#cybersecurity

Python or C I assume?

there was no payload

Hm?

i believe he managed to find some SQL injection on what was supposed to be a private login portal

managed to get a dump of logins and hashes, cracked one of the hashes.

sometimes you don't need code

¯_(ツ)_/¯

how does one crack a hash though, They're encrypted half way to high hell

people picking shit passwords

i think he used some rainbow tables or something

SQLi is like the mother of getting into a system I guess

idk, it's about a decade ago

it's the low hanging fruit

as well as activate macros?

May I ask

Macros are a sequenced pattern of button pressed or command, right?

people think of hacking or security as this exercise in leet skills

quite often there are easier ways in.

for instance if I had a macro on loop to spam q, it'd do so

am I correct?

ahhh, "activate macros" is a Microsoft Office problem

macro's in office programs can be loaded with malicious commands

o no

turning on macros when you get a document from an unknown source is dumb dumb dumb dumb

this is the sort of shit i tend to see working in IT

people following dumb phishing scams with fake login pages

or opening files they shouldn't

Are you a security professional?

that's where the most damage comes from

nah, just a systems / network administrator

Ah,

but i take a heavy interest in security

I was going to ask if you could help me out a little

it's a hobby.

hobby that ties into work.

so not bad.

:D

I Need to learn as much as I can about security but the internet doesn't actually show that much anymore

it's hard to say really where to start. quite often knowing how systems work is a huge help

So assembly ?

Or c?

noooo no no no

o h

like... how does windows verify passwords

how does a program use memory

the more you know about an operating system and how it functions

the more you know about its weaknesses and flaws

that's helpful for protecting systems as well as breaking into them

dont some people make like their own os from scratch?

I heard a talk from the CCC (german, chaos computer club) adressing that problem in corporation where you have the non-it secretaries.
A solution that worked pretty good for 1 corp was to put [Internal] or [External] in front of the email subject using a mail program

which worked very good

eh, no. people aren't really making OS's from scratch.

building an OS is huge work

i understand things like unix and ect,

well, i dont understand, but I'm sure it comes into play

yeah, knowing the ins and outs of an operating system is pretty important, imo, in security

one of the most common ways to escalate privileges on an exploited machine in a windows network is to know how windows authenticates users.

Would you mind giving me a little lesson in dms about security on windows + linux?

i'm not really versed enough to teach.

Fair enough

i got most of my security knowledge by following breaches, reading up on how they were found, watching DEFCON / CCC / Blackhat conference lectures

that sort of stuff.

i have never got deep into the guts of it, as i don't really want to work in sec.

it's just a hobby and a little help to being a good sys/net admin

Defcon?

yup, it's a security conference held every year

i think it's up to 28 now? 28 years of running

there's videos for conferences as early as DEFCON 10

it's where security professionals, white / grey, give talks about things they've discovered

or even just thoughts about current practices etc and how they can be improved

and sometimes just fucking about

How exactly do I turn a .py into a .exe?

py2exe, but really...

why?

Well, I like making some smaller stuff on python and I want to be able to distribute it among my friends

stuff like system checkers, ect

so Windows Defender will probably flip its shit at an unsigned executable like that

which is good, it's doing its job

and, in general, it's a bad idea to trust .exe's blindly.

even if i was your best friend i wouldn't run it as an exe <_<

fair

windows defender is pretty good in spotting malware tho
you shouldnt rely on it of course

it's gotten very good.

it used to be quite the joke

i don't even install anti-virus on my personal windows machines anymore.

nowadays you dont want to have an external antivirus anymore so you dont have a ring0 breach

that's a whole other level of fuckery indeed :D

sorry i just felt this chat needed a bit of comedy

🙂

although I find the shitstorm around valorant funny tho
if you have heard about it

the hecketh is a valorant

riot games new shooter

ok

uses a new anticheat called riot vanguard

which operates on ring 0

yeah, it runs on startup too

installs as a system service

like many other anticheat systems as well

yup yup

punkbuster notoriously did this

but now they all shitstorm although they have no idea what it means

i mean... it has to monitor the game's memory space

i think it kind of needs the access

yes, a breach is possible
BUT
there is I think 500k bug bounty for breaching riot vanguard

also it's probably easier to phish players of the game than fuck with the anti-cheat

christ, you'd have to already be on their system

at worst it's a priv esc

and although it is from riot which is a 100% corp of tencent which is from china, spying on you is also possible in ring 3

but there are so many vectors already

and riot basically needs the ring 0 access

to do good anticheat

VAC does a pretty good job, and i believe that's ring 2.

hmm

nope, ring 3

I'm about to hop off for a bit

expecting windows to give you the right informations if a cheats is willingly corrupting their os to give wrong information is kinda shitty

ahhh, good thing to look up considering this chat axeleon

look up what the rings mean

Bisk and Timo, can I add you both? You two seem like two genuinely dope people.

and what privilege escalation is

eh, i just hang around in here. don't really do social off it. but if you have any security related questions you can always hit me up in here.

it's good to have it in the chat, then others can build off it

:)

aye

thank you

cya guys later.

there were cheaters in the past who used direct memory access to read information and write that information to an other machine

which then computed it and sent it back

no chance to catch that

it's always a cat and mouse game

https://eune.leagueoflegends.com/en-pl/news/dev/dev-null-anti-cheat-kernel-driver/

although i do think a kernel based A/C is a bit heavy

good thing i generally play games where cheaters have no major advantage

on LoL, riots first game I have never seen a scripter but there sometimes were in upper elo - like you saw them in highlights

plus the communities are old enough to self police and have the experience to eyeball a cheater.

and this was with ring3

so it can only get better

i think the most insane example of cheating was the Steam Workshop skins stuff in CS:GO

or people hiding their cheats in storage on their frickin mouse

wallhack is impossible in the first place because character models are not rendered when out of screen

most people aren't going to give a shit about this ring0 stuff.

if you don't like it, don't play it.

I am interested to see how it develops

the biggest threat of a ring 0 anti-cheat is going to be the developer fucking it up

and causing crashes

rofl

difference is that you can make money with these cheats in the biggest video game there currently is

I think if you really want to catch cheaters you have to get into ring 0 as you would otherwise act blindly

but yeah, you cant really fuck around in ring0 I guess

as i said before, VAC does a pretty decent job.

I mistake and haha system go bsod

worse, since it loads on boot, you reboot and it breaks again.

yay

"oh, I commited to prod"
hmm
thats not so good

i'm not so bothered by cheaters outside of league games tbh

but i'm from a different era

i used to have to do manual cheat reviews for CAL's CS:S division

actually watch demos and make judgement calls

I think you can cheat "intelligently" in csgo
like, have a beeping that gets louder the better you aim at sb

and then hide it with self control

that, right there, is the bit that people fuck up on

or have a mouse that does the aiming for you

but not perfectly

i mean aimbots have had "humanisation" for a while

you can still see it

cat and mouse game

i wouldn't trust myself to do it in a game that wasn't Quake or Counter-Strike though

anti-cheat can be fooled, but that's only half the game of successful cheating

question always is where you cheat
if you cheat in a regular matchmaking game you can do much more than if you are supervised

i'd go a step further, i'd say it's actually the easier part of cheating.

using a tool someone made that bypasses something

thats script kiddy-ing

most cheaters don't write their own cheats, obviously.

even high profile ones don't.

they're bespoke cheats purchased for a high price

btw - afaik esea also uses ring0 AC

far less likely to be caught up by VAC or something

yeah, i get ring 0 for leagues.

oooooh, fun story

a guy was report for cheating in CAL-M (step down from pro) and i was investigating him

all his play seemed legit

but he was a really good bunnyhopper

almost flawless

well, lets see how it develops
I think riot does a very good approach in valorant

dug through the demo file and pulled out when the jump commands were issued

single jump command issued exactly when the player hits the ground

huge red flag, no human does that.

bunnyhoppers in CS use the mouse wheel for the most part

I mean if you are not frameperfect bhopping (which is a bit hard on 128 frame) you only have 50% chance to perfect bhop

so you'd see like +20 jumps issued around landing time

on flat land his were all perfectly spaced.

a normal human who tries to frame perfect wouldnt be frame perfect like 5 times in a row

clearly a bunnyhop cheater, so it follows he was cheating elsewhere

but it took demo review to figure that out

and not even just watching it, actually ripping the file apart

since demos are basically just stored network information

if you consistently hit a perfect bhop multiple times in a row thats not really humanly possible

aye, i'm a big speedrunner / movement fan

i fucking love CS:S's bunnyhop.

demos sotre all inputs for every frame I guess

nah, they store network info

same, speedrunning fan

so less to do with inputs and more to do with what's transmitted

always nice to see a game ripped apart

I am watching tasmalleo often, he currently does the 7th iteration of paper mario the thousand year door

i've been doing Quake 1 runs during this quarantine

best single segment so far is 19 minutes

on easy though

using things like
reverse engineering the rng function or using calculus to optimize movement

i do like it when games break though. i think my favourite is the AI waypoints in the half-life 2 games

really good yt videos on that as well, all speedruns with commentary

just put an object on their head and they teleport forward.

"stuck... must... get to.... waypoint..... teleports"

do you know pannenkoek2012?

nah, i don't really follow the speedrun community that much. especially a lot of the console games and the like. fun to watch the games done quick marathons to see how shit breaks, but i mostly like my FPS speed runs.

pannenkoek is a tool-assisted-superrun mario64 player

known for his least a-presses videos

always insane to see games getting broken like that

oooooooooh

you ever heard of Q3Defrag?

actually, we're getting off topic here.

jump to #ot1-this-regex-is-impossible ?

at one part, running against a wall for 12 hours to build up enough momentum to teleport in a parallel universe to teleport up to save an a press

tbh, I think I need to get a bit productive again, my IDE doesnt want to do stuff
lets talk later in DMs @lusty flare

sure, if you like TAS stuff there's some hilarious quake defrag things.

Hye

hey guts

i am looking for a JOPE ransomware key

a friend got infected with it

Let me see what I can find

thanks

question

https://id-ransomware.malwarehunterteam.com/
https://www.avast.com/ransomware-decryption-tools
https://www.nomoreransom.org/crypto-sheriff.php?lang=en
are what I have bookmarked

does someone know

how to set virtual box

iternal network + nat

@soft delta Let me know if any of those help or assist in any way

like i wanna have a kali machine and windows 10 on the same network but still be able to use nat to get internet

yh i know how @thorn obsidian

I'm not seeing anything related to JOPE. Does it go by another name?

@thorn obsidian wdym

also btw thanks

Are they getting something that looks exactly like:
https://bestsecuritysearch.com/wp-content/uploads/2020/04/jope-ransom-note-image.jpg

is this the option?

and why it fails ?

@thorn obsidian yes

and the files end in .jope ?

yh i think so

all of them encrypted

u know but u dont help thanks

Is .JOPE the full extension or is there an ID number with random hexadecimal characters (.id-A04EBFC2, .id[4D21EF37-2214]) preceding it?

Did you find any ransom notes? If so, what is the actual name of the ransom note?

Can you provide (copy & paste) the ransom note contents here?

Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?

Can you answer these?

Also, please use https://id-ransomware.malwarehunterteam.com/ and let me know what it returns

https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu looks to be something that may work

or, wait. That looks to not work for anything after August 2019

For newer STOP (Djvu) variants, the criminals switched to a new cryptographically strong key protected by RSA Salsa20 algorithm ((a GUID generated by CryptGenRandom) which cannot be brute-forced.

OTHER IMPORTANT INFORMATION:

• STOP (Djvu) Ransomware only encrypts the first 150 KB of files.

• All of the new STOP (Djvu) variants add 334 bytes to encrypted file size due to including the RSA-encrypted key, the ID and filemarker as explained here.

• Newer STOP (Djvu) Ransomware variants are known to cause dual (multiple) encryptions with more than one variant because he ransomware is loaded as a Scheduled Task and sets itself to run every 5 minutes.

• Newer STOP (Djvu) Ransomware variants are also installing Password Stealing Trojans.

So I'd reformat

Anything on the system your friend has not backed up, consider lost

( The above was taken from https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/ btw )

I will find out from my friend tomorrow and let you know

tysm for the help

How do I detect if an executable or file has been opened?

after the fact, or in real time?

@thorn obsidian

set it to bridged mode

that'll give your VM an address on your LAN range, rather than dealing with NAT

I would like to pen test our DMARC email signature. What should I look into to test if our DMARC is working? (please @ me)

http://mxtoolbox.com @potent bay

it can check if your dmarc record is up to scratch

unless i misunderstand what you're asking

mxtoolbox is a one stop shop for domain checks.

@lusty flare well, that works. What I wanted is to trigger it with a spoof email to see it in action and how it would look getting a report email

you could use smtplib in python and a relay to create a spoof

see how that works

Thanks, I will look into that

https://www.independent.co.uk/life-style/gadgets-and-tech/news/motherboard-rpg-roblox-hacker-data-stolen-richest-user-a9499366.html

@thorn obsidian didn't see this

interesting

That's what I thought. Roblox is huge, so it's not much of a surprise I suppose.

but, like

why

Why would they do it, you mean?

why would they pay money to bribe the admin of a children's game

¯_(ツ)_/¯

To "prove a point"

it's probably a child, then

Will be interesting to see how it plays out

Is this hacking or just social engineering?

neither

just bribing

But couldn't bribing be considered social engineering?

The bit about customer support confused me at first.

meh, I'd argue that social engineering implies that the "victim" doesn't know they're helping you

I agree

Yeah, touche

That makes sense

According to Techcrunch, its millions of users rage from between eight and 18, although its key demographic is between nine and 15 years old.

amazing how a typo made the paragraph more accurate

:D

that's a cheery start to my morning complete.

does anyone have any beginner hacking methods (not for bad things)
just wanna test security

if you have any old WiFi equpment you could try cracking WEP or something

you could also look into NTLM relaying if you've got some windows computers.

does anyone have any beginner hacking methods (not for bad things)
just wanna test security
@crisp kindle

I don't know man, but with that avatar and that question, I wouldn't want you near my network 🙅‍♂️ 🙅‍♂️ 🙅‍♂️

Please don't use the r-word in a derogatory manner @thorn obsidian

sorry but its facts

it's offensive towards people with actual mental retardations for you to use the term in a derogatory manner

nothing about "facts"

it's just insensitive

Hey, does anyone knows whats best way to hash password in flask and how to protect db from sql injection

@stark mason 1. I use argon2 2. escape everything that comes from the user and use pre-made SQL queries when possible

How to use argon2.2?

it's argon2, the 2. was responding to your second question :p

Mb*

I know to use it php (at least it hink so), but how in flask

just install the module in your virtualenv and then call its hash method during registration

And what are pre made sql queries?

Like db.session.commit()?

no, something like

SELECT user FROM users WHERE user_id=5

Ooh okay

Thanks :D

fundamentally, what you want is to process as little of direct user input as you can get away with

escape everything, if at all possible, and do not use user provided content in db queries

@stark mason @flat helm escaping is not a proper protection for sql injection

use prepared statements instead

that's what i said

Wait what are prepared statements?

Google is your friend here

Uuhh i cant go to pc with all files to test it :(((

guys,
I want to make a login for my code that user should get the verify from me and he/she get the account for specific time/term
how could I do this or what they call this in the security coding ?

@worn walrus Can you elaborate?

You want an account you've pre-made that only last a specific amount of time?

Something like that ,you can say they rent my code .. when the time ends it stop working in them till they talk to me and get the permission to use the code again also for amount of time

like a timed license?

yes

I checked on google got some info about the port 443 , if somebody know the answer is that what I was looking about ?

that's a standard https port... not sure how that's related at all

Best case for that would be a webapp. Anything on someone's system can be reverse engineered.

https://daringfireball.net/linked/2020/05/02/psychic-paper

Basically, it comes down to this:

• XML is terrible.
• iOS uses XML for Plists, and Plists are used everywhere in iOS (and MacOS).
• iOS's sandboxing system depends upon three different XML parsers, which interpret slightly invalid XML input in slightly different ways.

TIL why JSON doesn't have comments 😄

Thanks guys👍🏻

Avoiding MySQL injections with Python https://stackoverflow.com/questions/7929364/python-best-practice-and-securest-to-connect-to-mysql-and-execute-queries

guys, i have a doubt.

let's suppose my customer registers, then his password is encoded with hashlib256.
if a hacker get's my data, he can't decode my password using the very same hashlib?

that's the whole point of storing hashes instead of the actual password

if it's a crappy password, the hacker can try to guess it

that's why you "salt" hashes

yes, i get this, but when the customer logs in, it has to decode the password, right?

ohhh

i think i got this

no

(key turns inside my head)

why the customer logs in, it -hashes- their password, and compares it to what you've previously stored

that's not decoding

you have to provide the actual password, the one the hacker does no have

oh i got this

wow

even you, the dude who's storing the hashes, don't know the customer's password

true

but actually there is a way to store the real passcode of customers, right

binding it to a secondary database, with copy of the register form, without the hashing

I guess, but it's a terrible idea

when the bad guys steal that database, they now have all the customer's passwords

yes, what i'm trying to say is that you can't be sure if they are storing your password hashed or note

that's the whole point of hashing -- it lets you avoid storing the passwords

or storing both, and storing your data to access it

if they don't want to get a) hacked and b) sued, they're not storing your password.

if it's Amazon, Facebook, Micrsoft, etc, they're doing it right.

If it's Joe Bob, all bets are off.

haha

That's why you should never use the same password on more than one web site

got it

well, thank you @olive lark, finally understood the logic of hashing

you have to provide an pw to hash, compare and then log in

there's tons to read on the web about this; some of it is even well-written

we nerds just love our crypto 🙂

hahah 😄

you know flask-login?

i was having an issue yesterday, idk what was it actually, but i think i "duplicated" an function

nope, don't know it

I've never written this sort of code myself, and hope I never do

it's surprisingly difficult to do well

auth stuff?

yep

why you say so?

because everything I've read says that

oh

i mean, i'm 'new' to programming, i'm 8 months in python

see https://security.stackexchange.com/a/18198

been trying to create an app

i'm will read now

@slate osprey Encoding/decoding and encrypting/decrypting are two different things

oh i get this, was bad explanation of my part

sorry

Sec

alright

!e

import base64
print(base64.b64encode("Somebody once told me the world was gonna roll me".encode()))

@thorn obsidian :white_check_mark: Your eval job has completed with return code 0.

b'U29tZWJvZHkgb25jZSB0b2xkIG1lIHRoZSB3b3JsZCB3YXMgZ29ubmEgcm9sbCBtZQ=='

That's Base64. You can run b64decode() and decode that string trivially

Where as encrypting something, say, with AES or RSA, requires either a password ( symmetric encryption, like with AES ), or a key file, ( asymmetric encryption, like with RSA )

Then you have hashing which is a one-way function. Something like Argon2, or SHA512. The only way to know what was hashed and returned the specific string, is running the same scheme over whateevr string you believe it was, and check the result

you only get the result sending exactly the same string used to create it

right?

Yes

what is a good scheme?

sha256

No

you should play with them

Argon2

heh

NERD FIGHT

hahhaha 😛

https://passlib.readthedocs.io/en/stable/lib/passlib.hash.argon2.html

like I said: I don't write this sort of code

Argon2 is specifically designed for passwords

>>> from passlib.hash import argon2

>>> # generate new salt, hash password
>>> h = argon2.hash("password")
>>> h
'$argon2i$v=19$m=512,t=2,p=2$aI2R0hpDyLm3ltLa+1/rvQ$LqPKjd6n8yniKtAithoR7A'

what is this "salt"

https://en.wikipedia.org/wiki/Salt_(cryptography)

cant you use the first, fourth and five letter of the user input(register) as salt?

Considering Passlib handles that in a more secure way, no

oh, right

i'll read more about argon2

Passlib makes it trivial to setup, and it's very straight forward. You'll love it 😄

i mean, my apps are not meant to be used by millions, unafortunately i'm still learning how to create them, but learning cryptography sounds really good

i asked on web dev yesterday, but between werkzeug.security and bcrypt, which one is better, but Argon2 sounds better

A million+ people don't need to use your programs. But if you write your stuff in a secure way and go out of your way to safeguard information, that's one less program/website/etc that someone has to worry about leaking their info 👍

There have been too many instances of sites/programs doing things in a shoddy way. I recently stumbled upon a website which has no HTTPS at all. Which, was kind of shocking 😄

looks like you work with this, am i correct?

With Argon2/Passlib specifically? Yes

with security in general

I'm not part of Passlib or their project, mind you.

Yes, that as well

that's cool

i think it's an really nice branch of programming

but i don't think i would fit, seems very dark

"dark"?

the type of info, knowledge

and it can be used in a bad way too

It's more, in order to know how to defend yourself and your users, you need to know how the bad guys are breaking into systems.

Which, some people use that information and become bad guys themselves. That's never a good idea.

yes, that's the thing i meant to say, you have to do some bad shit

hahahah

but crypto is something that caughts my attention

Good, I'm glad!

If you have any questions about it and I'm around, I don't mind explaining/helping out where I can

@thorn obsidian
Did you finish cryptopals?

oh that would be nice, but i'm still very newbie at everything

@obtuse harness Cryptopals? Not sure what that is

i guess i need to learn more stuff before

Cryptopals.com

We all were newbs at something. Just stick to it and you'll get better.

this looks cool https://cryptopals.com/sets/1

@obtuse harness I was never a fan of CTFs or things like that. The way they're framed never interested me.

Those sets will make you cry bud, it took me 1 month to go through set 1

Okay

my goal right now is to create an entire base of a site, working. with (register, login, CRUD)

There are many people that like them, and I'm not going to say they're bad. Just not my cup of tea.

Flask?

using flask, that i'm getting good at

Good, if you need any help, lmk

https://blog.miguelgrinberg.com/post/the-flask-mega-tutorial-part-i-hello-world is a good starting point

made a little project these days, https://github.com/ngeorgj/fast-flask

got zero visibility

but i was happy to be able to do it

it creates the very basic structure, (django-like)

Happens, I been thinking a lot about what to create, created a form to ask people, most had one problem: switching between apps

Though something to be aware of, Miguel's /logout functionality on the above mega tutorial is a GET request, which is not best practice.

i'm still thinking how to enhance it, but i have to study for 2 weeks now

ANYTHING that changes "state", such as:

• Changing your username
• Changing your password
• Logging out
• Logging in
• etc
  should be POST requests

so it will be for the future haha

oh

get sticks the info in the url space right?

Which, all POST requests should also have CSRF tokens

post sends it via package?

POST requests are like form requests

Whereas GET requests are in the URL, yeah

saw something about it once

So, lemme laydown the attack and why you wouldn't do anything that changes state in a GET request:

So, let's say your service is https://somebody-once-told-me.example.com

https://blog.miguelgrinberg.com/post/the-flask-mega-tutorial-part-i-hello-world is a good starting point
@thorn obsidian oh, this tutorial looks awesome, very complete

You also have the ability to logout at https://somebody-once-told-me.example.com/logout

So, if that's a POST request, coupled with a CSRF token, it doesn't matter. I can send you a link to it and nothing will happen.

But if it's a GET request, if I send you a link to https://somebody-once-told-me.example.com/logout , guess what happens?

You get logged out

So imagine that was something more malicious than logging out. Let's say everything on your site was a GET request

Let's say changing your user's password was a get request

you put your new pw on the url

and it gets caught

https://somebody-once-told-me.example.com/dashboard?userid=31&password=IDONTKNOWTHISPASSWORD&repeat_password=IDONTKNOWTHISPASSWORD

Your user clicks that ( the userid might not be needed )

They've changed their password, and have no clue what they changed it to, but you do

Tada, I'm in the account

😄

I agree with most of what you say @thorn obsidian
But most sites with a whitehat program don't care about logout csrf or things like that.

what about this csrf token

what is it

@thorn obsidian What?

@slate osprey Anyway

dude i wish there are more programmers at my city, somebody to hangout, grab a beer and talk about this all night

CSRF tokens, or Cross Site Request Forgery tokens, are tokens you would put on every page with a POST request.

it's not popular here

So since your logout is now a POST request, anywhere it happens, CSRF token

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.[2] There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account.

https://en.wikipedia.org/wiki/Cross-site_request_forgery

this is advanced

i get the logic, but i have no idea how this is made backend

Give me one sec and I can explain!

alright

So Flask-WTF - which implements WTForms, has this and can be setup rather easily.
https://flask-wtf.readthedocs.io/en/latest/csrf.html#csrf

https://flask.palletsprojects.com/en/1.1.x/patterns/wtforms/ is also the official Flask page about WTForms

Which has:

Getting the most out of WTForms with an Extension

The Flask-WTF extension expands on this pattern and adds a few little helpers that make working with forms and Flask more fun. You can get it from PyPI.

Just so you know I'm not recommending some random thing 😄

haha 😛

i've used flaskwtf once, but i tought it was little complx and i could do the same without it

but i think i should use it now on

Flask-WTF is great once and pretty easy once you start using it. But like I said, check out https://blog.miguelgrinberg.com/post/the-flask-mega-tutorial-part-i-hello-world if you'd like to start with Flask

i mean, i know how to use it(kinda), my biggest bottleneck is about databases

The mega tutorial touches on that as well

databases drives me insane

the relationships

and table creation

Flask-SQLAlchemy specifically is covered in the mega tutorial

tables are really shady on the web, i read that companies try to not expose schemas, this is some dark shit

sql alchemy i'm aware, i use it already

Neat

i mean, let's suppose i want to create an ecommerce

idk which tables i need to use

nor how to relate the tables

and i found 0 examples

the ones i found where really messed up

I think you'd be better off using the mega tutorial, and then any remaining questions just asking them afterwards

i'll sure do the tuto

probably start it now

Good. I'm going to go AFK for a bit

alright

👍 Glad I could help

hey

thanks for all of this

really helped

No problem, no problem at all!

you very good at it

congratulations

😄

i wish i knew something specific this well

and sorry my grammar, english is not my main language

can i add you? or keep just in chat?

dude i wish there are more programmers at my city, somebody to hangout, grab a beer and talk about this all night
@slate osprey that's why 80% of the programmers are in like five cities (in the US anyway)

this is really bad, the lack of people doing this

have the good point

high salaries

and the community is really bonded

i like a lot being part of this discord group, at least once per week i get to actually talk about an particular subject with people who work with it

and it's really cool

i'm doing bachelors on foreign trade

imports / exports

my region is strong at it

but image a 50k liter box

and at least 100 thousand sharks

that's competition here

the city has like 200k habitants and at least 100 freight forwarders

absolute competition, unhealty for newcomers

it's sort of the opposite in software land-- if you're good, you'll get snapped up

yes, that's nice

here it's bad dude

the last place i worked, my boss sent a guy to beat a customer up

ah

for changing supplier

different from my business indeed 🙂

yes, that's bad

i was finance manager in there

disagreed of lots of his practices

then i left

since then i've been learning python for changing to this

programming was my first option when i was younger, but ended up going to foreign trade

bad choice.

I don't think you need a specific computer science degree to learn this stuff

certainly not to learn it

a degree probably makes it easier to get a job

i think about it a lot

universities don't teach quality stuff, i tried 3 different computer science degrees hated all of them

@olive lark about the job, yeah right

but for now i am just gonna sharpen my skills

i'm still a little worried on getting a job with it

well there's not much risk in applying

but i think i don't want a job, i want to create a source of freelancing

idk how to work it out

i'll heave to learn a lot

I been poking around google for too long, they don't require a degree, it's written on their website but I am sure they require shit tons of skills

i'm still no confortable on doing any type of app

same here georg

i have no idea about getting a job

i'm from Brazil, all the good tech here

are concentred in 4 or 5 cities

São Paulo, Curitiba, Florianópolis, Chapecó and some other

Florianopolis is like 200km from my house, it's in my state

everywhere else is shitty in tech

brazil is a good market for smart startups

good for you mate, I am sure if you come with some sharp prototypes they might invest in it.

ideas don't much matter unless you create a prototype of whatever it is you want to build

i just need to learn how to make it

hahaaha

i had a little investment fund

i got some profit at it

but it was a little illegal, it's 2 years of documentation and bribes to open a fund here

yeah that's the point, from my perspective, first you need to create that prototype and then you might find people like you to work or invest on it.

i opened it undercover

closed it 7 months later

I hope you are kidding

14% return

for each investor

no i'm not

i used crypto for transferences

Just don't go near illegal stuff, and even if you do, don't talk about it publicly, it won't have good effects for your future career or portfolio

i mean

it was not that way

just didnt pay taxes on profits

after that i went on declaring it

but we have a 'ceiling' for taxes

it did'nt hit

so i had nothing to pay for. everything went alrigth

and just for explaining matters, when i started i didnt know it was illegal

i closed it for this reason

okay, that's good then

i was really upset when my friend told me that were strong laws against it

had to call my investors

long ago I had read US laws, although I don't live there, some of their laws are like "even if you didn't know it was a crime, you will get prison time"

i got the business idea while was drunk

so i just wrote it down and put it to work

no studies

hahahaha

hehe, just make sure you read the laws next time 🙂

oh, i knew the market pretty well, studied currencies for 3 years

it was currency based fund

anyway it can't be traced to me, even if i wanted

I think people coming from marketing or economics will do much better in tech, after all they understand people and the market.

my uncle is accountant, after i explained the whole thing to him

he told me "well, for what you've told me, you are a ghost"

hahaha

lets move to an off-topic channel @ #ot1-this-regex-is-impossible

after i knew about the problems that could rise

alright

which is better for security hashing passwords on the client or server side ?

this might be a dumb question idk

client

password should not go on the wire ever

hmmm

I bet plenty of web sites just send it anyway. If you're using SSL it's not a disaster

still if you can keep it on the client, you should

what i read is that i should transfer a salt then (server) create another salt (client)

then mix the 2 salts

you know I just answered that reflexively, without thinking. And I'm not a security guy.

So let me back that all up 🙂

I still kinda suspect it'd be better to keep the password from leaving the customer's machine. But that's as far as I can say.

hmm

i was also wondering

should i autherize the user from the client side ?

uh, no?

because then you'll have the client saying "oh yes, he's legit boss" and the server will be forced to trust that

ohhhhhhhh

alright thanks

@broken niche Hashing on the server side is better

Considering anything done on the client can be reverse engineered/changed by the user

@olive lark

password should not go on the wire ever
Do what? Setting up HSTS, all of the other security headers, and proper TLS 1.2 + TLS 1.3 makes that sound silly. How exactly are you going to authenticate to a server if you don't send it your password... ?

Perhaps you meant not to send your password over the wire when the connection isn't HTTPS?

Yep

Spoke too soon

I still kinda suspect it'd be better to keep the password from leaving the customer's machine. But that's as far as I can say.
@olive lark it's not. If you're storing hashes in the db, and the client only sends the hash to the server, it's equivalent to storing plaintext passwords in the database. Should the database get breached and someone gets a hold of the hashes, they can simply use those to immediately log in - no need to crack them beforehand, because the hash value is what the server expects from the get go

hope this makes sense

Of course, you can prevent this by, like, double hashing? But this introduces other problems and is just pretty pointless in general

so, @broken niche, implement TLS and send the password, not the hash

hashing should always happen on the server

@olive lark as a design principle, never ever trust the client

always validate server side anything that the client does

And yeah, what @thorn obsidian said

Client side hashing is equivalent to no hashing

I'd suggest using werkzeug.security for the hash function

It takes care of salting automatically

I personally use passlib's argon2, which also does salting automatically

And force https

Also works

guys pip isnt working what do i do

im trying to obsfugate with pyarmor and pip isnt working

On linux or windows ?

what does obsfugate mean?

obfuscate?

Also, is there an easy way to run a script through a VPN that you're currently connected to, to the remote machine?

How can I make my program hash the key and encrypt the data with AES-256, is it possible?

yup, totally possible

but hashing and encrypting are different things, what are you specifically trying to do?

A file encryptor

I'm new to this Python file encryption

And what hashing algorithm do you recommend? (SHA-256 or SHAKE-256)

https://pypi.org/project/pycrypto/

that seems like what you want to use

im using pycryptodome

sure, whichever works for you

thank you

hmm I have a problem, when I put the name of the file and give enter nothing happens and the file is not encrypted, it does not give any error or anything

I'd probably need to see code to help with that

what are you supposed to be encrypting here?

it doesn't look like you're encrypting anything unless I'm misreading this

What the program does is encrypt the file that you write in the input

what line exactly encrypts the file's contents?

that's what I'm not seeing here

def encrypt():
    file_out = open("[CIFRADO]" + data + ".cifrado", 'wb')
    file_out.write(cipher.iv)
    file_out.write(key)
    file_out.close()

That part of code encrypts the data with the IV and the key

wait

to me it looks like you're opening a file, writing some metadata (IV and key) about the cipher to that file, then closing it

yes

Although I really want it to convert the original file data into garbage / code

you'll need to read in the contents of the file contents = file_out.read()

encrypted = cipher.encrypt(contents)

thanks, it worked

@subtle forum

Is there an easy way to run a script through a VPN that you're currently connected to, to the remote machine?
Depends on the script. Can you give some more details?

@thorn obsidian Can you explain what you're doing here?

Although I really want it to convert the original file data into garbage / code

a file encryptor

It is a program that works is to encrypt the file that writes in the entry

(Im using google translator)

What are you trying to encrypt? Single files? The whole disk?

single files

and you're using.. AES?

yes

https://cryptography.io might help here

Does it work with pycryptodome?

I'm not 100% sure

https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/ has AES. I'd suggest reading the warning at the top

This is a “Hazardous Materials” module. You should ONLY use it if you’re 100% absolutely sure that you know what you’re doing because this module is full of land mines, dragons, and dinosaurs with laser guns.

im gonna try it

why change the library?

they look like they do the same job

@echo herald Looks like https://www.pycryptodome.org/en/latest/src/examples.html#encrypt-data-with-aes is AES-128

i have a solution for that

Whereas https://cryptography.io/en/latest/_modules/cryptography/hazmat/primitives/ciphers/algorithms/#AES has options for up to and including 256

from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes

key = get_random_bytes(32) # This causes AES of 256 its to be used
cipher = AES.new(key, AES.MODE_CFB)
ciphered_data = cipher.encrypt(data)

works fine

Does it though? What about the block size?

I don't know because I'm a little new

Okay, correction, maybe I'm wrong. I think the block size is always 128.

But mind you, this is why you don't roll your own.

If you're not 100% sure of these things, use a package that does it all for you.

To encrypt texts, you recommend using RSA or AES?

Because I have seen that they say they recommend AES and other places say that RSA is better for this

Depends on your usecase

E-mail for example works a lot better with asymmetric ( RSA, etc ) as opposed to symmetric ( AES ) encryption

For example: encrypt critical credit card information, passwords, etc.

Is this for a website or something?

It is like a personal file encryptor, to prevent people who save files with sensitive information from being attacked

So, VeraCrypt?

If it's text you're looking to encrypt, maybe KeePass?

something like that

https://arstechnica.com/information-technology/2020/01/us-government-funded-android-phones-come-preinstalled-with-unremovable-malware/

yeaaahhh...

and they were like

"CHINA PUTTING MALWARE IN UR 5G AND HUAWEI PHONE"

the lifeline program is to provide phone support to poor people

so of course they're going to track them

wouldn't want poor people using their phones for non-essential things

damn, wild speculation got the better of me.

i guess the government is just trying to get the poor people to generate more income for large corporations

:(

https://pyotp.readthedocs.io/en/latest/ Is great

If you have a question, check out https://cheatsheetseries.owasp.org/ first. There's a lot of stuff there.

is this code okay?

def encrypt():
    ct = encryptor.update(input) + padder + encryptor.finalize()
    print("Texto original: " + input)
    print("Texto cifrado: " + ct)

i will pass full code

import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.backends import default_backend

backend = default_backend()
data = input("Inserte el mensaje que quiera cifrar: ")
output_data = "MensajeCifrado.bin"
key = os.urandom(32)
iv = os.urandom(16)
padder = padding.PKCS7(256).padder()
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=backend)
encryptor = cipher.encryptor()

def encrypt():
    ct = encryptor.update(input) + padder + encryptor.finalize()
    print("Texto original: " + input)
    print("Texto cifrado: " + ct)

Hey uguys

Im mainly into bot dev, competetive programing, and some webdev also

but i was thinking i wanna dabble into malware dev, since it thought it would be a big learning experience

Do u have any suggestions on where i should start?

@cerulean gorge Malware development isn't something we discuss here

oh, okay, sorry then 😄

Heey guys

Is getting (hacking) someones wifi pw to get access to it illegal?

ask a lawyer

lmao

yes it is

laws are complex and vary from place to place and time to time

Even just by getting pw, like to get access to it

And how they can know if someone has hacked their wifi

Is getting (hacking) someones wifi pw to get access to it illegal?
In the UK, it is unambiguously illegal

Computer misuse act. Accessing computer systems without permission

Ooh

Idk if its accessing computer but router tho, but i dont want to do anything illegal xD

Thats probably reason why its not published at app store

A router is a computer

Oh than it is illegal

Very probably

i have a problem

when i put pyinstaller ExtremeTextHash.py
It tells me that I don't have it installed when I really do.

@thorn obsidian What is ExtremeTextHash.py?

a text hasher

@thorn obsidian can i show the code?

If you could, yes

@subtle forum
Depends on the script. Can you give some more details?
@thorn obsidian Sure thing - I'm attempting to connect via VPN to a server and then proxy my connection over the port number. What add'l info could I provide that's helpful? I know that SSH is involved at some point...

sorry for the delayed response, had something unexpected pop up after writing

So is this a VPN you've set up on a remote server, or is this some product you've bought?

Because you should have access to whatever you've done the VPN to like a regular system if it's done right

Hey everyone I'm new at cibersecurity and I know python so I'm wondering if someone can say me some libraries used in pestesting and hacking with python.

@unreal yew @stoic obsidian Since either of these could be used to assist someone who wishes to be malicious, it's not something that'll be discussed here.

Regardless, we don't know the intentions of other people.

Considering there's 42,000+ people on the server, any of them could have the same issue you have and want to use it to break into someone else's passwords

just decrypt json file

for sciences man 🤣

i making candies

that it

finally ive founded myself

bye

[21:53] Charlie: Very probably

100% not probably and actually.

there are only a select few scenarios where hacking something, anything, is legal

having permission being a key one

and breaking into someone's WiFi, if they have a decent router, will leave a trace of your device having connected into it.

i've still got a log of every single person who has connected to my WiFi

MAC addy + hostname

which could be enough to figure out who did the naughty.

if they're not smrt smart.

Hi, i am new to python. is there anyone that can put me through letter encryption .

Hi is there anyone that can assist with a mass sender for sending ads and offers

@ivory valley that's very much not legal

!rule 5

hey there people how are you?
I wanted to start learning about the entire internet world to start knowing more and be able to do more, stuff that I want

as I keep reading about stuff I'm directed to more and more

and there's so much that I'm struggling to realize where to start learning

I actually found something

nvm

wdym learning about internet @carmine merlin

this world

I want to know it

it interests me

it always did

I can do programming

but I barely know about the computers, the internet, everything

CTFs might be a good start, you can try:
root-me.org

but I found some awesome sources so I'm fine now, but if you have some more for me that would be great

thanks

that's interesting

I like that one

thanks a lot

there is a lot of resources if you just look up "web/network/hacking CTFs"
I have played a few and can name them: picoCTF2018 & 2019 | root-me challenges | CTF institute | Hackthebox | overthewire.org

you are welcome

there is too many of them

hi someone know about mitmproxy?

i'm a python beginner and i have lot of difficulty to write a mitmproxy script in python

eny advis on css

?

css is pretty secure, not much security concerns there

ok thx

https://medium.com/bugbountywriteup/exfiltration-via-css-injection-4e999f63097d

im getting into a bit of legal hacking and wargames just want to be shur befor i dive in

i got another thing kali kinux

is dat safe

that article confuses me, how would that request make the attacker learn the CSRF token?

it also assumed that target.com would load the iframe of attacker.com, meaning that attacker.com has already found some way to XSS their way into the site? this seems a little contrived but maybe I'm reading it wrong

kali kinux is it safe

?

You are correct @echo herald , there needs to be JavaScript in use, and it needs to be exploited to imply a CSS injection, but that's just about chaining vulnerabilities with one another, not too much to look into.

But I think since both of them are involved, they need to be checked.

Hello, does anyone have any hex reading experience

Maybe not even hex? I really don’t know what it actually is. But it’s some sort of encoding of text to hide it’s real value.

@vivid fog
Check this out:
https://kunststube.net/encoding/
It's not just about Hex or Hexadecimal but it gives you the basic information you need about different encodings.

@thorn obsidian thats not what i mean but thx

thb im not relly shur but im entering the hacking seen and i relly wana be extra safe

pepole wer recommeding it but you no if ther labled blakhat on the discor server

no im not gonna do ilegal shit mostly want to work

a blakhat hacker is somone hoo is invoved in illigal hacking

ya

bad spelling is my worst rivle

lol

Hey I'm new to Python, and was wondering whether the library win10toast is safe or not

never heard of it

dunno what "safe" means either

download it, read the code.

I see, it's Python library that allows me to send notifications

Is there an alternative?

no idea

what are "notifications"?

Just something that notifies you, like on your mobile devices, you recieve notifications whenever someone texts you.

I imagine there are a ton of alternatives. For SMS, there's Twilio

Amazon's AWS can send emails and I imagine they have something for text too

for licensing a git repo, can you put a nickname or username as the <realname> spot?

Not really #cybersecurity related

Though, legally speaking ( I'm not a lawyer, so this is probably wrong ) I'd imagine you probably need your actual name

Because I'm not sure how much protection you'd have if your username was, say, TotallyLegitNotAScammer720360123456789

guys how can I beef up my security on my arch linux build, any tips?

I know this isn’t python but if anyone uses arch and is comfortable please do share do’s and dont’s :p

@woven heron Depends on your threat model

Basic threat model consists of the following:

• Who are you defending against?
• What are you defending?
• What happens if that gets out?

Also, is this a desktop? a laptop?

desktop and I guess the key frame should be basic

From the beginning, I'd recommend something like LUKS for full disk encryption ( FDE )

more around browsing n vanilla stuff for now

bet

I was thinking of doing filesystem encryption too but I also want to see if I can adjust a great firewall

https://wiki.centos.org/HowTos/Network/IPTables explains IPTables pretty well, and will give you a basic firewall

something up to date you feel

nice

You won't need the

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
if you don't want to SSH into the system

Even tells you it

iptables -A INPUT -p tcp --dport 22 -j ACCEPT Here we add a rule allowing SSH connections over tcp port 22. This is to prevent accidental lockouts when working on remote systems over an SSH connection. We will explain this rule in more detail later.

I heard that that port should be closed at all times if you aren’t using it

Unless you're purposefully wanting people to remotely connect for something, all inbound ports should be disabled except for what's enabled in the following:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT This is the rule that does most of the work, and again we are adding (-A) it to the INPUT chain. Here we're using the -m switch to load a module (state). The state module is able to examine the state of a packet and determine if it is NEW, ESTABLISHED or RELATED. NEW refers to incoming packets that are new incoming connections that weren't initiated by the host system. ESTABLISHED and RELATED refers to incoming packets that are part of an already established connection or related to and already established connection.

ty my guy ❤️

No problem, glad to help. I'd suggest forming a detailed threat model for yourself and going forward from there

will do

Where can i learn more about hacking and security?

Any good channel or site?

Would anyone know how to go about running a license plate to get information of the owner?

Or is it best to go plate -> VIN -> VIN look up

@vivid fog What's the usecase here?

Would anyone know how to go about running a license plate to get information of the owner?

anybody here familiar with pyarmor?
having a problem compiling my pyarmor obfuscated script with pyinstaller/py2app
ill mention im on mac, and yes when using pyinstaller on mac the exes work

@thorn obsidian I got tipped off by my parcel carrier that someone from my Vault (run by a 3rd party contracted) is picking up these client orders that are being returned to sender, in his personal van and heading home with them. So , I want to just see if the plate matches the guys name so I have a more solidified theory than just basing it off of hersay

bruh is this dude really trying to buy 0days on pydisc

I was just thinking that lmao

time to snatch 2.5m for an IOS vuln

@vivid fog

is picking up these client orders that are being returned to sender
Where are they picking them up at?

Because if they're picking them up anywhere on your property/properties, you can/should use cameras.

If they're picking them up at client houses/businesses/etc, that's an entirely different beast.

@gusty lotus We don't allow advertisement except for showing off personal projects, and we also don't allow discussion of offensive tools or legally grey activity

is it possible to steal some data using python?

yup

@thorn obsidian What's your actual question?

Does anyone know anything about a apk (weird one disguised as a system application) called ambigstone it automatically installs on my Android whenever I uninstall it

It just shows up as a small icon in my notification bar and does not has any special permission I am using Android 7.0 sec patch 2017. 5 I have seen some payloads but this does not look like 1 what could it be

It just randomly appears when my phone starts hanging

@south coral Sounds like your device is compromised. Do you have root? Is this a custom ROM?

What device is this as well?

It's Android 7.0

I have a QMobile which is a local brand of some country

Problem is that my OS already had some inbuilt ads like even my default file Manager had ads

I am using. A ancient relic but since I don't use mobile much so it's okay

And no it's not rooted it's a mobile that is old like 2017 old

Well, considering you're nearly you are 3 years behind in security patches, that's an issue. What's the exact model of the device?

I took care of the ads but this is bugging me

The last security patch for Android 7.0 was 2017. 5

There is no further patch nor is there any ctf or well exploit that I could find after that

.. Surely you're kidding?

Nope

Checked

https://source.android.com/security/bulletin/ has plenty after May 2017

https://source.android.com/security/bulletin/2017-06-01 for one

https://source.android.com/security/bulletin/2017-07-01 , https://source.android.com/security/bulletin/2017-08-01 , https://source.android.com/security/bulletin/2017-09-01

There's probably more, all of those affect 7.0

Oh, yeah, https://www.armis.com/blueborne/ was also a thing that year too.

September 2017 is the last officialy available patch on my device however given the condition of OS that could be possible

It is not a blueborne attack

Even I sometimes exploit my own machine

What's the exact model of the device?

However this problem arised before that

Çmp one

Or kernel

Ç_mp_26_1

Kernel 3.10.65

The best thing you can do is disable any kind of connection on that device

Data/Wireless/Bluetooth/Location/etc

Ç_mp_26_1 didn't get me anywhere. What's the codename for the device? What's the device called?

One more thing it's Icon was not the standard green APK Icon of my Android it was a blue one

It is called QMobile infinity c

Please don't judge

I don't care about what the device is, I'm more concerned about you having an infected/compromised device

Oh

This looks like a Pakistan-specific device?

Yes

Do you have anyone you can trust to look at this device for you?

A family member went there

Yes

I'd give them the device and have them take an image of the device

Considering it's definitely compromised

Like the photo of my mobile

?

I'd give them the device and have them take an image of the device

I mean more in a forensics type of way, see what the issue is and what's at fault here

Which, you're not on that device are you?

Oh well no one like that

I. Was thinking of using nmap scan

That's not going to do much

I have a Kali Linux machine ready is there anything I can do

Because everything else is closed due to quarantine

Just name any tool I'll search

Give me a bit to see what the best course of action here is

Is this your main device? Are you a journalist or someone otherwise with important information on the device?

There is not much important information I mean that would be foolish but it's important device to me

Because if the device is compromised, be under the impression that all contacts, images, data, texts, call records, browsing history, etc have been siphoned off the device. I personally would consider it completely compromised and would try to get a new device. Preferably something with the latest android security patch level.

I'm not sure how feasible that is for you, but I can recommend you don't use that device. No clue if there's malware that has root on the device, and I wasn't able to find a stock image for the device to flash back onto the device to take it back to a "clean" state.

I checked this device is not rooted

And I checked manually using a meterpreter session

But this problem was before that

I mean as in, you the user may not have root, but I have no idea if the malware has root privileges on it.

Is there any malware detection software for Android on Linux

Or is there any kind of scan I can do

That's not something I'm well versed in, so I can't give a good recommendation.

The best thing you can do is get a stock image of the device and flash it over using fastboot. Outside of that, you can do a factory reset and hope that fixes it. I wouldn't do anything sensitive on the device regardless, considering the patch level.

Well I guess I messed up

How so?

I got some personal data on device