#cybersecurity

And we've clamped down the login attempt functions to something like 6/min if I recall correctly

As a counter to brute force

(Everything after the 6th login attempt in a minute gets served 429 Too Many Requests)

per account, or per IP?

anyone have any experiencer on sqli injections

@thorn obsidian per IP

Using werkzeug proxy_fix to get the correct IP out of the Forwarded-For headers

!ask @tranquil basin

@hollow moth so if I attack cycling through my ipv6 subnet, I get 2^64 * 6 attempts a minute? ;)

@thorn obsidian no, I don't think Werkzeug's proxy fix cares about your subnet

werkzeug's proxy fix doesn't do a thing if I don't supply any forwarded-for headers

or, rather

there's no NAT happening on my end

if you pass the request to your backend with the X-Forwarded-For header, the specified host will be different for each attempt

that's interesting

what would be a method to handle it for more obscure things like that?

first thing that springs to mind for me is an nginx reverse proxy with a fail2ban rule

So, you'd do it based on account

6 attempts per 10 minutes is a good idea, and then temp ban the account login for 24~ hours

Though, setting it to new logins would be a good idea. Otherwise you have a DoS

I found a brute forcer that take an input that is in the code then attempts...
Takes forever if there is a capital letter tho...

password is Hello. found in 651397311 guesses.
This just finished

you ran a program that did 600 million somethings? Geez

I got it up to 1 bil after...
I can post the code if you want because it can't be used maliciously

it does about 2 mil a second... I think

1ghz is 1 billion cpu cycles per second

I think that's a good point of comparison for how muck work is done

I imagine "check one password" would be thousands, tens of thousands, or even hundreds of thousands of CPU cycles

I don't want to dedicate my whole computer to testing a brute force program...

that's why people build dedicated machines for that :) at work, we have a "crackstation" with 6x2080Ti cards in them solely for cracking hashes

:D

it's also why you wouldn't start by brute forcing @cold fossil

you'd have a list of dictionary words, most common passwords, etc, etc that you'd run through first

ya...
I need to find one...

common passwords list?

a dictionary is easy to find, a common password list also

Passwords are interesting in that sense. UPPER [26] + lower[26] + digits[10] = 62. Make a 32 character password, and you have 32 ** 62 - or you know, only 2085924839766513752338888384931203236916703635113918720651407820138886450957656787131798913024 possibilities. 😄

exactly...

but all it takes is single correcthorsebatterystaple and your possibilities are massively narrowed

bet that's in a few rainbow tables

But you cant determine a part of the password of a larger password through a hash

no but the length of your password is irrelevant if it's commonly used

which is kinda what i meant

Password databases!

i'm a big fan of the HIBP api

the breached passwords database is an excellent filter

@lusty flare How would you use it?

i want to use it on active directory for a customer

but they're a grumpy guts and wont pay for it

I mean more, how would you implement it? Packages? Etc

there's a decent guide on integrating it with AD

i gave it a read a while back

I mean more, implementing https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

probably compare on password creation and regular checks on existings

hash locally and send the first n bytes of the resulting hash to hibpasswords

that's how the browser client does it

@thorn obsidian Sure, that's what that link talks about. Just curious if there's an easy way to implement this into a site.

aye, there's an API if i recall correctly

yeah

can just plug it into the password creation/modification routine

it costs moniz now though

orly

like $3 a month iirc

oh that's decent

yeah

he was fed up of it being abused by people checking addresses etc that'd been in breaches

clearly malicious usage

so he put a low fee on it

still haven't managed to sell my HIBP service to any customers :|

@lusty flare You sure? https://api.pwnedpasswords.com/range/90910 works just fine

maybe it was just the email address part

Edit: Just to be crystal clear, this doesn't impact Pwned Passwords. Cloudflare picks up pretty much all the costs for running that so the service is still freely accessible.

ahhhh

Surprised they're doing a SHA1 lookup..

well it's not like they're actually storing passwords

i suspect it's for performance reasons

It's more that, you'd need to take in the user's input and then sha1 it to do the check. Then if it was good enough, using argon2 to store it in the DB.

yeah

https://www.theregister.co.uk/2020/02/26/zyxel_security_hole/

The devices' weblogin.cgi program fails to sanitize user input

niiiiiice....

10/10 in severity

and no back patching for out of support devices

what

i have literally found and reported this bug before in a pentest

but that was a different zyxel device type

it was SO bad

it's soooooo bad

they also serve their firmware over FTP still

it got a "not ready for production" warning

their web server (which runs as root btw) crashed so much (due to memory corruption) that they decided to simply run it in a while true loop

god i wish i was joking

haha

i've rocked up to a few sites that've had them as routers

straight in the bin

replaced with drayteks

Zyxel in general is trash. Even as residential devices, they're trash.

yeah

ISP's often bundle them with connections

Hey

i am new

so, how much do u guys think that Python is likely to be the shield for Computer Security algorithms and security matters?

if you mean cryptography with computer security algorithm

you dont want to write those in python

but python is used for lots of automatisms etc in cyber securiy for sure

Oh ok

Actually I am new to this grp and Python that's why.

I think python is mostly used to run security check programs, or audit

which is a better lang to learn for a beginner in cybersecurity? python or c++

python... easier to read but c++ is more powerful

Really depends what your goal is I think. Cyber security is a vast field

thanks

try and at least grasp C/C++ as a lot of exploits are written in them

how secure would you say using GitBash to make a chat room would be?
I have my ways of doing it but what would you say?

That question doesn't make sense to ms

At all

nvm...

learned it was a bad idea...

What you said above there doesn't make sense

You don't use git to make software you use git to version it

And that's always a good idea

pretty much it would take input from a user and update a github file.
Then the terminal would print updates to the file.
This would let people who are watching it to see the terminal and talk
in theory

but it was a bad idea

prohacker26

lol

that name

"you use git to version it"

@inland palm you should never ever ever write your own crypto, regardless of language

That said, there are very good libraries out there

Use those

That said, there are very good libraries out there
@hollow moth Oh ok, i will from now onwards. Thanks for the tip 🙂

@inland palm for example, werkzeug (which comes with flask) has a function that salts and hashes a password with one function call

So, i kinda need clear something hashes

hmac library for signing stuff that you might need to later prove came from you

Um

abt*

Ok ask

So, basically the question is on what level is Hashing a password important?

@inland palm very. Passwords should never be stored in plaintext

You don't need to know what the password is, only that the entered pw matches the pw from signup

That way, if the db is ever leaked, it is very very difficult to determine what someone's pw is

@inland palm make sense?

Yeah. That does it.

passlib comes with argon2, which is what you should use for passwords

https://passlib.readthedocs.io/en/stable/lib/passlib.hash.argon2.html

I am creating a JWT and I am getting a ValueError because it cant deserialize key data. I have created a private.pem file and I read it each time I want to create a key

This is a part of the pem file

    headers = {'alg': 'RS256'}
    payload = {'userId': str(User.username), 'iat': time.now()}
    key = read_file('private.pem')

Why would you show us your private.pem?

to be fair it's only like 10% of it

^^

does anyone know anything about IPv4 addresses and subnet?

Just ask your specific question. If somebody knows, they'll respond.

is secrets.SystemRandom().random() recommended for salt?

@regal stone For a password?

Yes

I'd personally use https://passlib.readthedocs.io/en/stable/lib/passlib.hash.argon2.html

ok I will see it

>>> from passlib.hash import argon2

>>> # generate new salt, hash password
>>> h = argon2.hash("password")
>>> h
'$argon2i$v=19$m=512,t=2,p=2$aI2R0hpDyLm3ltLa+1/rvQ$LqPKjd6n8yniKtAithoR7A'

>>> # the same, but with an explicit number of rounds
>>> argon2.using(rounds=4).hash("password")
'$argon2i$v=19$m=512,t=4,p=2$eM+ZMyYkpDRGaI3xXmuNcQ$c5DeJg3eb5dskVt1mDdxfw'

>>> # verify password
>>> argon2.verify("password", h)
True
>>> argon2.verify("wrong", h)
False

Pretty good docs, and great package in general. I use it in production.

personally I use werkzeug.security

sha512 into 150k or 500k rounds of pbkdf2

Yup werkzeug is very very good

argon2 is a better algorithm, considering sha512 wasn't designed for passwords in mind.

yaaaay

letsencrypt bugs

https://arstechnica.com/information-technology/2020/03/lets-encrypt-revoking-https-certs-due-to-certificate-authority-bug/

time to go find out which of our customers have been hit

not supposed to be working today but urrrgghh

I got an e-mail yesterday about that

Sent some messages out to a few contacts who I knew would be affected. Lack of sleep yesterday made me forget about posting it here.

i don't check my work mail outside of work hours

aint gonna be no digital work slave

how would a discord token be fetched programmatically

before it used to be stored in local storage which could just be parsed on the filesystem, but it's not that clear anymore and everyone only finds it now through the authorization headers

why do you need this?

so i know about potential attack vectors that malware can utilize for pc defense reasons

... or you could be using this knowledge to make malware (or even if you had a legitimate reason to fetch the token, I don't see what you'd use it for that doesn't break the ToS)

seems shady

ya but that's not my intent

i am just genuinely curious

how a malware would do it

because ive had my token stolen before

somehow

maybe it isn't your intent, but it might be someone else's in this server who happens to be reading this channel

yeah i wouldn't help with stealing tokens

just because it can be used to break the tos doesn't mean that talking about how it would be done is breaking the tos itself

anything can be used to break the tos

the way i see it, the more ppl know about it then the more awareness it spreads as well so it balances itself out in the end

!rule 5

it doesnt break laws

and its not against the tos

may breach terms of services, may be considered malicious

ya but it doesn't

token stealing definitely fits in that category

it's not stealing

who said i want to steal

i asked how it could be scraped off my own pc

i don't see how "scrape off my own pc" is any different from "scrape off someone else's pc"

i still think your point is moot
you can use any knowledge maliciously

how do you know someone asking for help recording keystrokes

isn't using it for malicious reasons?

it "may" break the tos too

<@&267629731250176001>

it teaches ppl how to keylog

no reply to that i suppose?

I don't see how scraping tokens can be used for any legitimate purpose

just ping the mods and dodge my reasonable counter argument, i have no malicious intent as i said, my token was stolen before and i was wondering how a program would do that since it's not as clearcut as it was before

have you read anything i said

you are just assuming my intentions

they're correct, we don't allow discussions about anything easily put to malicious use and we don't care about intent

https://i.imgur.com/CsxPqj9.png

what about these 150 messages?

a keylogger is far more likely to be used for malicious reasons

we agree. we don't allow keyloggers either

that's weird because there's tons of legitimate programs that would want to record keystrokes

don't care

anything else?

may as well just ban all programming topics then

since anything can be used maliciously

are you going to delete those 151 messages

yes, welcome to the slippery slide argument

that talk about keylogging?

probably not

i'm discussing your own messages

so i guess you don't really care

ya but

now i am talking about those messages

you should clear them

very nice "whataboutism"

if you really care

i mean

if you care about ppls security

and your own rules

its not a good example then

!tempmute 368959108826529802 1D Seems you don't really care about what staff is indicating isn't allowed, you just want to argue your point. Go away for a while.

to leave them up

:incoming_envelope: :ok_hand: applied mute to @mystic hawk until 2020-03-06 11:08 (23 hours and 59 minutes).

It's beyond me that such a rule exists

Anything in infosec would break rule #5

There go all the malware research ever

if you read any of the regular chat history of this channel you'll find this is not the case, no

and there's a distinction between "protecting yourself against X and Y" vs "being able to pull off X and Y" - ie, "how do I protect against SQL injection" (use parametarized statements) vs "how do I perform SQL injection"

But don't all "write-ups" fall into the latter category?

uh, yeah, they do.

Should I not share write-ups here?

i generally wouldn't see an issue with sharing write ups on specific vulns, i've posted my write ups before with no issues, the issue arises when you're helping someone who has asked to do something which can be considered malicious, ie "how would I programmatically steal tokens"?

I had to do that for a bug bounty report recently, so I don't think it's exclusively malicious

Yet, I get your point

Btw, @thorn obsidian, mind sharing your blog/write-ups?

sure! I've removed some of them due to reasons, but https://neonsea.uk/blog, security related writeups are the ones with the CVE tags (and some without any)

i haven't posted anything recently due to being actually employed as a pentester

just haven't had the time to research things in my free time and I obviously can't post work-related findings on the 'net

Sweet!

I'll read some

have you posted anything publicly? @magic rain

I've done some guest-blogs and collaborations

I was a part of https://edoverflow.com/2019/ci-knew-there-would-be-bugs-here/

Currently waiting on a vendor to fix a vulnerability so I could publish its write-up

that post is very interesting.

Yes Indeed

Was fun to work on

hey guys

how to create a digital certificate

usually you'd do it with something like openssl

and if you're after something that's not self-signed, letsencrypt is always an option

I use letsencrypt; after spending quite a while searching for helper code, I found one that's easy to use

https://gitlab.com/offby1/teensy/-/raw/master/ssl-thoughts/letsencrypt.md if anyone cares

cool

any advantage of lego over certbot other than ease of use?

i've got certbot managing my nginx shit using plugins and stuff (so it automagically reloads the sites when ssl is renewed), can lego do something similar or will I need to script it?

i still have a shell script managing letsencrypt

set it all up before there was proper support for nginx

Speaking of nginx

Learned this the other day

Had no clue nginx would just apply your first configuration if the host header was random

"Why why why why why why" — Chandler from Friends

"random"?

If it's one you've not specified to capture

ah, undefined

yeah, quite often you can slap in the IP address of a host and get the default server

the bit that frustrates me the most is not being able to blackhole the host IP on HTTPS

aha

Well, Cloudflare blocks all types of host fuckery

yeah

Cloudflare everything, my friends

i think they used to use nginx to handle requests

Interesting

read a thing about it a while ago

I'd be scared af if I had nginx running on a huge infrastructure

Day by day, I learn new quirks

But that's probably with everything

The Internet was a mistake

well, at least it's not apache!

am i right?!

:D

Oh god.

https://blog.cloudflare.com/end-of-the-road-for-cloudflare-nginx/

that was the thing i read

Does it have tips on how to not mess up?

I have a proof-of-concept server running on nginx that is worth more than gold

what'd you have trouble setting up in particular?

Nothing really. It's just the surprise aspect of learning the "host" quirk

20 employees

Jesus! That's not enough to manage nginx

😆

sure it is!

all their stuff is done programmatically

i manage an nginx server for work

not that tricky

Did you know about the default_server business?

What do you people read to discover that?

the documentation

:D

Classic.

apache has this "problem" too.

Yes, I was told by a friend

I mean, if nginx has it

then apache must too

With Apache's complexity (or attack surface), I'd be even more paranoid

the only reason apache has a higher attack surface is the vast amount of mods you can bolt into it

at this point in time there's very little reason not to use nginx

Agreed

I suppose I should try launching a "test" Apache server just to learn things

Virtualization is a good way to learn

nothing beats fucking it up in virtual first

fuck. you.

3 uppercase, 3 lowercase, 3 numbers and 3 symbols?!

must be at least 8 characters long
3 + 3 + 3 + 3 = 8

:D

galaxy brain microsoft

and i'm in the wrong licensing portal anyway

yo

idk if this is the right channel

but

i wanna do cybersecurity but im not great or big into programming

i wanna do pen testing

should i just change my degree

generally, pentesters also know and do programming on the side

without programming knowledge, you will feel a bit lost

How does STIR/SHAKEN deal with text messages? Because I feel like it doesn't do anything with SMS/MMS, and that'll be the next step for malicious parties. 🤔

https://www.theregister.co.uk/2020/03/05/virgin_media_subscriber_data_leak/

womp, as they say, womp.

marketing database – containing names, home and email addresses, and phone numbers, and some dates of birth, plus other info – had been left open since mid-April 2019.

mother fuckers

hah, their response is gold too

We have put all of the latest information on our website, including some advice on how to stay safe online, such as:
[...]

• How to be vigilant by not providing your personal information to anyone suspicious online, by phone, email or text.

also telling people to use strong passwords when their own password policy has a 10 character limit and doesn't support symbols

Lmao

I mean, if they couldn't manage locking a database up, how are they giving such advice?

well, they all have to have a password policy

it's just most of them never follow NIST guidelines

fuckin' reminder

https://twitter.com/virginmedia/status/1162756227132198914

their twitter is a gold mine for security lol's

this is an old write up, but it's gold.

https://paul.reviews/virgin-media-youre-only-as-secure-as-your-weakest-link/

dob in password recovery page (secret question + dob) being stored in source

security question was "Its A SeCrEt" or something but lower case and no spaces was accepted

that's from like 2014, but still

Let's Encrypt has halted its plans to cancel all three million flawed web security certificates – after fearing the super-revocation may effectively break a chunk of the internet

think you pasted that twice

https://tenor.com/view/curse-you-aukerman-comedy-fist-gif-5620082

curse you synergy!

Joke's on you, I already re-did my certs!

same, i didn't even get the heads up email either. just thought it better safe than sorry

https://security.googleblog.com/2020/01/say-hello-to-opensk-fully-open-source.html Another thing they'll abandon in 6 months

that's someone who's not getting a promotion

should've worked on a GMail redesign

https://www.theregister.co.uk/2020/03/06/nordvpn_no_auth_needed_view_user_payments/

nord VPN having a shit one this past...

uhhh.

a while

that's a staggering fuck up

That's pretty bad, yeah.

"Such reports are one of the reasons why we have launched the bug bounty program. We are extremely happy with its results and encourage even more researchers to analyze our product. This is an isolated case that potentially affected only a handful of users, due to the implemented rate-limiting. Theoretically, only email addresses could have been seen by a third party."

that is not how you respond to a failure like this

potentially and theoretically are doing some heavy lifting there

this was an isolated case

doubt it

99% of the cases, if it's possible to read data unauthenticated from one endpoint, there are also other endpoints like it

i also scoff at the idea it only hit a small number of users because of rate-limiting

"oh no, i've been rate limited... better wait for a bit before i siphon off more data."

said no malicious actor ever

Is sha256(email+timestamp+sha256(password)) secure ? Given that the attacker knows the value of the whole expression, email and timestamp, is it easy for him to guess the password ?

Well sha256 is not secure anymore for passwords because it's too fast for computer to calculate, no matter what you put into it.
Just use a proper password library like argon2 or something.

@north fern No, it's not secure.

You honestly have no excuse to not use argon2

https://passlib.readthedocs.io/en/stable/lib/passlib.hash.argon2.html

I thought so. I'm not implementing anything, I was examining an API I might have to use

Oh, ew.

Given it's via https it's probably not the worst. I mean whenever you login to a website you're sending your password just like that.

It's an URL param

@wraith violet There are levels to https though

Totally different from TLS 1.3 with strong ciphers, as opposed to SSL 2

https://wiki.apix.fi/display/IAD/Rest+API+for+external+usage#RestAPIforexternalusage-AuthenticateByUser

Also using certificate pinning, hsts, etc

@north fern That's a horrible design

To be sure I understand.
SHA256 is quick to compute, so it makes it easy to bruteforce anything, right ?

In that case, attacker brute the first whole expression, he knows he has the right guess when the email and timestamp that he knows are correct and then he most probably has the password hash in a dictionary (rainbow table) ?

SHA256 is also used in Bitcoin, so there's a lot of processing power used toward it as well.

So it'd be pretty easy to find something cheap designed specifically for SHA256

And you would do something like that ?

for nonce in all_256_bits:
    hash = sha256(email + timestamp + nonce)
    if hash == digest:
        break
password = rainbow_table[nonce]

some of those ASIC devices are insanely fast

Well, we won't use that provider xD

i mean, it's academic to talk about breaking a hash that contains a butt load of combined information i think

oooh, the attacker knows the email and timestamp

my bad

@north fern Also, your code above is only using 3 space indents

👍

I typed it directly in Discord ^^

The if is off as well 😛

I'm not actually trying

But I'm curious where they're pulling the nonce if they're winging their hashing

Considering setting up argon2 is pretty easy. You verify the user's input is what you have hashed with your sha256 hash, and then replace it with the new algo.

I use industry standards and trust them. I hope Django has my back.

Anyway, thanks for the answers

No problem

I wouldn’t be comfortable inputting a timestamp and email into the hash

It serves no good purpose

It's very much why you don't wing it

Now that I think about it, isn't it pretty much how JWT works (https://jwt.io/) ? And there it's even worst as you guess the server secret, not just one user.

that is not how jwt works at all

and i don't see how you're going to "guess the server secret" seeing as it's usually 4096 long

I was about to say it ^^. It's much harder because server uses a really strong secret.

you're not supposed to send sensitive data (such as a password) via jwts

jtws are simply signed tokens to prove authorisation

you pass it to a server which can check that the token is valid (and not forged by the user) by seeing whether the cryptographic signature matches

but I do think it's similar:

response = request(user=my_own_username, pwd=my_pwd)
header = response.jwt.split('.')[0]
payload = response.jwt.split('.')[1]
digest = response.jwt.split('.')[2]

for nonce in all_256_bit:
    hash = sha256(header + '.' + payload, nonce)
    if hash == digest:
        break
server_secret = nonce

what

no

what is this

no

this is not how you do jwts at all

No ?

Right

https://jwt.io/

I read this but I didn't understand apparently

let me read again

@thorn obsidian I didn't mean to create a JWT, I meant to break it. Above, I make a legit request to a server with my own credentials, I receive the response which contains a JWT and using that JWT I try to guess the server secret.

You're not going to guess a server secret. It's 4096 characters.

I agree, it would take too much execution time, but the above code is correct, isn't it ?

I knew it wouldn't work, or else we'd be many to be screwed, I wanted to know if my reasoning was correct.

i mean, yes

i guess

ah sweet

just noticed a fail2ban IP

CIDR:           52.224.0.0/11
NetName:        MSFT
NetHandle:      NET-52-224-0-0-1
Parent:         NET52 (NET-52-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       
Organization:   Microsoft Corporation (MSFT)```

nice.

Read the following if you don't want to get pwned using JWT: https://research.securitum.com/jwt-json-web-token-security/

Also lol

@north fern How the heck will ya crack a JWT token?

impossible

@magic rain I don't want to, just wondering stuff about the theory

Gotcha

something to note here: tokens themselves, in their current state, can be considered "uncrackable" with most algorithms

however, certain implementations can be broken

for example, there was very common implementation issue where most implementations blindly trusted the user-supplied alg parameter, which meant you could in practice spoof signed tokens

you can learn a bit more about this here: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/

what is a secure webserver implementation in python that is most similar to the simplehttpserver ? I am having trouble finding the right search terms it seems. I am trying to re-write an old game from php to python and I need a way to handle web requests simply. once I have a first draft re-written I plan on refactoring it to use a more robust system, but I need to be able to test it on the open internet and I want multiple layers of security so server authentication is just one of many options I want including a secure python server

youd want to go for a framewokr like flask or django with something like nginx and gunicorn infront of them

thank you lol, I seem to be the person everyone ignores when they ask a question! I am planning on using nginx and mitmproxy with snort and have the application running in a debian VM. I just don't want people using any tricks I'm not aware of and accounting for in the higher levels of the service

I'm not a web app security person lol... well t least not on the production side rofl

@orchid notch what about twistd?

twistd is for twist applications

i dont thing you want to write a webapp in twist unless twist has changed in the last 2 years

Twisted is great, but I don't believe they have a web server: https://twistedmatrix.com/documents/current/

Like Nix said up above, you'd want to use flask/django with nginx/apache and gunicorn

Oh, looks like they do have one. Never used it myself though:
https://twistedmatrix.com/documents/current/web/howto/web-development.html
https://twistedmatrix.com/documents/current/web/examples/index.html

hello

any ctfs ?

django + apache = goals

flask is one underpowered web framework

it is designed to be minimal and easily extensible

if your critisizing flask for not being a fully fledged thing like django you havent understood it @thorn obsidian

It's disappointing there isn't a system like STIR/SHAKEN that can handle SMS/MMS 😦

how do I handle collisions in https://docs.python.org/3/library/secrets.html#secrets.token_hex ? Try again? Use something like uuid instead?

Let's see

If you get yourself 64 random bytes the probability of a collision is 1/2^64

I need to generate refresh tokens for my app, I'm planning to use 48 bytes

That's round about

Okay 48

The probability of a collision is 3.5527137e-13%

So

If you don't happen to really create a lot of tokens you should be fine

Actually no

That's bs

The probability is 1/(2^48)*8

yeah

so do I retry if collision happens?

or add 1 to value and try to push it to db again

You can be very much sure a collision never happens so retry

but isn't that a probability of 2 tokens colliding

what if I have 100 000 saved tokens and 1000 of them are regenerated every day

Yeah that's a much higher probability then

But still in the millionsth of a percent

virgin lied about their 900k breach

https://www.theregister.co.uk/2020/03/06/virgin_more_leak_details/

they said it was "limited contact information"

• Full names, addresses, date of birth, phone numbers, alternative contact phone numbers and IP addresses – corresponding to both customers and “friends” referred to the service by customers.

• Requests to block or unblock various pornographic, gore related and gambling websites, corresponding to full names and addresses. IMEI numbers associated with stolen phones.

among other information

well, it's "limited" because, in theory, it could also include their pets' names, but didn't.

if anyone wants to help me develop a EH system, DM me

@random peak EH system?

"ethical hacking" is the only phrase i know of that the acronym "EH" stands for

but I have no idea what an "ethical hacking system" would be

yeah a ethical hacking system, it would be a python program that has hacking abilities, but would only be used for ethical puposes

uh yeah no

!rule 5

It wont be used to break the law. Its ETHICAL hacking my guy

@random peak Doesn't matter, rule 5 still applies here

just because you slap the word "ethical" on it doesn't mean it suddenly can't be used for illegal purposes

It Could be used for illegal purposes, but im not selling it. Its for my use only. If you dont want me to advertise for help thats fine.

again, the rule doesn't care about intent, it specifically states "projects that may break laws", not "projects that will"

True true. Ill stop advertising it.

thanks dog

Np

hey @thorn obsidian wanna help me with the development of my ethical missile?

it'll only be used to deploy bananas to people who need them

🙄

I get your point

hey guys I have a question about https and vpn. When I make a get request to web server over ssl, can a vpn provider see data content?
a friend of mine needs to connect a to vpn server to file a tax return online. He is afraid of sharing his credit card information with the vpn provider

with https (which should use a sufficiently high version of TLS, the successor of SSL, which is now considered insecure), the content of your requests (and responses) is encrypted. Your ISP or VPN provider would only see the target IP of the web server (and your own), as well as metadata like the transmitted size and timestamps. The actual URL and content should theoretically be safe.

but vpn provider makes the request on behalf of me in this case I would assume vpn is more like a father that needs to know everything to make the request since I cannot do it directly. If vpn server and the web server talk TLS then VPN provider can also decrypt the response To my knowledge web server doesn't know about me.

@tight abyss How come ISP would see the target IP of the webserver?

Somebody needs to know the ip to route your connection. Normally this would be your ISP. If you use a VPN, the VPN provider would get to know your target IPs, whereas your ISP only sees you connecting to the VPN server.

The VPN server does (should/must) not intercept and decrypt your https traffic.

That would be a man-in-the-middle attack. And unless they have installed a root certificate on your machine, you would notice that when you visit any https site, because only the original web server has the correct private key for its certificate. Any man in the middle can not re-encrypt traffic and make it look like it came from there.

https://twitter.com/malwrhunterteam/status/1237438376032251904

aw shit, here we go again

sigh

Recommended workaround according to Microsoft is to block any connection to your SMB server from outside the network and enable some option that disables compressed packets

However they do note that smbv3 client is vulnerable as well^^

And there is no workaround for that so a vulnerable server should be able to take windows 10 machines over

Yay

yeah

i mean

now it's out, surely they have to release a patch out of band

https://www.theregister.co.uk/2020/03/11/windows_xp_ministry_justice_vpn_workaround/

woah, this latest patch round is stuffed with stuff

CVE-2020-0852, a remote code execution flaw in Word.
viewing a specially crafted file in the Preview Pane could allow code execution at the level of the logged-on user

SAP's just patched a shit load of +9 rated ones too

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305

more deets

https://securityaffairs.co/wordpress/99340/hacking/cve-2020-0796-smb-flaw.html

deeeeeeeeeeeeets

wonder how easy it'd be to get people to click on a samba share link

guess not

Does this paragraph mean scan files with antivirus?
The application should perform filtering and content checking on any files which are uploaded to the server. Files should be thoroughly scanned and validated before being made available to other users. If in doubt, the file should be discarded. - https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload

yes.

Thanks.

this is easy to test with the EICAR test string

Thanks! That's very helpful.

specifically, this is V12.4.2 in ASVS 4.0

https://www.owasp.org/images/d/d4/OWASP_Application_Security_Verification_Standard_4.0-en.pdf

Should I read all that?

no, it was just for reference, can do CTRL-F "12.4.2"

Oh, ok 🙂

the stuff in there is useful to know, though

a lot of the things there you don't normally think about

That document seems interesting, think I will read anyway ^^

Thanks again.

lets say that I have my credentials (like a google api key, postgres password, discord token, etc) - outside of environment variables what would be the best way to store them securely?

i thought about hashing + salting but would those not require me to also store the hashkey and salt to be able to decrypt them thus making it irrelevant.

P.S. I am very new to this subject matter so I would be grateful for any input :)

There is no such thing as a hash key

Hash functions do not have an inverse function

If you want to use your passwords inside a program use environment variables, it's the simplest way

At the point where an attacker can start reading your environment variables they do most likely have access to the user account that has the env variables set anyways > they control the process that's using the passwords and could probably take it over with a little effort

So

Wether they just read the passwords from the environment vars or your program is not really something that matters at this point

do environment variables persist across sessions. so that if i had a power outage or whatever, i could just start back up the process without having to enter 3-4 api keys

Well you can just put them in certain files that get sourced when something logs into your account like your .profile or .bashrc or whatever

and those files are secure?

Point of env vars is not to hide the passwords from attackers but rather avoiding to commit them into a public repository

Security is always relative

secure unless someone gets access to my pc

If you set permissions on them so nobody except your user can read and write it's kinda secure unless the attacker gets access to your user account / an admin account

okay, that beats having them in a json 🙂

you could still have them in a json, just restrict who has rights to that file.

but env vars is best practice

I have to set a minimum size of file to prevent denial of service attack? It doesn't specify a size.. and I don't understand why it would matter, so can't pick one myself (for image file upload). https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload

i personally wouldn't pay much attention to that

Ah ok. I won't either then. Thanks!

it depends on your application

It's a facebook clone for learning purposes 🙂

if your application or server doesn't mind a ton of small files, it's fine

Well I plan to put them in images/year/month/day/hour/hash.png like here https://stackoverflow.com/questions/2648664/image-upload-storage-strategies

So should be fine I guess.

sure, why not

use GMT times plz

UTC or bust

@thorn obsidian well technically a ton of small files could consume all inodes in the file system and cause a DoS attack no?

https://www.theregister.co.uk/2020/03/11/secret_sharing_app_whisper_shared_secrets_in_exposed_database/

oh hay, more breaches

that's a lot of meta fields

@proper sedge ?

hey

How would you create a SQL Injection defender?

using python

can't imagine what that would be

I am trying to figure out how these things called "snipe bots" work. Basis of the type of script is that it constantly checks the price of an item through an api then makes a post request to another api in order to purchase it. In the current marketplace I've seen it used, its gotten pretty competitive to the point where people are having 2 ms response time to the market's server.
What I am trying to figure out though is how come with most of the top players using the same vps to run their script meaning they roughly have the same response times are able to beat someone else using the same server.

I've been just running a loop that makes get requests to price check using requests's session and when the price is low, make a buy request.
I've timed the total request time to roughy .04 seconds to make the price check, a second get request to grab seller information, and the last post request to make the purchase. The time it takes for just getting seller info and making the purchase is .02 seconds

Is there something out there that is faster than requests's session? Would running multiple threads along side each other help at all? Is python limiting the speed? The vps I have has the possibility to setup multiple ips, with this could I force requests made to originate from those ips instead of all on the main ip?

I've tried C++ using curl to the best of my ability and its within margin of error in terms of speed but can run more threads. More threads however seem to make the requests overall slow down / "stutter" in speed.

this sounds like it's against the marketplace's terms of service

yeah, that does sound a wee bit dodgy

Can Bs4 & aiohttp download and run a trojan?

Mostly asking as windows defender popped up saying it detected a trojan after scraping a site, aand deleted my script

if bs4 is saving anything to filesystem, yes

it can save malicious shit, yeah, but it shouldn't execute anything

but regardless, any files saved to disk are scanned by defender, which even picks up on shit like cryptominer js scripts, i think

Defender is great

I don't believe it stores anything

it's all just in memory

What was the warning?

I forget

lemme find teh google search i had of the trojan

Trojan:Script/Oneeva.A!ml is what it found

Anything other than that?

Location, etc

I forget, i can see if there are any logs

I just know my .py file was gone when i hit remove

Yeah, it's targeting the script

Huh, interesting

There's not much to go by

And given it deleted the file.. Can't really show the code

I forgot to commit it :(

actually, found a recover option

Did my research first, couldn't find anything disallowing scraping of the site 🤷‍♂️
https://paste.pythondiscord.com/agudajivav.py

Is the file it quarantined

Nothing out of the ordinary it looks like

Yeah, i can't quite seem to figure out anytihng either

Do you recon its safe to just ignore then??

I'd break it down into smaller chunks and try and get the smallest bit that still triggers it

See which part does it

I've been using it steadily for 4-5 days now

Haven't had any triggeers before then

Huh, weird

Huh it found the "trojan" again 🤔

Ok what...

I saw it deleted the file again, so i backed it up into a seperate file named backup.py, and windows defender instantly snatched it. This file isn't running anywhere

Weird

Yeah, I'd break it down into smaller parts and find out what's going on

It started happening after the unsubscribe part i believe 🤔

I scanned a file with URL = "https://www.worldometers.info/coronavirus/#countries", and one without and windows tripped up on the one with the URL

It's a weird mix of the url being present, and the structure of the code

Any other url wont trigger it

Huh. That's weird

how can I write a test case for this one? I have already a interoverflow with the proof of concept , but I would like to know how can I write a oob r , and oob w for win32 bug c++

Out-of-bounds Read

Integer Overflow or Wraparound

Out-of-bounds Write

https://blog.doyensec.com/2020/03/16/vscode_codeexec.html

VSCode code execution via the bundled Python extension.

Seriously just a pop up would work

"Would you like to load this venv"

when i try to install kali linux on virtualbox, my anti virus keeps coming up with detected malware. is kali infected or is my antivirus just being very cautious?

I’m trying to do penetration testing

anyone here

how can i use the foramt string specifier to read the contents of a specific memory address

i tried to brute force using this thus far but to no avail

python2 -c 'print "xxxx" + "%1$p"' | ./medium

nvm i got it

@tranquil basin i suggest protostar

for learning reversing

i did this python2 -c 'print "\x60\xa0\x04\x08 %14$s"' | ./medium

i had a eureaka moment lol

im so happy rn

what is protostar

dw

@tranquil basin

https://exploit-exercises.lains.space/protostar/

protostar is light weight linux based distro to run in VM

it has about 20 exercises

for buffer overflow

the system doesnt have security measures in place nor any other stuff installed

on purpose

for practicing privilege escalation

tyy

who can help me with pyarmor?

!ask

i want to encode a python file, but if i do that there comes a whole map named 'lib' along but if delete that map the file exe file doesn't run

can anyone help me with that

@languid quartz Windows and any antivirus it contains often pins down pentesting tools as unwanted.
I would recomend checking your downloaded files hash if you are unsure - if it matches then fine. If not then you may have a interfered with file
Also is the AntiVirus annoyed at the Virtualbox system or the .iso ext of kali linux itself

figured it out @strange locust they were just being extra cautious

OK

thats rather normal

If you want to keep learning pentesting then I would recomend installing both nMap and Wireshark in windows. Observing your home network is very interesting

I wanted to nmap my home machine from the outside, so I ran nmap on my ec2 instance. I soon got a stern letter from AWS telling me how I could reactivate my account 😐

have nmapped plenty from my digitalocean instance with no issues whatsoever

AWS have a strict policy on using network security tools

i think usually if you're getting smacked by them it's because you're running it too aggressively

https://www.theregister.co.uk/2020/03/18/smb_loan_app_leaks/

... the app stored documents like bank statements, photocopies of driver's licenses, credit checks, and even tax and social security information – all in an unsecured AWS S3 storage bucket. Though the app was defunct, that bucket remained online and configured for public access.

https://youtu.be/AthT8kw7CIo?t=45

is it me or are big breaches up this past month?

oh and hey someone finally did a proper audit of that US electronic voting app

https://blog.trailofbits.com/2020/03/13/our-full-report-on-the-voatz-mobile-voting-platform/

even the blurb of failures is worrying

seventy-nine (79) findings: forty-eight (48) technical and thirty-one (31) in the threat model.

Sensitive API credentials are stored in the git repositories (TOB-VOATZ-001).

hah

https://github.com/trailofbits/publications/blob/master/reviews/voatz-securityreview.pdf
and
https://github.com/trailofbits/publications/blob/master/reviews/voatz-threatmodel.pdf

Ouch

yikes

yeah doesn't look great

they were critical of a report by MIT and said "well they didn't have backend access"

and then this comes out when the testers do have access

could anyone clarify reasons for me why kali isnt a good choice for a daily driver except for root being a default user in previous versions

i tried other distros, but as far as routines for daily usage are concerned, i only need linux file system and gnome

i prefer debian based distros overall

i tried ubuntu myself, but still choose to use kali as daily driver with very limited usage of root privileges

Are reasons on the web not strong enough?

things are changing fast so old articles or messages on forums are of no use

i suppose i could pay official kali forum a visit

but i'd rather someone explained here

or at least engaged in a convo

https://www.kali.org/docs//introduction/should-i-use-kali-linux/

You always can, but that's like saying nothing can be hacked

i see that the second section is questionable security wise

what i just dont like is the idea of too many distros, and from what i've heard, many experienced linux people say what distro you are running doesnt matter much

my mindset is that all the functionality i need, everything im doing for work and daily stuff can both be achieved on kali, ubuntu or even non debian based distros, if it wasnt the case i would've switched already

"Kali is made exclusively for pentesting, with a modified and insecure kernel specifically for running certain pentesting apps better."
but is this really enough of a reason to just stop everything and forcefuly switch to another distro 😔
i dont want to be stubborn though, it's just that from some people i hear "dont use kali as daily driver", and from the others "it doesnt matter what distro you are using"
im just a confused fella

how secure would you say this is?https://paste.pythondiscord.com/cukatoyalo.py
This is for personal use btw

did you write this to make a point

or are you genuinely asking

Kind of both...
I am making it as a self project and want to know

i do not see any features which would imply any sort of security

well it's good practise not to echo passwords back (let alone print them!)
use getpass.getpass
for your Y/n you can use .lower and check once
can also condense the logic to one line like username = input("Confirm action (Y/n): ").lower()
you should break your code down in to functions that do specific actions
i would recommend having functions for create_account and log_in
you are storing passwords in memory which is fine, but not very useful if you restart the program. youll need to use a text file or database to store usernames and password hashes. do some research on password hashing if you're interested about how that works

no hashing (credentials stored in plaintext), no lockouts, passwords are echoed back etc

re: why you shouldn't use kali

it's literally just debian with most popular pentest-related tools preinstalled and some patches which aid with that

shit will break down the line, and you will have no idea why or how to fix it

I use my functions the way I have it because it is a part of a computer system I am making

there's really 0 reason to use it

I will work on updating it but wanted some feedback

@cold fossil Is this for some kind of password database?

No just something I started working on I’m my free time.
I still need to hash or something and add some brute forcing protection but I am not giving it to anyone but me

What are you hashing if not passwords?

Nothing but I am mostly using this for a learning experience

Ah, gotcha

Re: Kali

I think the tools available in Kali are indeed popular but not the right ones necessarily

New infosec tools emerge all the time

Probably as a consequence of the bug bounty boom

For instance, many tools such as Hydra can be replaced with ffuf

Kali will only box you into what's popular

It's too bloated anyway

as a counterpoint, there's nothing wrong with not using "new" tools if the old ones work fine

not as a defense for kali, just as a general thought

thanks

for answers

question regarding web sec

GET /file.js HTTP/1.1
...
Connection: close

Result: 200 OK with js content generated by node.js

GET /file.js HTTP/1.1
header manipulation
Connection: close

Result: 404 despite same endpoint, html generated by nginx itself

back end is running node.js which generates its own html for 404, which is not the one im getting here

you're not fucking with Host, are you?

no i am not

can you post the full headers for both requests? can omit sensitive stuff

i am messing with x-name-correlation-id, where name is a literal name of the brand that owns the domain, so its definately something thats being processed on the back end code

ah

GET /file.js HTTP/1.1
x-name-correlation-id: milk
x-name-correlation-id: cow
Connection: close

produces x-name-correlation-id: milk, cow in response headers

since its just 2 header duplications it still returns 200 and js

content

but when i make it an X amount it throws 404

but its attached to this exact header name

if i provide same number of duplicated headers with just different name but same value

its 400

from front-end

🤷‍♂️

how could it possibly throw 404 when yes i am messing with headers, but still request a valid resource

🤔

and how is it nginx thats throwing 404 not node.js

without knowing too much about the system in question, i'm something in between gets confused and shelves the request, and it gets lost in transit

just technically

nginx is offered a 404 from whatever load balancer, and generates its own 404 for the client

domain is using AWS front-end

but it doesnt have much to do with anything

i just dont get why would throwing /404 from nginx when i am requesting a valid resource

would be a default behavior

when i manipulate that very parameter name, and none other

you're sure that's default and not configured that way?

i couldnt know, i am the one assessing, basically a black box

can you reliably produce a 500 internal error otherwise?

@thorn obsidian what if i could

what would that grant me

nothing, i was just curious whether 500 responses are being rewritten as 404

i've seen that configuration in place quite a few times

:headdesk:

Hi, I'm using a digital ocean mysql droplet that comes with phpmyadmin, and it's currently configured to where the login can be accessed by anyone (you need credentials, of course). Should I make it so that you can only access the login page with my IP address or is it fine to leave it the way it is?

i prefer to keep it only with username and password

ips are a tricky thing

but keep the password as long as possible

if you're going to be the only person accessing phpmyadmin, you're on a static IP and you have other means to access the server

sure, why not

you could even put up an nginx / apache based login screen in front of phpmyadmin

Passwords + TOTP ( something like https://pyotp.readthedocs.io/en/latest/#module-pyotp ) + https://api.pwnedpasswords.com/ + Fail2Ban is a good idea 👍

i usually just only let things like that listen on the wireguard interface

that means that if i do need access to it (from any IP), i just click a button and it beams me up and i can access whatever

while not having it running on public-facing interfaces

https://tenor.com/view/wheat-buck-spaceship-beam-up-gif-15625826

didn't see where that one was going before i posted it.

was just going for a general up beaming

"light-years later"

fella

light-year is a measure of distance, not time

light-year, `how long it takes for light to travel in a year

it's time

actually.. it can be used in both ways

scientifically, it's used in distance

Like oh planet x is y light years away from planet z

you could say "and many miles later"

light-year, `how long it takes for light to travel in a year
@bronze grail that makes no sense

it takes light a year to travel a year

relative to us anyways

it's also not really a constant for measuring distance either because gravity fucks with it

Light-years later

Also, Physics sucks anyway

Is the approach of using a settings.py module for application configuration insecure? I don't mean cases where secrets have been added to settings.py (e.g. instead of into env vars), but rather whether the approach itself is somehow inherently insecure?

@frank cloak That's a perfectly acceptable way to do things especially if they are internal developer settings. If they are things you want users to edit, you might look at INF files or JSON or something they're familiar with that which will depend on your audience. I'll also mention that Python 3 does have a Config parser library, but that doesn't mean its the "right" or "only" way you should do this.

https://docs.python.org/3/library/configparser.html

With the big caveat about you saying these are not secrets... 😉

@elfin tree Thanks for the response, much appreciated. On the note about secrets, I'm not adding them literally into settings.py, but I am assigning them in the following manner: SECRET_KEY = os.environ['secretKey']. Assuming that that is ok. What about the mutability of the settings.py module attrs? Of course, them being mutable can be problematic in the sense that a developer might break something unintentionally, but is it a problem from a security perspective? I'm assuming if an attacker can somehow access the Python internals there are already bigger problems than them being able to mutate settings? Is that line of thinking correct?

@frank cloak yep, you're totally right

@thorn obsidian Thanks, appreciate the feedback.

@carmine merlin ask away

alright

when the white hats do what they do

how do they find the breaches

do they use the language of the source they're trying to find breaches for?

how does it work

Depends what you mean by breaches

well

bugs in the code that can be used in order to access the data you are not supposed to get, and change things

If someone's trying to find security flaws in a website or something, the first step is normally recon to find out what processes are running, etc

Yeah if someone has access to the code that makes it a lot easier to try and find things

so

white hats usually have access to the code?

I'd say no

I could be wrong but I'd doubt it, because most of the time it's closed source

I'm trying to understand

If they can find a way to get the code and then use that, sure

what is the programming next to the hacking

the programmer is the one who writes a code

a hacker is a person who exploits vulnerabilities in that code?

Programming is just a tool to do things

or in a network which brings us to a new dimension

alright

so all of the network stuff and hacking stuff are based on it

but programming languages

Well it really depends

how can a person know what he should use

The hacker?

if a person says "I want to get access to the data of a company"

how can he know what language he needs

Any language would work

what are the differences of the languages except for the syntax. Why aren't all of them the same?

I mean

some are faster and some have more libraries

Generally speaking there's not really any specific things that you'd need that can't be done in other languages

some have better GUI stuff and some don't

the internet usually compares between languages as of what they are capable of doing

It's just a matter of preference and stuff

when people compare anything to python the first thing they say "easy"

Yeah, and that's because python is very high level and simple to pick up

uhm

there's a big question I'm trying to ask but I don't know how

it's a complicated question

Alright

it's like

this world of hackers, programmers, network

it all starts from the basic of the mechanical stuff?

I mean

does a hacker need to know how each computer part works? I mean, you don't need to know how a nuclear reactor works in order to make a toast

you just put it in the toaster

Definitely for most things someone will need to know how computers operate on a low level

when you say low level

you mean the same thing they mean when they say "high/low-level programming language?"

Yeah basically

In C, you have to deal with where things are stored in memory

Which makes it 'low level' because you are much 'closer' to the actual hardware in a way

In python it does it for you behind the scenes

It's much more abstracted

so it's a high-level

Yeah

now I get it

but I still don't get

how a person gets to a place where he is a white-hat, gray-hat you pick the color

where does that person start in order to become what he is, or even greater

People can get into it from all different areas

It's very broad

it's a complicated question

I'm trying to ask questions in order to get into my big question and build-up an answer

I already got an answer for a part of it from you explaining to me what the high-low means

what I basically try is to pick a programming language

to learn

forget the easy syntax of python that every beginner should know

I already know the basic syntax of many languages

within the years I decided that what I want to learn is related to the internet

the networks

so I tried to find out which language is the best for it

A language that you know well is the best language to use

but

more languages are easily accessible to more things

so let me see if I got it right

when a "hat" tries to get access into something, how does he pick the language?

if that guy knows all the languages very well

I think generally there's not all that much python can't do another language can, so it's always a safe bet

another thing

many sources say that python is great for robots and stuff

I think I kind of got it

I remember the olympic games virus

I learned a bit about it years ago

it is usually known as "stuxnet"

yea

so

as I know

they tried to affect the matter world by controlling their data and stuff

to make the robotic system

do things

so

it was coded in C

and my guess is that it's because C is a low-level language which is probably the reason

it's like more related to the matter world, of knowing how memory system works and stuff. Did I get it right?

Yeah I'd assume so

alright

I think for now I'll go for python as it'll be easier for me to access information

👍

I have only one question left

the GUI's of python are terrible

for example in order to make a sorting algorithm I would have to use something like pygame

wouldn't I?

to make a sorting algorithm or to visualise one

is there a way to easily access the GUI and actually have fun coding with stuff related

rak I have another question now

are you there?

yeah

what's the question

GUI stuff?

no

more related to this channel

Alright

all of the things like metasploit

etc.

they were created in that language they are made of because of the creators that are probably better and more experienced with those languages?

or because they are the most compatible for their purpose

for example

Probably a bit of both

John the ripper was coded in C and asssembly

it's a password cracking tool

Yeah, that's probably for speed

I know lol

I know you know

I was about to continue the sentence but accidentally sent lol

I meant to continue with saying that since it's a password cracking tool it means that it's probably for speed

yeah

right

For something like that speed matters lots

For other things that you do once, not so much

and

the world of security

the public things

I've seen that people can very easily access cameras

one of the easiest things

people consider it simple

for example shodan

how does it work?

Most of the time things like that are just from badly configured stuff with open ports/default passwords

I see

now I think I got to a better decision

python or c/c++

also I've noticed that ruby is never talked about

people don't really mention ruby

why is that?

¯_(ツ)_/¯

alright

so what makes a person decide whether if to choose python or c/c++

I shall look over the fit

I will go for python vs C++

alright thanks

I'm going for python

I got an answer

thanks a lot

depends what you are doing to be honest. python can write things fast but is interpreted generally speaking which means it uses late binding. Where as C++ amongst many things is compiled which is early binding so generally speaking it is extremely faster than python. This is a vague overview but if there are specific points you are looming at let me know. For ruby don't bother in my opinion and do golang instead because that is extremely relevant now.

What python modules do you recommend for cryptography?

to encript and decript text

pycryptodome

but that question generally depends on what method of encryption you want to use

Hm pycryptodome is interesting so far and looks to be useful.

I wish I could figure it out completely though

What are ctfs

Capture the flags, online competitions

capture the flags, a game mode in multiplayer shooter games, like Doom 1993 and Quake

lol

im a doomer and thats how i roll

@thorn obsidian CTFs are competitions where you solve problems to earn points, with each problem having some amount of points based on it's difficulty. The problems involve finding some "flag" to solve them, in most cases a string you then enter into a box that checks if it's the correct flag. Problems can vary widely and touch almost all areas of security, from network traffic analysis, binary analysis, malware RE, mathematics and cryptography, and even language.

i started doing OTW again recently

hi, am i allowed to post a small security puzzle on here for people to solve ?

Probably

ok here it is

Hello. Here is a challenge. ```
fragment x: 77677677266
fragment e: 67662666346
fragment y: 54D223230FE
fragment b: 33F505F4AA8