#cybersecurity

4 vs 100

i mean i dont know what im looking for lol

im looking for a way to pass binary numbers to the hash function

i have no idea if this is right

What do you mean by binary numbers?

you know how i generate random strings for my project now

Yep I see that

the prof told me to also generate hashes for all binary numbers up to 2^16 and analyze hashes for that too

so if i make a for loop and just pass the loop variable which is type string

i dont know if thats the same

im assuming no

Okay then sounds like you just need to pass in the bin(n)[2:]

im not sure the hash function will take bin(n)[2:] as argument but i havent tried it

Bin returns a string

yes but what happens when you encode that string

Hence the idea of the binary numbers being a little weird, either that means some encoding of strings of ones and zeros, or it just means all the numbers.

What interesting behaviour are we expecting?

no clue

no idea why he wants me to do this

bin(n)[2:].encode('ascii')

Seems a good a choice as any in that case

lol yeah im lost

which way is "correct" lol

as in passing the actual bytes representation of a binary number

The objective isn't well defined so it's impossible to say, i don't think you want the bytes method as that's treating the ones and zeros as decimal digits, the truncated bin output would seem to maintain the idea of dealing with 'binary numbers'.

Or rather 'stringified binary representations of numbers'

so the second approach where i first convert to binary then to_bytes yeah?

Nope just the bin(n)[2:]

But since you're hashing them I don't think you're going to see any interesting biases at all.

ok i guess il go with that then

thanks for the help

Is there a way to encrypt a string in a way that allows it to be decrypted afterwards using a key?

Can you define key?

@compact sail Yes there is

Because there exists Asymmetric encryption and Symmetric encryption. Asymmetric is like public key/private key, like SSH or PGP.

Whereas Symmetric is like AES, and can be decrypted using a passphrase.

I'm looking for a reliable way to store a user's password in my software

use a database

yeah

but how do I encrypt the data

don't store it in your program

don't encrypt it

hash it

oh wait hol up

and then when the user enters a password

hash that

and check if they match

no but you see the password has to be stored

https://passlib.readthedocs.io/en/stable/ - Hash the passwords with a master password

if so, the password is correct

because the program is supposed to auto-login into a website

that's kind of the point of the program

for the user to not have to constantly type in their credentials

@hexed quest ... Wait, what?

How can it be done with sockets?

like you can do requests to a webserver

I see, is this some kind of password manager

nope

@hexed quest I don't think you understand

so essentially my school has this really bad learning management system

and I'm writing an app that makes it usable

just a gui that allows you to see your lessons and tasks quickly

it webscrapes info from the bad website and makes it readable, however the website requires a user and a pass

and whatever you do you have to enter it in, and that's annoying

so I made a system that saves the user's username and password

but I need a way to make it secure

@thorn obsidian explain in pm

@hexed quest Please don't PM me

@compact sail What would prevent you from using KeePass/Bitwarden/etc then?

that still doesn't solve the issue of the website having extremely bad design

it'd be ideal if I could kind of "lock" the string

with a key

the string?

i was thinking of something like this as a system... but I don't know if it'll be secure:

user's password --> encrypted with user's password as a key --> encrypted piece of text

encrypted piece of text --> attempted decryption using user's password as a key --> either gibberish or user's password

the password

I don't see why this would be better than a password database that has already been audited.

What website(s) are extremely bad design?

Daymap, my school's learning management system.

(not a security expert) I use gpg in symmetric mode to encrypt some of my files, there seems to be a library called python-gnupg that lets you interface with gpg. That way you can have a single passphrase to decrypt the user data.

gpg in symmetric mode?

You mean, GPG protected with a password?

let me go check that out, seems like what I need for the most part 👍

Yep iirc that's the command line flag

I want to start cryptopals.com training but first I would like to get some advise about the topics that I am going to learn.
The first challenge in the first set is something that I can do in 5 minutes, or may be I could just use some online converters to do it for me

Now what type of approach should I choose to learn crypto:

1: Read theory about Hexadecimal & base64, then learn how to convert them using some libraries made by other people 

or

2: Read theory about Hexadecimal & base64, implement **your own** libraries or code to convert them

or

3: Read theory about Hexadecimal & base64, convert stuff manually on paper then create tools from scratch for automation

Which one do you think I should do to upgrade my python skills as well crypto?

@obtuse harness you should use a project with 1

hexadecimal/base64 can be done in the standard library

they are also not crypto

this exercice is really supposed to be a warm up for cryptopals, don't spend a month on it imo

thanks @versed scroll

@thorn obsidian well I am talking about libraries in general, do I need to read those libraries and see how they do the converting? is it really necessary? or just know what is Hex and how to do encode/decode?

@hoary marten thanks

Look at base64 - https://docs.python.org/3/library/base64.html and https://docs.python.org/3/library/codecs.html , as well as how to encode() and decode()

@thorn obsidian well this is pretty easy and I can finish set1 in few hours, I thought I needed to look inside the libs

thanks

@obtuse harness np

https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/

"oops"

@thorn obsidian I found AMD's RDRAND implementation's source

https://xkcd.com/221/

You sure that isn't Sony's? zing

@marble dawn What type of pen-testing is not red-teaming?

Pentesting is more about finding all the issues you can find

red-teaming is more about a focused effort to figure out the realistic risks an organisation is taking

it's hard to explain in so many words, but this seems like a good explanation https://www.redteamsecure.com/penetration-testing-vs-red-teaming-whats-difference/

Ok, so it's kinda like pen-testing is a wide-reaching security evaluation, while red-teaming is like a stress test.

First you do pen-testing and shore up your defenses, and then you do a red-team test to see if it paid off?

I think it's more that pentesting is all about approaching a company through the eyes of a bad guy

vs red-teaming being more like standardised testing and security policy review

although they more or less address the same issues I think

Are you sure it's not the other way around?

Cause it sounds like you flipped the definitions

Judging by that article at the very least

Red teamers take their time, wanting to avoid detection (just as the cybercriminal would).

One entertaining way to look at it is that the pen testers are pirates — ready to rampage and pillage wherever and whenever they can. In this analogy, red teamers would be more like ninjas, stealthily planning multi-faceted, controlled, focused attacks.

It's kind of hard to define honestly

I think deviant ollam has a video on the difference

So I want to get into ethical hacking.. .
should i get a raspberry pi for hacking...and what are the advantages

just run a VM

run 2 if you need

ethical hacking is a very wide area

what specifically do you want to hack?

Is there any need to set up a passphrase for RSA?

I am trying to set up SSH authentication but I am not sure why the guide says that using RSA without passphrase is insecure

passphrase in rsa context is that whenever you want to use your pvt key, you need to enter a passphrase

secure in this context is that even if your hard disk / usb / whatever, somehow your pvt key is compromised, other people can't use it still, since they don't have your pass

@tepid rover it might be the thing you're SSHing to is a critical server. Normally even if someone got hold of your computer, they couldn't access the server without a login password even if they stole your laptop. But if you have passphrase-less key, then they just copy the key off your computer and can now access the server

@spiral iron https://danielmiessler.com/study/red-blue-purple-teams/
Found this, might be worth a read(?)

Ok, so according to this article, a red team is characterized by trying to simulate an attack by a particular threat actor over an extended period of time. Whereas a pentester tries to attack through any and all attack vectors for shorter periods.

But, they also note that:

There is debate on this point within the community.

@quartz terrace Even if that was the case, I'd hope you were using FDE

I believe red team is more physical, isn't it?

I'm bad at explaning - but I think that isn't part of the red/blue team approach to it, but rather just physical pen testing

Physcial pentesting could be just a guy with a clipboard social engeineering your front desk secretary to giving access to X area that is supposed to be off limit

"Hey, I'm Gregory and I'm here to test the elevator."

hi-viz jacket and a ladder are a better lockpick than any literal lockpick

No staff's going to mistake a guy in a hoodie with a lockpick. But a hi-viz jacket and a ladder... and a lockpick? Oh the dude's just a contractor.

Any good security modules to use?

for what?

what are you trying to do?

When distributing my code

Don't want people to be able to steal.it

then you need to choose another language than python

a surprisingly common question recently

Yeah, oddly enough.

Don't want people to be able to steal.it
No matter what, if the client can run the code, if they are motivated enough, they can take anything from it. Some languages hide it better than others, but if the client runs the code, their machine has full knowledge of at minimum the byte code it compiles down to. Without more info about what you re actually trying to protect, there's no real reccomendations to be had.

if the code runs at some point, it can be read. it's simply about how hard you make it to extract the code. a bit like with video copy protection, if you see the video you can copy it, even if that means resorting to recording your screen with a camera (disclaimer: dont do this piracy is illegal)

https://application.security/

I'm looking for a good key Auth system for my code anyone know any?

@lost crystal Can you describe what you mean by "key auth system"?

my friend recently gave me this audio file to try to decode, i searched far and wide but I don't know what method was used to encode it and how I can decode it, help!

¯_(ツ)_/¯

To sanitize my datas input and avoid sql injection, using psycopg2, is parsing the inputs as parameters sufficient?

https://fletchto99.dev/2019/november/slack-vulnerability/

Nice

Getting address unreachable error, here's the hackerone report https://hackerone.com/reports/679969

@neon jewel They were working on their home lab apparently, should be up now.

@blissful raven use prepared statements

The Labour party has faced a second cyber-attack, a day after experiencing what it called a “sophisticated and large-scale” attempt to disrupt its digital systems.
ddos
sophisticated
please allow me to laugh

https://www.theguardian.com/politics/2019/nov/12/labour-reveals-large-scale-cyber-attack-on-digital-platforms

The DDoS that happened to Spamhaus was sophisticated because of the sheer size of it.

renting a botnet from dnm requires no sophistication

dnm?

darknetmarkets

@thorn obsidian

sorry, ii've just realised it's not a term everyone's used to

🤔

List of Awesome Red Team / Red Teaming Resources
https://github.com/yeyintminthuhtut/Awesome-Red-Teaming/blob/master/README.md

@thorn obsidian There's a lot there.
@violet notch

I've not gone through it all, but yeah.. There is a lot 🙂

https://techcrunch.com/2019/11/12/5g-flaws-locations-spoof-alerts/ Oh no

I want to learn about security

there are many areas in security

like?

?

like lock picking? like when you put multiple doors / laser + alerts in your vault?

Computer security types can be like: malware, phishing, networking, etc @devout sage

Protecting code

Encryption

sup, I'm studying cyber security second year and I am wanting to work on some sort of project in my spare time but i'm not sure what I could do really
any ideas?

wouldn't really be projects or python programming in my experience

school probably gonna teach you some math

practically you wanna understand how asymmetric crypto applied in TLS

and OWASP if you're into web security

Already covered maths and stuff, I just want to get some more work done in my spare time so I could talk about it in my interviews for my internships

if you're into CTF, then some interesting topics that can make use of python:

• crypto/math
• RE - binary exploits (use python to construct payloads)

Yeah I guess so

for web, there is heavily uses of python requests, practical too

Last year I made subnet calculator on python where you input ip and amount of bits it will have an it calculates all available ip's etc

for various network exploits, there's python socket (over TCP)

So i am looking to do another project like that, some kind of tool

🤔

security related?

yeah more security related

something on top of my mind: make an "app" that run various nmap commands, and produce a friendly reports on a target server

don't spam nmap random servers online though you can be sued

Yeah that sounds something I could do

Reckon I could do some sort of tool that checks for vulnerabilities in websites?

they're usually kinda wack

@thorn obsidian, it looks like you tried to attach a file type we don't allow. Feel free to ask in #community-meta if you think this is a mistake.

not very useful / lots of false positive

Ok then

Ah i see

but ZAProxy has some API iirc?

@peak aspen ill send u a pdf that teaches u good stuff about hacking with python

yeah sure

hacking with python
okay

Listen bud

This is python discord

i'm speaking with python in mind

I will check it out for sure and see what is there

Its introductory stuff but cool

keep in mind that practical security usually comes in forms that don't really fit these "toy projects"

Well at least what you need to know to learn it all

No what i sent him literally just teaches u malicious things to do with python

commonly you're either on the developer's side - make your system more reasonably secure,
or tester side - a lot less on programming, but more on using tools to poke a system

Yeah

if you're wanna be a tools developer that helps testers, now that's too specific of a job

This is great stuff, we are only just started working with linux and started scripting with shell and this allows me to get head start using python

Yeah i think theres some linux stuff in there too

@thorn obsidian how old is this?

Idk

I dont even remember where i found jt

Its a book is alls i know

2017 @peak aspen

yeah just found out

might be some what outdated

but I will for sure study it a little and see whats popping

Eh still pretty decent i doubt youd find any trouble

I have never done this but how hard would be to put on web tkinter python app?

@bold grotto

on tester side - a lot less on programming, but more on using tools to poke a system

as someone "on the tester side", 90% of the tools I use I wrote myself

with some exceptions being the obvious like burp, binwalk, etc

and yes, most of them (the tools i've written) are in python

two in golang

sure

you'd be amazed how many badly written apps/ badly configured servers out there that get serviced to pentesters
in such case i don't need to spend most of my time developing tools, instead i'll start using existing tools first

just because your specific job is more demanding in developing your own tools doesnt mean typical pentesters do what you do
the more common programming would be developing exploits / PoC, specific to particular apps serviced for the pentesting project

my specific job is pentesting

I've just found most tools I've used have been lackluster or just entirely nonexistent

as for pocs, each finding we list in the report is accompanied by a poc

"no poc no proof"

usually, the poc is just a step-by-step of what you need to to do to reproduce the issue

however, a lot of findings have attack chains that are either too complex or too long to write out step-by-step, so a poc script or such is provided instead

and you're saying your pentesting role in your team applies to majority of pentesters?

that was not my point what you do, how could i possibly know? i didnt need to know either, i'm sure smart people like you, who test complicated systems exist, that no open source tool can even provide what they need.
doesn't mean thats the only security / pentesting job you should aim to get

So what is your pentesting role then @bold grotto ? Since you know so much about this topic.. 🤔

my previous role wasn't like an on going pentest / part of devops / QA for a specific project / team, which i think xx tasks would apply more
since you grow familiar with the team development habit and can identify which tools to make for reusability

@bold grotto if your job is defined by the tools you use, what's the point of the job? anyone can run a tool

and what I said applies to pretty much everyone in my company

we got a lot of widely different apps from different clients

so we'd start right away poking around their services they expose publicly, intentionally or not

at the same time, the main app in scope required for testing will also get tested (different testers on the same project)

tasks carried depend on whether the app is commercial use, or internal use

also,

my previous role wasn't like an on going pentest / part of devops / QA for a specific project / team, which i think xx tasks would apply more

I work on 3-4 different projects (from different clients) a week

you tests 3 different projects a week, and you need to map out the whole functionality of the app while finding vulns,
and your main tasks are developing tools?

okay

when did I say my main task was developing tools?

why bring that up then

the tools I mostly use I've already written before, sure I change functionality when and where I see fit but it's barely "active development"

if you read my initial comment, i said it has a lot less focus on programming

if you're not capable of developing tools to cater to your needs as a pentester, you're a shit pentester

is why i'm bringing it up

i said not capable?

less focus mean the time spent

not where your skills are distributed

okay, sure, I get that, but it's a skill which is still imho quite necessary

feel free to call me shit pentesters though, i would make the same comment regardless since op was asking about how to get into security

also this isnt an argument anymore since i don't disagree with your point

i should clarify that I didn't mean you you specifically when I said "you're a shit pentester"

it was, like, a general statement

at my team we started not too long ago, many of my development time in the team involves with workflows improvement, issues tracking, exploit repository, etc. instead of like a better nmap or automated scan, or something along those lines

someone else do some of that (not a lot)

but then the whole team benefits from their works

if code needs to be secure, it must not run on the client machine. everything else is just obfuscation and can be reversed by someone dedicated enough.

may I ask what kind of application that is? Such requirements sound weird to me.

I'd make it into a Django/Flask app

Then it can be done via a website, and you don't need to give anyone any code other than an account.

do you ship this exe to multiple users, and don't want their computer's malwares to RE the exe

Heyy guys somebody knows about php security’s?

what are you looking to ask?

but this is python server tho

@amber hemlock Yep

Good luck, as that's not gonna happen.

Developer tools in Chome/Firefox are trivial to use to monitor network traffic

@amber hemlock maybe experiment with an obfuscator https://pypi.org/project/pyarmor/

for traffic you may want to construct your own way of e2ee, so the data leaving your application is encrypted even before entering into the network

keep in mind that even with e2ee, data from server back to your application is much less secret
also its still subject to a debugger attached to your exe, if someone is dedicated enough

also do you use pyinstaller or something? would compile into static C code with cython, and then C compile that be feasible in your case?

@bold grotto Except, you don't want to roll your own encryption because you're bound to get it wrong.

wdym wrong

also i forgot to mention cert-pinning as well (esp for native client and mobile app), in case rogue CA or user add bad cert

@bold grotto I mean.. are you skilled with cryptography?

That's why you don't roll your own.

you re not replacing tls, its for the content

in some occasional scenarios you dont trust the traffic after load balancer or something like that

construct your own way of e2ee sure sounds like you're telling them to roll their own crypto :p

i'm not suggesting abolishing TLS/HTTPS, just adding encryption of the contents, so any point that did not go through TLS get an additional protection
i mean when you're even worried about the user's computer having malwares that dump your memory stack ...

any obfuscation could further help

but i wanna say it'd be less of priority than getting the basics right, like TLS version, force HTTPS, or cert pinning

i mean when you're even worried about the user's computer having malwares that dump your memory stack ...

I mean, in that case, it's game over already

in some occasional scenarios you dont trust the traffic after load balancer or something like that

Im very sorry but if you have "in some occasional scenarios" and "or something like that" in a sentence doubting security of load balancers (which is yes indeed perfectly correct assuming the load balancer does perform TLS termination because then the info is decrypted at the load balancer and it could manipulate it without your knowledge, so its not a "in some occasional situations" but rather with some load balancer implementations) you should probably learn about how exactly TLS/HTTPS can be attacked before
a) doubting its security
b) suggesting an enhancement
and then learn much more about cryptography before you
c) ship your own addition to it

this is not meant as an insult but just what i think

Nix is right, also it's weird when you're saying

i'm not suggesting abolishing TLS/HTTPS, just adding encryption of the contents, so any point that did not go through TLS get an additional protection
when no one brought up HTTPS.

You should be using HSTS to force HTTPS - there should be no option that it can be stripped/removed in a downgrade attack.

you’re right though @orchid notch , ive never actually developed such exploit, or perform it in a practice simulation close enough to a real attack. this is what i think from testing an implementation aiming to mitigate those attacks, and some readings

i suggested those cause i have a vague idea that tls is an absolute protection, especially in some traffic that does not go through encryption.
also i might not be capable to, but op’s team might, and it would help as extra obfuscation over the contents
its also that others can give better insights into them instead of saying things like “seems like odd requirements to me”

can we do some PGP encryptions with python ?

Yes

I tried doing shutdown -i on my mac but it doesn't open the Remote shutdown dialog, does anyone know why or how to do this?

I also tried sudo shutdown -i but it only returned `
usage: shutdown [-] [-h [-u] [-n] | -r [-n] | -s | -k] time [warning-message ...]

`

so I need a some help

@thorn obsidian That's not really security related, though. #ot0-fear-of-python

the description for the channel is hacking and other things

I think it's related

shutdown 10.1.139.29 -h now when I entered this it returned:
shutdown: -h, -r, -s, or -k is required usage: shutdown [-] [-h [-u] [-n] | -r [-n] | -s | -k] time [warning-message ...]

but I already put -h

I'm really confused

How is this related to hacking - security?

cause I'm trying to shutdown another computer remotely from mine

anyways

shutdown -h now 239.255.255.250 I tried doing this

and it shutdown my computer

this isn't even my ip address

what am I doing wrong?

.......you cant shutdown another computer with shutdown(8)

shutdown(8) is meant to give all logged in users on a Unix machine a notice that the machine is going down at timestamp x and then shut it down at that time stamp

some distros will interprert shutdown a little different and just move to some other runlevel like for example openbsd is gonna go from runlevel 2 to 0 which can be useful in some situations

but youre just using shutdown completely wrong and clearly not understanding what youre doing

@thorn obsidian

https://www.youtube.com/watch?v=bmbeEYgiFgw

I just used this video

why is it wrong? If so, how do I shut down another computer remotely?

jesus christ

get away from that moron hes trolling lol

and next time you watch a yt video actually learn what the command does before executing it

lol

lol?

how is the upvote ratio so high?

i have no idea

people dont understand

they probably upvote before trying

I am deeply depressed now

do man shutdown and you'll see there is no option for a host

I was like how tf is that related to hacking

I'm not a moron

I know I have to ssh into the computer first

but need help doing that

no im saying the guy who made the video is a moron

oh srry my bad

but yeah I'm getting problems with the ssh

2025-HILLMAN:~ 38167$ SSH 46349@10.1.132.115
Password:
46349@10.1.132.115's password: 
Connection closed by 10.1.132.115 port 22

here is what happened

huh? the guy who made the video is trolling? he's not a moron

so why is my command not working

do you know the password for the user

it keeps saying the connection is closed

and yes

I put the password of the user

I own the two computers

type -v in your ssh command

and paste the output

SSH 46349@10.1.132.115 -v

like that?

uh, yes, might have to be before the other part, I dunno

also why are you using SSH and not ssh? is SSH a custom alias or script you have?

OpenSSH_7.6p1, LibreSSL 2.6.2
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to 10.1.132.115 port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /Users/38167/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/38167/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/38167/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/38167/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/38167/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/38167/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/38167/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/38167/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.8
debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.1.132.115:22 as '46349'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> ```

debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:A3LwG5/s+pc5qY9B8+eHcOZNvVSbh3jg+hOytqEButM
debug1: Host '10.1.132.115' is known and matches the ECDSA host key.
debug1: Found key in /Users/38167/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey```

debug1: Next authentication method: publickey
debug1: Trying private key: /Users/38167/.ssh/id_rsa
debug1: Trying private key: /Users/38167/.ssh/id_dsa
debug1: Trying private key: /Users/38167/.ssh/id_ecdsa
debug1: Trying private key: /Users/38167/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:

@velvet field

SSH 46349@10.1.132.115 -v
``` this is what I typed

and after you type the password?

oh wait

mine or the other computer?

yours

Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive

I also tried putting the other computer's password and got Password: Connection closed by 10.1.132.115 port 22

oh, I didn't realize what you were asking, the password you are entering is for the user on the remote host.

oh ok

so anyways I put it in and got that

what do I do?

I think you might just be typing the password wrong

if you have access to the remote host, you can check the ssh logs to see why it's failing

how?

it depends on what linux you are on, for ubuntu and some others/var/log/auth.log will contain SSH password failures

on mac

doesn't work

sudo grep 'Failed to authenticate' /var/log/secure.log on SSH server

security find-generic-password -wa labnol I'm trying to get the wiki password but it said could not be found

am I missing something in the command

this isn't related to security

move to #unix

ok this is related to the channel, is there any way of shutting down all the users connected to a wifi network?

Unplug it

shut down? as in power off?

and how is this exactly security related?

¯_(ツ)_/¯

whenever I try to ssh into another computer it keeps saying the connection was lost

does anyone know why?

Connection closed by [SERVER_IP]

please help me

Like I've said before, this is not security related, please move your discussion to #unix

it's about hacking tho?

you're debugging an issue with ssh

i fail to see how this is about hacking

@thorn obsidian Are you trying to get access to other computers you should not have access to?

nope, I'm just trying with both my computers

that I own

Well, then it doesn't really fall under hacking, but rather, like @thorn obsidian said, it would be a topic for #unix or maybe even just off-topic, since it's probably not Python-related, but just ssh related.

I'm not on unix

Well, it's clearly not related to this channel; we have a #491524019825278977 channel if you're on Windows, but if it's not Python-related, an off-topic channel would probably be better

I'm on mac

mac is a unix based operation system. so ask in #unix

Well, that's unix-like enough for the #unix channel, if it's Python related

out of curiosity of opinion, if i were to hash a master username and password and encrypt accounts in AES-256 for a password manager, who would believe that to be sufficient security?

hashing with blake2b and a salt* i must add. scrypt was not a preferred method for me as the byte response would potentially be too much for a small sqlite storage option.

that depends how you use AES to encrypt the passwords

if you actually want it to be secure and you cant answer yourself the question wether your design is secure you should probably rather use something exisitng

if its okay to be insecure build your own

any vim ninja?

any vim ninja?
so in my one file, txt is like this
127.0.0.1localhost

i want to remove only 127.0.0.1
there are 400 lines

sed 's/127\.0\.0\.1//g' file

@glad cobalt

if that looks good to you, add the -i flag to edit the file in place

but this isn't related to security... please, in the future, ask questions like this in #unix :)

@orchid notch I do believe it to be secure, I was just curious of other's opinions. Currently I just use system user with the master password (asking for it with a prompt) instead of its hexdigest. That, at least in my eyes prevents an attacker from gaining access to any of the accounts without knowing the actual master password and passing that victim's system user name as well or just using brute force

That as I already said depends on how you used AES

There are ways to use AES that would make it trivial to attack even with a 32 character password

do you have an example of a different way to use it then? i just create a new AES object with the previously mentioned items as the key ensuring the key is 32 bytes, and then use that to encrypt and decrypt.

There are many ways to encrypt using a key and the AES algorithm

AES is a cryptographic primitive meant to be used in a certain block cipher operation mode

Plain AES aka AES in ECB mode is easy to crack

While things like AES CBC or if you want an authenticated cipher even AES GCM are way harder

@safe lark You'd use KeePass or the like, rather than rolling your own.

i use the suggested EAX mode. i was aware of the operation modes yes, and certainly wasn't going to use the other modes

and philip i already use something else. it was a project i felt like doing and i did it

i am fully aware how pointless it would be to use mine. it was simply something that occupied me for a day

hence why when i came here i asked out of curiosity for other's opinions on the methods i was using, rather than asking if i should

i must say though, please just discuss with people if their method would be secure and if not how to go about making it better. I'm sure KeePass and the like wasn't made when someone told the developers just to use LastPass or the like

You'd be correct, since KeePass ( according to https://keepass.info at least ) has been around since 2003.

?

I'm sure KeePass and the like wasn't made when someone told the developers just to use LastPass or the like

yeah, my point was don't just tell somebody "don't try, you won't do any better. use what's there" i wasn't actually referring to release dates

Also, this is #cybersecurity - and it'd be more secure to not roll your own encryption/ciphers/hashes/etc, and instead go with a system that's been audited. Have you thought of timing attacks to your implementations? Do you have a Phd in math/cryptography? This isn't meant to bring you down or be seen as a personal attack. If it's for learning, by all means, but otherwise I'd suggest using KeePass/Bitwarden instead.

i'd argue that this entire server is based on learning or helping others further themselves. seriously coming at me and saying "if you don't have a PhD don't waste our time lol" is rude and degrading even though i don't care what you think

I think you've misconstrued what I've said.

As long as he is calling into library provided methods like he said he does it's not his fault if he has timing attack vulnerabilities, at least read what he says before criticizing him

thank you Nix, truly

@orchid notch I have read what he's said.

and yes, i use pycryptodome. since the original pycrypto was abandoned (at least to my knowledge) and pycryptodome was a fork that carried it along

Does pycryptodome call into C code?

Yes it does

according to them directly

PyCryptodome is not a wrapper to a separate C library like OpenSSL. To the largest possible extent, algorithms are implemented in pure Python. Only the pieces that are extremely critical to performance (e.g. block ciphers) are implemented as C extensions.

could you help me understand how essential that is to the security of it as a whole?

@orchid notch Everything from the beginning of the conversation of using sqlite, to your response of if you actually want it to be secure and you cant answer yourself the question wether your design is secure you should probably rather use something exisitng. The condescending at least read what he says before criticizing him isn't appreciated.

But, this is where I leave the conversation regardless. Good luck @safe lark

👋

thanks

@thorn obsidian I mean the first statement is basically a mirror of your: use something existing but provided with an actual reason when he should do that and why

is there a way for people to know whether im using recaptcha v2 or v3 on my website?

is there any clue that gives it out?

How to track location using mobile number?

that sounds illegal

!rule 5

Ok

Some1 tracking me that's y i asked

Then you need to contact law enforcement, not us

It may be legal if you track your own phone, but it’s a bit silly

On second though it’s not about who, but about how

Many ways to if they visit places they shouldn't or give it to people they can't trust

I think this is the place to go.
I am trying to import an SSL self signed cert with Python 3.8 to the cert store in order to connect to and pass requests to my device.

I have spent a lot of time and sorted out many issues, just stuck getting cert_human working

If anyone knows how to import, add and verify a cert with python, that would be very helpful

I had a heck of a time getting to the point I am, so any help would be appreciated.

This is for a non profit in Uganda ^_^

@thorn obsidian You'll need to present some code, as we have no idea what cert_human is

I think I made a mistake @thorn obsidian. I'm going to try again and then post something.

Let's try a help channel?

Sure

!free

Ouch..

Well, in a bit, then.

Not urgent. Neet to eat etc

Sure, no problem 👍

Thank you very much. First python day was fun

Looks like they wanna go unsecured, so no more issues with that in python. Moving on to the payload and log in bits. I'll be back if still struggling, (read as, "I'll be back.").

...
usrnm = input()
passwd = getpass()
usrnm_hash = sha512(usrnm)
passwd_hash = sha512(passwd)
hs = usrnm_hash + passwd_hash
f = Fernet(base64.urlsafe_b64encode(hashlib.blake2s(hs.encode()).digest()))
...

Is this good encryption key to encrypt personal files ?

so you're getting the sha512 of your username and your password, concatenating the hashes, hashing those with BLAKE, encoding as base64, and finally using that as a Fernet key...?

dunno dude, seems like a lot of steps to achieve.. not a lot

and the definition of "good encryption" depends entirely on your threat model

@thorn obsidian If you're encrypting personal files, VeraCrypt or LUKS are the go-tos.

These patterns are used to secure banknotes ~ money
I have also seen them in exam booklets

@thorn obsidian How is this related to the channel?

@thorn obsidian @thorn obsidian thank you guys

https://youtu.be/VGDxCCrpkiM

Last time i've read an article about this wall, they were saying they didn't use it really for production purposes

Ah seems it's really used https://www.cloudflare.com/learning/ssl/lava-lamp-encryption/

hi

i'm new in this chat so...

if I want to share programs

what can i do?

@thorn obsidian what kind of programs

like open source projects?

then go to #303934982764625920

note that it has to be mostly Python

and open source

thank you

anybody knows about MyLockbox software?

in a client/server system, where encryption is done by a key exchange handshake, which party should be expected to initiate the handshake? the client or the server?

the client

depends on the implementation, but 90% of the times it's a Client Hello first

Can I get some help creating rainbow tables?

Im following this guide http://kestas.kuliukas.com/RainbowTables/

Problem is I keep having false positives on identifying wether a hash in a given chain

As you could use those go be a very very bad person and crack other people's passwords

I don't think you're gonna be help

@orchid notch You can do evil things with a lot of things, but you can only prevent them if you know how they work

As a Sysadmin, I regularly attack our network maliciously

Yeah and it's cool that you do that

However the server rules state that we shall not help with such behaviour because we can never know the intentions behind the person asking the question

....nice, posted a question here and instantly forgot about it lol
late, but thanks nix and xx \\🐱/

is there a way of shutting down computers around me without sshing?

No.

!rule 5

No, I want to test with my own computers

sorry if that wasn't clear

that does not matter

as i explained just 2 messages before yours

Aside from obfuscation, since Python is generally interpreted, is there other ways secure your source code? Like non-"security through obscurity" ways? Or is it just "if you're that worried pick a different language" situation.

just dont ship your source code to the computer

well

the users computer

How would I protect my .exe file running on compiled .py code from being cracked and reverse-engineered?

You wouldn't

U can't hah

It's a bad practice to carry a master password as private method initialized in a class?

I don't understand the question at all, and yet I'm pretty sure the answer is "yes"

My situation is this

The user gives me a master psw

with that he unlocks all his passwords and can save new ones

But I don't want him to write it for every action

So I thought that after he writes it one time, and it's checked, I should temporarily store it in a variable of the class

my guess is: if you're writing code that accepts a password from a user, you're already doing it wrong

security/crypto stuff is notoriously hard to get right; the wise engineer uses ready-made stuff as much as possible

can I show you what I did?

sure

https://github.com/kuttz-dev/Password-manager

Many things are in spanish

but let me explain it to you

ah! well a password manager is the rare case where it does make sense to ask for a password from the user 🙂

I assume you're doing this mostly for fun

To learn as much as I can, and to use it so I don't have mines in a txt

for heaven's sake, use a real password manager, not one you wrote yourself

I don't expect it to be really secure, but to be better than a txt

if you use a Mac, you have one already, called "Keychain access"

I don't use Mac

ok, if your expectations are low, then I guess you're fine

yes they are low, I wan't it more like to organize passwords for me base on categories and pages

I do not intend to read your code carefully; that'd take too much effort. But if you can post maybe 10 lines of code that demonstrates your question, I'll look at it

yes I was going to do that

To save a password, I ask for a master password, wich I use for creating a key

it's odd, but I can't think of a good open source password manager

using this:

It the same if it is not open source, people who whant to hack it can open files and see what they like

def generar_key(contraseña):
    contraseña = contraseña.encode()  # Convert to type bytes

    salt = b"\xb8M\xce\x94\xbd\xfa\x0f\x1e\x04\r\x83\xea\xa1\xbbD'"  # CHANGE THIS - recommend using a key from os.urandom(16), must be of type bytes
    kdf = PBKDF2HMAC(
        algorithm=hashes.SHA256(),
        length=32,
        salt=salt,
        iterations=100000,
        backend=default_backend()
    )

    key = base64.urlsafe_b64encode(kdf.derive(contraseña))  # Can only use kdf once
    return key```

Then with that key, I encrypt a little message and save it to a db

well ...

what's your question?

how can I do to not ask the user to enter the master password every time he want's to do something in the same session

ah

sure, save it in memory somewhere

there are reasons that's insecure, but I doubt you care about that

an attribute on an instance is as good as any place, I guess

but if I store it as a variable of the class, then anyone creates a new file, imports it and then he can send an email with it

I want to do it as much secure as my knowledge admits

I didn't understand your first sentence there

I mean, that if in __init__ I have self.master = "" and later I assing the real master, anyone could get it doing that

?

certainly you're not going to enter the master password into your source code

I wasn't suggesting that

no no no me neither

I mean, I create a blank variable in initialize, and later when the user enters the master password, I store the value in that variable if it is correct, and it will get ereased when the program stops

http://ix.io/23kR

yes, of course it will get erased when the program stops

if you want to preserve the password after the program stops, then you're screwed.

There's no way to do that that's any more secure than storing the list of other passwords

I don't wan't to store it after the program is stopped

well yes

then I don't understand your problem

I mean, that the problem if doing self.master_password = master_password is that anyone could create a new file, import MyClass, and do print(MyClass.master_password)

it sounds like you're not in control of the computer you're using

what kind of computer is this, that has random strangers on it, able to access your running program's memory?

I strongly suspect you're worried about something that isn't a real problem

Butttttttttt 😦

I also suspect you cannot demonstrate the problem you're actually worried about

write 10 lines that demonstrates the problem. Then we'll talk.

gonna do it

FUCK

you are right because

heh

in that new file i will do another instance of that class

https://en.wikipedia.org/wiki/Rubber_duck_debugging

well it's still insecure if you execute it from that new file

or if you modify the main

but

that would be

a) I don't understand what you mean; b) I don't believe you anyway 🙂

in any case

b sounds like a good argument

I won't discourage you from exploring security programming; but I will suggest you be very humble

also: https://imgs.xkcd.com/comics/security.png

i know I don't expect of this to be secure as lastPass or any real program like that, but I want to do the best I can, that inclues to fix any possible problem

sure

but you won't be able to fix every problem you think of.

you'll think of 10 problems. Five won't be worth worrying about. Three you'll fix. The other two you won't know how to fix.

Then there will be 20 problems you didn't even think of.

I know, but I won't stop till those two are fixed or that's what I want to think

take a look at https://docs.python-guide.org/scenarios/crypto/ ... it recommends a couple of libraries that will do most of the heavy lifting for you

thank you very much

I personally would avoid the GPG library, since GPG terrifies me

sorry if this isnt the place, but

[6:50 PM] offby1: it's odd, but I can't think of a good open source password manager
by this do you mean "good" as in "secure"? or just in terms of a nice interface?

both

terrible interface == insecure, as far as I'm concerned

since I'll probably use it wrong

the Keychain thing built into Macs isn't a really good interface, but it's good enough

hm i guess thats pretty fair lol

when i was choosing i couldnt find anything bad about kpxc (what i went with) other than being a bit clunk

in practice I use LastPass, which I kind of hate, but it does work, and I'm in too deep to switch 😐

never heard of KPXC, but I'd tried keypass ages ago and found it too clunky to use

huh, I can install it via homebrew, which is very encouraging

i like it a lot, especially that you can set a global keybind, which then reads the title of the active window and opens a popup to pick a password to autotype

slightly creepy but probably handy 🙂

with a browser plugin it can also read current web address but thats the line for me personally lol

if you're serious, you have to study the source code to kpxc and the browser plugin

and hell, the browser itself 😦

oh theres no way im ever touching that plugin

didnt get anywhere trying to read kpxc but as far as i can tell from behavior, its only smart enough for window titles; if you press the bind on a terminal window with a title like a website, it offers those passwords

that UI really looks like amateur hour 😐

I admit I'm a bigot, and that I judge apps by their UI polish.

but if they can't afford to make a good initial impression, I fear they also can't afford to get the code right

pay no attention to the default icons with white feathering around the edges in dark mode

couldn't help but 😐

@olive lark do you want to see my UI?

but if you don't like keepassxc ui I dont think you will like mine

no thanks; I probably won't like it, but won't be able to offer any helpful suggestions, either

I just complain a lot

@olive lark keepassxc is widely acknowledged as the best password manager, i'm sorry the UI has turned you off but as time goes on, you'll come to realise that the better a programmer is, the worse their graphics sense is, and we're big endorsers of "simplicity is key"

LastPass I would stay far away from, personally

I do think programmers have a tendency to overcomplicate GUIs so depending on your interpretation, "simplicity is key" doesn't apply.

Or maybe it's just a lack of thought that naturally makes it look complicated with clutter

I dunno

cluttered, yeah, maybe

It's definitely not over-engineered

I could say that much

any rainbow table experts out there

im trying to find a good reduction function for my tables

Hello!

Hey there

wat

hello

https://thehackernews.com/2019/12/linux-vpn-hacking.html

if you want to get the passwords for all stored wifi's, then use this

from subprocess import check_output
from re import split

output1 = [split(r' +: +', i.strip())[1] for i in check_output("netsh wlan show profiles", shell=False).decode("utf-8").split("\n") if ": " in i]

print("Wifi Passwords:", end="\n\n")
for wifiNames in output1:
    output2 = [split(r' +: +', i.strip())[1] for i in check_output("netsh wlan show profiles \"" + wifiNames + "\" key=clear", shell=False).decode("utf-8").split("\n") if (": " in i and split(r' +: +', i.strip())[0] in ("Key Index", "Security key", "Key Content"))]
    print(f"{wifiNames:<40}:", end="")
    if(output2[0] == "Present"):
        print(f"{output2[1]}")
    else:
        print()

__import__("os").system("pause")

For windows

uhm...

Aloha

vamos

out of interest, would you be able to plug in a camera and a mic to a raspberry pi and from there be able to use it in a python module, or is there any config first beforehand?

I don't think this is related to #cybersecurity

well i want a secure server with a facial recognition and voice recognition

think its more #algos-and-data-structs or #microcontrollers maybe

ah yes i suppose

thanks 🙂

np 😄

does anyone know how android encrypts disks and sdcards and how i would decrypt it if my device breaks?

not me

@tepid rover https://source.android.com/security/encryption/

Note: Full-disk encryption is not allowed on new devices running Android 10 and higher. For new devices, use file-based encryption.

Hmm not sure if technical enough to help much

Oh one of links describes it more

i just sucsesfully printed hello world and now i want to hack nasa

This is a little off topic but could I potentially infect my machine by webscraping with free proxies from the internet? I’m only using requests and no browser, but I haven’t been able to find an answer regarding my specific usecase. Thanks

As long as whatever you're using the scrape the websites is not evaluating JavaScript + as long as whatever tool you are using to evaluate your results is not vulnerable to some parsing flaws (both highly unlikely) you're gonna be good

https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/

Does anyone know of any good sources to help protect the scripts source code etc from 'sneaky eyes' / thiefs.. E.G I plan to compile all my script into a .EXE file e.g py2exe but was hoping to protect it as best as possible from reverse engineers?

I don't know any good way to do that

so much so that I wouldn't even try, tbh

@median heath You wouldn't

Why so?

You'd put in considerably more effort than is worth it, and it's trivial to decompile.

@median heath use Nuitka, compiles Python code into C's executable, which is much harder to crack

Also, anyone knows a good way to create a whitelist/authentication system for the program running on Python?

I am using Postgresql database on the server to store all user credentials

but I am not sure where to start and how to exactly organize the communication between the database on my server with all the credentials, and the user running the program.

@plucky geode I'll take a look in a second.. 🙂

How many end-users are you going to have?

Well, for now, less than 50

In the future, maybe a bit over 500

I'm using an external company which uses a licensing system upon opening to validate if the users license is valid and then it can be limited to one PC/multiple etc.

It's only a few lines on code

of*

Something like Pyarmor?

Oh, I've never heard of them

Take a peek, very user friendly. There is some cost, dependant on user-amount. I think it's reasonable

Yeah, looks sleek, but I was thinking about building the system myself, so that I could customize the code if needed

Same!, I've been looking also, would much rather manage myself. But for now it'll do

Plus don't really want to get into monthly subscription thingy

I didn't have much luck when trying to find something that;ll work for me and that I could manage of my own DB etc

But i'm a rookie, so eh

Hmm, I was thinking about creating separate users for the database. Basically, 1 user = 1 license.

Therefore, people will connect to the database automatically via their DB username, and program will authenticate them.

It works with the Postgresql, but I don't think such thing exists for the SQLite or MySQL?

In theory, sounds easy, I guess the security aspect is the issue

Yeah, maybe someone with more experience will share his thoughts

@plucky geode I hope you're not letting users operate on the db directly... that's a recipe for disaster

I recommend setting up an API. Users are handed API keys which can be used to start sessions

I'd make it so you can't have more than one session active per API key

Then, the session identifier/whatever can be used to talk to the API, which operates on the database

This way you can easily restrict who has access to what parts of the database without having to mess around with DB users

@thorn obsidian Thanks for the help, I think that Postgres has native users features, and I can restrict access to what parts of DB users have, as well as what they can only read or write to. Natually, users won't know the credentials to access the DB on their own. I will make program communicate with DB instead of actual users.

API and Sessions sounds like a good idea, and I might implement it in the future, but I need a rough and fast way for now XP

if you plan to use postgres users for permissions then this is also an interesting topic: https://www.postgresql.org/docs/12/ddl-rowsecurity.html

I've been working on an encryption/cipher technology for a while now and I've just merged a PR to implement AES encryption. Could somebody take a look maybe and let me know if they see any glaring issues in it? It's not a lot of code and just 1 file. https://github.com/M4cs/Pixcryption

the first issue is: you're rolling your own encryption. If you're just doing it for fun and learning, great; but please don't use this on anyone else's data

@olive lark why is rolling his own encryption a problem? i'm just curious.

typically people who know a lot about crypto warn newbies to be careful, because it's much harder than it looks

https://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own <-- second google hit, e.g.

I'm not rolling my own encryption. It's using AES for encryption. I'm rolling my own cipher layer on top of AES

shrug

@olive lark has a point. I've been around encryption/ciphers for 15~ years and know AES a little bit, and I'd still recommend not rolling your own.

@chilly elk there is using AES and there is using AES properly

just because you use AES does not make your system secure

in fact you can create a false sense of security for your users if you say "we're using military grade encryption" just because youre doing AES

AES has to be used with a proper implementation thats invulnerable to side channel and timing attacks

in a proper mode

with proper parameters

and exactly at that point it becomes secure

Ok I'm under 18 rn

so I want to do cyber security

I'm confused with CEH and OSCP

Which should I do

Is CEH good for getting jobs

And others like CompTIA are required or no?

OSCP holds far more value than CEH

ik that but is CEH good enough to get a decent job in Cyber Security?

meh, it's less about your certifications and more your portfolio

like things you've done, projects etc

I'm employed in infosec atm and I have 0 certs :) (apart from CCNA, but it's not really related to my field)

friend of mine got a low level job at a security company. started by just doing secure erase or following scripts to compile diagnostics for smarter people.

worked his way up the chain

yea that's the way to do it

if you prove you know what you're doing, you'll have no issues with that

company paid for quals etc too

he was always a big sec conference watcher too

yeah, same here

company's paying for me to get my certs

which is.. really cool, I guess

yeah

con watching is probably how i got into reading security stuff in the first place

Hi guys, just a completely out of the blue question here, not relating anything to do with python (maybe some to do with security, not sure where to ask this). Has anyone purchased an e-gift card before? And if you have, do you know if it contains like a Card Number or a Card PIN?

if you mean a store specific card like a steam card, it will have a code on the back which you enter in usually

https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/
As it turns out, .lower(), .upper() or .casefold() on unicode in regards to e-mails is bad. 😄

o.O

ouch about sending to the provided email, because it clashes, that's very easy to overlook when coding

Hi, question. Does anyone here have any experience in digital forensics? If so I could really use some help

I'm trying to mount a .img file that is supposed to be a forensic copy of a hard drive. But neither Kali nor Windows will let me mount it. Says it is corrupt

You don't mount direct images of disks, you use forensics tools to look through them

can use some tools like volatility

hello

hello

hello

hello

what am i missing out on

well we're about to have mac and cheese, and I'm sorry to say we didn't invite you over

guys want inputs as in material, things to learn.... on cyber security threat analysis-- like where to start.....or any suggestions
was looking into materials from https://medium.com/cyberdefenders/python-for-cybersecurity-lesson-4-network-traffic-analysis-with-python-6321f4c9d3f7
but this does not share any insights on threat analysis.....
do share your inputs
🙂

My one suggestion is be carful with things you download: noobs in this realm are often targeted for trojans, etc. Good luck o7

hey, how best to start writing a security system in Python?

"security system"?

my question exactly

@thorn obsidian What's a "security system"?

laser grid with no safety switch

it goes full Resident Evil cube dicer on you.

@thorn obsidian it has resolved itself

Why my recommendation in IG is too relevant for me...but I didn’t even search anything related to it
Does google collect all cookies and distribute it to other companies?

yes

or ads on instagram are powered by google ads

beacuse it's literally what i searched few minutes before

instagram is owned by facebook

does facebook purchase google data? who knows.

but they have enough of their own ad data gathering techniques

facebook are insanely good at targeting ads

doesn't matter if you have a facebook account or not.

any site with a "share to facebook" button is probably supplying data to facebook about your browsing habits

i mean they know your IP, your browser, your browser version, likely operating system, etc, etc

it's enough data to build a semi-unique fingerprint

so i got a voicemail transcript this morning of what sounded like two kids using a kind of dialer and putting in numbers

i have the whole thing recorded

they put in like 35 different numbers in a specific sequence

i have google call screening so if i had been awake they wouild have been sent to the bot

now i have the whole transcript and the entire convo recorded

what do i do with it

i feel like they were trying some shenanigans to get past my 2fa that i have on my gmail

i doubt they did it

people can control your bot by placing a phone call?

no i think they were trying to bypass 2fa

well I wouldn't worry about that

https://voca.ro/19KHy56Mcqi

if you wanna hear it

google should know what they're doing as far as security goes

theres one idiot using the phone and the other sounds like hes in a vc telling him what to do

shrug

like i legit have no idea what they were trying to do

and it looks like they used a real phone to do it?? cause im able to call and text it

and it shows up as being a real number

so theyre getting call bombed rn

so he responded to my text

i spent like an hour trying to get him to tell me what he was doing

i called his local police and like a minute later the kid actually called ME and i TALKED to him. he just said the same bullshit he was saying in the sms

Hi

I'm looking for a cyber project

and I really need ideas

whats a cyber project

Implement TOTP from scratch?

What's TOTP @daring sedge ?

https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm

Oh

Well that sounds cool

thanks 🙂

also does anybody know a library that messes with linux's login?

i mean

you have the login command line program, thats all you need

nuu

how do I access the linux api from python?

there is no such thing as "the linux api"

if you wanna login as a user just use the login command line tool imo

@icy saffron Are you talking about hooking into Linux authentication via PAM?

yeaa

@thorn obsidian

no.

You can just ask your question. The server has over 30k people. If someone reads your question and knows a thing, they might respond.

😩 😩

any of u ever used JonDo proxy?? How is it any comments?

does it like change server/ip after some interval of time ??

it looks like a mostly abandoned alternative to tor that has 15 downloads a week and is written in java

It looks like you define the hops from a list of publically accessible nodes. If your aim is to layer proxies, you are probably looking for proxychains

@rocky horizon

if your aim is 'anonymity, good enough unless your adversary is a nation state', you're looking for tor

I've heard of JonDo proxy, but never used it. I didn't know it was still a thing, and wouldn't use it now.

@tribal stag is right. You'd want Tor unless you've pissed off the NSA, which in that case gg.

There's not one bit of this that doesn't sound illegal

!rule 5

<@&267629731250176001>

!warn 311919809895858177 "That discussion is not appropriate for this server"

:incoming_envelope: :ok_hand: applied warning to @rocky horizon.

Umm its my local server so🙄🙄🙄🙄

Does not change the nature of it.

I just asked if jondoe will do my shit

Hey, between a ssh connexion, and a VNC connexion, which one is the safest?

well

VNC is completely unencrypted

SSH is not

decide for yourself

I guess it's best to use ssh + X11

weeeeeeeeeellll

since I'm not a cmd killer, I think I would need sometimes a interface

there are some security concerns with a certain mode of X forwarding over ssh

as is mentioned in the OpenSSH client manpage

     -X      Enables X11 forwarding.  This can also be specified on a per-host basis in a configuration file.

             X11 forwarding should be enabled with caution.  Users with the ability to bypass file permissions on the remote host (for the user's X authorization data‐
             base) can access the local X11 display through the forwarded connection.  An attacker may then be able to perform activities such as keystroke monitoring.

             For this reason, X11 forwarding is subjected to X11 SECURITY extension restrictions by default.  Please refer to the ssh -Y option and the
             ForwardX11Trusted directive in ssh_config(5) for more information.


     -Y      Enables trusted X11 forwarding.  Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls.

An attacker may then be able to perform activities such as keystroke monitoring On server-side, or from the controller computer?

i think what's meant is that a user that has compromised your server could get access to your local X11 server as the X forwarding allows the remote connection to act as an X client. And as X is a protocol not caring much about security the principle is that every keystroke is sent to every x client

which could in theory allow an attacker on the server to keylog you via this connection

at least thats what i think they mean

hum ok. I'll stick with ssh command line for now then.

X over ssh is painfully slow, whenever I've tried it

i remember a colleague of mine having a nice program that helps with that

but i dunno remember the name

yeah at work some people use some super-complex thing that claims to make it go faster, but it too sucks. I just use console-mode only for my remote stuff

https://www.nomachine.com/ is what they use. I found it not worth the effort.

i mean im all for console there was justone occasion he had to use it

and it wasnt really complex at all, just some command line tool

if your network connection is snappy, your "screen" is small, and your personality is patient, plain X over SSH will be fine 🙂

what is the best way to Encrypt Android phone ?

using androids inbuilt encryption

under "Security & Lockscreen"

Hey. What would be the best way to go about securing some on-disk json data with a password? From what I can tell, a key derivation algorithm like argon2 to generate the key for an algorithm like chacha20 or an AES mode should be good? I'm a little hazy on the IV component though. Is it alright to be saving that as plaintext along with the encrypted bytes to a file?

This is very small amounts of data so performance won't be an issue

How are you using the information?

i.e., are you storing it in a DB? Is it just random JSON data stored on-disk? If it's the latter, VeraCrypt/LUKS would work. We need more information.

Data that needs to be store on disk of the users of the application I'm doing

And transportable as a file

who are you protecting the data from?

Malicious entities/software

😐

like for example?

If a computer is compromised the data is not

wrong

if the computer is compromised, the game is over

I guess it is possible for keyboard inputs to be captured

they surely can

But that's unimportant

including when the guy is typing in his password

the only case I can think of, where on-disk encyption makes sense, is: someone steals the computer and takes the disk out, and wants to get the information off of it.

but if there's evil software running on the computer, game over; we all lose.

Not necessarily

yeah yeah if the evil software is running under some user account that doesn't have privilege to read your file, sure OK fine

From a software perspective, yes

Not from a human one

Stealing a folder from a hardcoded path is much easier than setting up a keylogger and sifting through possibly weeks of data for 7 keystrokes

knock yourself out

The way I see it, there's no reason not to encrypt this data

It decreases the attack surface and adds a time and effort barrier

This application would be password protected anyhow so the user isn't suffering

@sly sonnet is this software running on end-users machines or ones you control?

End user machines

there's a few ways you could go about this

depending on who you're protecting against

if it's other software with filesystem access to the user's data at rest (ie when your software is not running), then:
generate N random bytes to use as a key. Store them in the system keyring. Then access that key from the system keyring on startup and use a good symmetric cipher to decrypt the user's data.

That sounds quite good but wouldn't that hurt portability?

yes

I would rather the files be self contained so they could be transported

system keyring support is better on Windows and Mac than on Linux afaik

oh hm

Yeah you could do that as an export/import system

backup/restore

where it reencrypts with a random key and gives the key to the user

That does sound like a good solution but this would ultimately needs to support all three platforms as well though

I don't have experience working with OS keyrings. it's something you could look into.

keep in mind that portability often means special casing all platforms 🤷

Maybe there's a library that abstracts it

How come?

If they all do the same thing differently then you don't have much of a choice

Something potentially easier and more portable, but trickier in other ways, is to do the same thing, but have the user store the symmetric key, and using argon2 or some other key-stretching algorithm.

Already using argon2

yes

anyway the gist is the same

use argon2 to derive a symmetric key

use a symmetric cipher to encrypt the data at rest

Yep doing that

And the nonce component?

Just store that in plaintext along with the encrypted data on disk yes?

uh

what are you using that requires a nonce?

Well, IV

ChaCha20

But most AES modes need one anyhow

https://pycryptodome.readthedocs.io/en/latest/src/cipher/chacha20_poly1305.html

I'm a bit over my head here but I don't think you need a stream cipher here

lemme read a bit more

Oh I'm just as hopeless don't worry

from what I can tell you'd be better off with a block cipher such as AES

but I don't think AES is the right choice here either…? since it's asymmetric you need a public and private key

I don't believe AES is asymmetric

AES is absolutely not asymmetric

With everything I read I get more and more confused as to watch I should use

As it does not matter whether the same plaintext always produces the same ciphertext, AES mode SIV seems to be good for my purpose

I don't understand what you're making, @sly sonnet

I was under the impression this was on a server or some such. What's the JSON and what's it doing on an end-user's machine? Why does it need protected?

need some advice for a flask app

that I made/making

well then ask

instead of saying oyu want to ask

okay so, I have a key based auth for a flask app, connects to a server and verifies key and then renders the next page. ill mention Ive only done the backend (py) and we hired someone else to do the front end.theres a problem with the way it is right now tho. when youre at the login page, you can manually go to the url of one of yhe other pages, bypassing the auth. whats something I can do to avoid this? should it be backend or front end? ill also mention that the urls of the other pages are in the html

first of all authentication should obviously be handled in the backend

and

just have a cookie that shows the user is logged in or not and if he isnt dont allow the access i guess

yeah the auth is backend, which was done by me. and okay so youre saying that my problem is on the front end?

well i dont understand how your issue is even possible if the key gets verified

it gets verified, then renders home.html. but the way the html is set up, I guess it has like each page url hardcoded in, so like if you just put in a url, it jumps auth and everything is fully functioning. granted this app isnt gonna be reaching a bunch of people, and doesnt hold sensitive information, this is more or less practice with larger projects, and me working on security. im not sure what to do at this point tho, as everything ive done to try to eliminate functionality just returns internal server errors

aka breaks the entire thing

that just bullshit

that design

if you for example have a profile

you should have a profile.html template in your backend written in jinja2 for flask

that gets filled the information from the account thats associated with the key

so which part is bullshit? lol as I said, I didnt write the html/css/js so if thats it, I have to talk to the person who did. if its something else, thats on me

the whole design

from backend to frontend

flawed

okay but as I said, first time doing this shit, you’re acting like I do this for a living

people gotta start somewhere g

nah if i was acting like you were doing this for a living i wouldve told you to stop doing^^

when someone asks for advice, they need help obviously. the proper response isnt to call everything bullshit lol

well im just saying the entire design is flawed

because youre asking for what part is flawed

k thanks

so

usually when designing a website that has authentication, or any user stuff in general with for example a profiles page

you have a template written in https://jinja.palletsprojects.com/en/2.10.x/ when youre using Flask. Then once you get a request you verify the API token and find the associated user in your DB, fill out the flask template with the info you got and send it back. so for example youd have the URL

example.com/profile.html

which gets a request with a JSON content like

{
  "token": "uuid4 thingy or so",
}

then you check in your DB if "token" is

1. a valid token
2. for what accoutn its valid
   Then fetch all profile info from that account, fill it into the template which will generate you some html

and then return that to the web browser

okay thank u

@thorn obsidian Sorry about any confusion. This is an application run by users which has sensitive information personal to the user that needs to be stored on disk and password protected

Im trying to write a telnet honeypot to for IoT goal is to report nets but need help with login system as it needs all login to be true

I suggested that @thorn obsidian should look into telnetlib but I have no actual experience with this, so I sent him here to get help. you guys are so talented, maybe anyone have an idea?

yeah i know nothing abt telnetlib im using sockets trying diffrent things atm

Worked it out

utf-16-le has to be used for encoding

i was trying to use utf-8