requirements. It's just a program for someone and I wanna make it better rather then work off the auth system

Would you say, a random string of ascii and digits would suffice for a salt?

Alright, so how are you doing the hashing and all that?

Hashlib and there sha512

... Oof

Not sure of better ways rn

Yeah, don't do that

Hence why I'm asking

https://passlib.readthedocs.io/en/stable/narr/quickstart.html Check this out

While Argon2 is much younger than the others, it has seen heavy scrutiny, and was purpose-designed for password hashing. In the near future, it stands likely to become the recommended standard.

So, should probably go with argon2 then

I'll dig a bit deeper

Read up on their documentation. I'm by no means a crytographer, so take everything I say with a grain of salt 😄

I'll have a look around anyway

And I'm thinking of it sorta like, I don't need massive security or whatever for the application. And anything is going to be better then how it's currently done 😅

Passlib is pretty trivial to setup, and to my knowledge argon2 is the goto.

Dealing with good enough is what a lot of companies have done, and that's how hacks happen.

That's a fair point

Thanks anyway dude

No problem. If you need any help with anything security-related, don't hesitate to ask 👍

👍

how to protect ur python source code

and how to encrypt it

You can't really.

All you can do is obfuscation to whatever degree you feel necessary, but in the end the interpreter needs to be able to decipher it as valid code.

I mean, it's kinda the same even for compiled languages, but interpreted languages are particularly hard to protect beyond running an "uglifyer" over them that renames variables etc to make it look bad for humans.

lordy

https://twitter.com/Sta_Light_/status/1184475413252210688

How exactly does that one work out

thx @tight abyss

what you guys do for obfuscation?

not write python :p

@thick flare You don't

If you're trying to obfuscate Python code, you can put as much as you can on a server and then have the client do as little as it needs to get the job done. But that doesn't work on a lot of applications 😄

@thorn obsidian I've seen a hundred different reasons.

None outside of the server/client model that work on Python

Nuitka will convert your Python code to C code which can then be compiled and obfuscated the usual way...

I've already decided I'm gonna hit the ground running here, what do the people of this server do for data sanitization? To me it seems best to omit certain characters that could be used in a table command

(For clarity, I use sqlite3)

@eager cave data sanitization, as in to put into an sql db?

Any of your frameworks should already do this for you.

Huh, I didn't realize that, I'm fairly new to database handling since I'm doing my first project relating to it, but I appreciate the answer!

Flask/Django offer this. What are you making/working with?

SQLite, using the Python library sqlite3

I mean, you're not using anything else? No framework?

I'm not using anything else like Flask/Django

I mean, if it helps, I use discord.py for input

https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/

@eager cave I'm not sure what you're doing with Discord

Thought this was a web app

Aaaaah, not sure where I'd describe the project, but it's a Discord bot that uses sqlite3

Everything Discord gives you should be escaped already, I would imagine.

Alright, sounds good then

Quick one, I'm new to this and just made a twitter bot. I want to automate it on Amazon AWS, does it matter that my spotify and twitter API keys are in my code or is this system secure?

@idle yoke it's generally a bad practice to hardcode secret keys in your code, because it will require you to create an entire new release in case you need to invalidate one

what people are generally doing is to read the secrets from environment variables

Thank you, I'll have a read up on that before uploading online

you might want to check this : https://12factor.net/config

@thick flare Python is mainly a language for open-source stuff

If you want to hide your code, don't use Python but something else like Java, C++, etc

Hey guys, I'm coding in c#, and I'm wondering, if I have a string (e.g. Database connection) stored in my program, can some one find it with memory scanners?

Well a dB connection isnt a string but yes

Sadly

yes indeed

https://www.zdnet.com/article/swedish-police-cleared-to-deploy-spyware-against-crime-suspects/ Sweden's police force has been granted new powers this week, including the ability to deploy spyware on suspects' devices to intercept encrypted communications and turn on microphones and cameras.

@hazy maple If you want to use db into your program

You should better make a REST API

So that you only make a http request with the give credentials

and then you get the error/success message back

ok thanks, i'll look into it

@spiral turtle Proof?

the news?

You didn't link anything

You mean, the link I posted? https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/?

That says nothing about NordVPN launching a DoS on TorGuard

``It’s also believed several other VPN providers may have been breached around the same time. Similar records posted online — and seen by TechCrunch — suggest that TorGuard and VikingVPN may have also been compromised.

A spokesperson for TorGuard told TechCrunch that a “single server” was compromised in 2017 but denied that any VPN traffic was accessed. TorGuard also put out an extensive statement following a May blog post, which first revealed the breach.

Updated with comment from TorGuard, and again with additional comment from NordVPN.``

@south yarrow ?

What the fuck you pinging me for

Im trying to hack trump over here

( and before someone takes me serious I’m obviously joking )

Ah, I thought you were serious

🤔

It was because you had posted a random emote in channel, and was curious as to why.

Perhaps I had missed something

Also, let's not joke about hacking people.

@spiral turtle Those probably are only suppositions

Do not forget the difference between facts and rumors

It was in response to the nord crap

It was just hilarious how it happened almost a year ago

And just recently coming public about the situation.

And many others in fact.

¯_(ツ)_/¯

Better to setup your own VPN if you're using public networks, honestly.

@noble pewter rumors or facts it was still amusing to read

True 😂

IDN Homograph attacks:
https://www.аррӏе.com/

Firefox users can limit their exposure by going to about:config and setting network.IDN_show_punycode to true.

https://www.bleepingcomputer.com/news/security/discord-turned-into-an-info-stealing-backdoor-by-new-malware/

https://speakerdeck.com/dukebarman/issues-in-node-dot-js-desktop-applications-hypster-mode-on-in-development

If I were to install another firewall which comes with the anti malware app along with the system default firewall, would they have conflict? I'm using mac os.

Hello, I'm looking for the name of a Python library that I used in the past within a Django project. I used it to obfuscate strings w/ or w/o passphrase. Logo is a scimitar

Guess I remembered it wrong https://pythonhosted.org/itsdangerous/

@maiden sinew Reminds me of https://werkzeug.palletsprojects.com/en/0.15.x/

Or, wait, perhaps I was thinking of https://cryptography.io/en/latest/

I was about to ask what was similar between itsdangerous and werkzeug other than Python 😄

Yeah, I mis-typed on that one 😄

That looks like a very nice crypto library. I think itsdangerous is primarily oriented towards people who may not understand all the underlying crypto principles, they just want to do a dangerous thing safely, but I could be misunderstanding

itsdangerous ( at least according to my Github searching ) is done by the Pallets Project, same folks who brought you Flask.

interesting... I'm still learning the landscape with this kind of thing

Well, if you have any questions, don't hesitate to ask 👍

Thanks

@thorn obsidian Do you know how I can see requests made between any client programs from my computer to the server? trap requests and see get or post requests, just as in the browser has this option.

sorry my english i brazilian

There is a program called BurpSuite designed to let you proxy, examine, and replay requests
There are Fiddler and Wireshark to do packet capture and look at things that way
You can use your browser's developer tools to record and copy requests and responses, then you can use Postman to modify and replay them

If you mean more like an application firewall, that will be highly OS-dependent

Yeah, @abstract jackal is right

thanks

thanks the 2

mr robot kkkkkk

guys someone has my exact user name on youtube, I searches my self on google.

He's also from the same country as me

People might think it's me

What are the chances that he's copied my name?

P.S. My name is pretty unusual

I have a coworker with your name

OMG wikipedia axaxax

wikipedia hjahaa

@gilded wren Did you have a question?

which python frameworks or web application do you think are better for a beginner to source code review for vulnerabilities?

I think they're all pretty well matured

Nothing that I can think of that would make me think there's any glaring issues

Django, Falcon, Flask

All seem pretty well setup to me

I would recommend finding a project that interests you, look up CVEs for it, then try to find the commits and discussion around fixing those vulnerabilities. This has been useful for me to learn about vulnerable code patterns

thanks @thorn obsidian

I will try @abstract jackal

!warn 196520532085178368 Censored or not, that is not a word that should be used in the server.

:incoming_envelope: :ok_hand: applied warning to @astral turret.

yep

Have a great night.

sometimes there aren't people with the knowledge to answer your question, so it might get pushed

if that's so, you can wait a bit then ask the question again, or try a channel with higher visibility like a regular help channel

I wont ask anymore, lol I'll do thing by myself, thats all.

all the best

Does anyone have experience with IIS servers with asp.net? I am experiencing odd behavior related to Host header. Despite it being correct, back-end server returns 400 invalid header name

Hi there

hello

i`m hacker

anyone know anything about hash functions such as md5 sha and generated hashes?

@dusk heron sure. what are you looking for?

i have a project im working on for uni

i need to analyze generated hashes using various functions

and my graph always had 100% leading bit set

but i figured it out, its because python ommits leading zeros when i was converting my generated hex hash into binary

i was getting this

haha

when i shouldve been getting this

yup that looks better

are you familiar with the hashlib library?

i am

i also maintain a utility for checksumming video data so i spend a lot of my time testing xxhash and a bunch of other hashing algos in different scenarios we may deploy to

im using this to generate random strings right now

this works fine, i just pass the encoded string to the hashlib function to get the hash

but i also need to generate hashes for all binary numbers up to 2^16

any idea how i could do this

there are definitely better ways to generate better and more "random" random strings from a randomness and cryptographic perspective but that may or may not matter for your needs

i mean its just a uni project so i think its fine

not sure the details of your other question though -- generating hashes for a bunch of numbers is pretty straightforward unless i'm missing on something else you're supposed to bo doing with it

well the hashlib function takes a byte-like object as input

and feeding it string 10 isnt the same as feeding it a binary 10

i dont know how to feed it binary numbers

Is it not bytes([0,255]) ?

Where that list is a collection of ints of any length

Or perhaps even better bytes(random.getrandbits(8) for _ in range(stringlen))

this part isnt random

its just all binary numbers from 0 to 2^16

int.tobytes in that case

(1112).to_bytes(4, byteorder='little')

Will return a littleendian bytestring representation of 1112 of length 4

ok say i have a for loop going to 2^16

so i just do (x).to_bytes(4, byteorder='big')

Yep, you'll need decide on your length padding if that's relevant

https://docs.python.org/3/library/stdtypes.html#typesnumeric

is this right then

I don't read bytestring too well but your method is sound: once you get to an n that cant be represented in 4 bytes you'll get an overflow error.

yeah i got that

i think i should just use lenght 16

since i want to represent the first number as 15 0's and a 1

right?

if im going to 2^16

4 is fine as those are bytes

But for larger ranges it'll catch fire.

what do you mean lol

idk it went through

these are the last couple of numbers generated up to 2^16

That's the representation of the string of ones and zeros is that what you want?

are you sure its string

Or the representation for the string of ones and zeros interpreted as decimals.

val = (int(val)).to_bytes(16, byteorder='little')

should be int ?

or some sort of number

Check the type of val

well im passing it as int(val)

It's a string, you're then interpreting that as a decimal.

yes

Okay if that's what you're looking for.