#cybersecurity

unless you solve the discrete log problem

there is no way to do it

Lol

i will do it

x)

Or make a program who is able to

Because my computer is...

Not a NASA computer lol

do you know what the discrete log problem is

No x)

the problem you have to solve is one of mathematics

not of computation

I’ve only 16yo

Oh yeah

just fyi people have been trying to do this for the better part of 50 years

That is impossible to factories a integer

Its that ?

Wait

My English is bad

and even with super computers factorizing a 1024bit key can take upwards of a year

well yeah for rsa it reduces to factoring an integer

there's no known efficient non-quantum algorithm

the problem is, we can't effectively factor an integer.

and even with super computers factorizing a 1024bit key can take upwards of a year
@lusty flare more x)

combined with the fact the difficulty grows exponentially with key size, it'd be ground breaking to break it on some home computer.

right and that's why you won't be able to do it

eh, no. it's about a year with a large budget and a super computer

Yeah but I don’t use it in my method

it cost like ~$8k to factorize a ~700bit key

eh, no. it's about a year with a large budget and a super computer
@lusty flare not only one computer, more than 1000 and on 100 years minimum

i said super computer.

Yeah

they're basically a building.

Oof

unless you have made a breakthrough in quantum computing in your backyard

A mega giga computer so x)

wait no

you won't be able to do it

maybe one or two people in the world can even consider trying

and itll still take forever

In 2014, WraithX used a budget of $7,600 on Amazon EC2 and his/her own resources to factorize a 696-bit number.

right but this is way more than that...

yup

an extra ~300 bits makes a HUGE difference

we already know this

like there is no way that this person can find ct1

I will do it with $0 :]

well, good luck to you.

Or 0€ because I’m french lol

Thx i will need it x))

i often find that my maths is much better when i try to accomplish stuff with pure luck 👌

accidentally spending way too much money on an ec2 instance

too relatable

that's why i switched to infinite monkeys computing

yeah just start guessing primes

that chance you get it is the same as winning the lottery 100 times in a row

@uncut hill can you give me two 1024 bit prime numbers please ?

what?

I think that I’ve found a new method ._.

Give me two giant prime numbers

bruh if you need large prime numbers just find them online lol

Lol

I need you

:]

Pleassseeeee

Dude 🥺

you didn't find a new method

Yes i do

also it's almost 5 am for me and i have to sleep

Well, for me

Ow sorry guy ._.

Go sleep go sleep

Im sorry, in France it’s 1pm ._.

anyone familiar with pyarmor?

i cant get it to work on linux but it works fine on windows

Is it in your path?

What is a salted hash?

It is an hash that has a random part, so if you hash the same data twice, you won't get the same output

Sometimes the random part is fix, and it is used against rainbow attacks iirc

Aha, thanks

Can you explain how the random part works?

Well, you literally just append a part to the end of the hash, preferably a value you can find again later so you can still check the validity of the hash

Suppose this would be a good place to put this: How should I store a public Google API key in my repo?

Or, really, any API key (from a well known API, that is public). Supposedly, this key would be something that you would prefer to not be easily searchable through BigQuery, as I got a email from GitHub that they detected my key.

I thought about it and maybe just reversing it or running it through a simple encoding would be enough to ensure that it doesn't get automatically picked up - but how should I do this?

You probably shouldn't store API keys in repos, but if you really want to do this, why not just ignore the email?

GitHub won't take the repo down.

The email isn't actually from github

it's from a service that scrapes github

Yea, it's from a GitHub bot

Yeah, sorry, it's the bot thing

or at least that's usually the case

GitGuardian

Actually - I think I've gotten an email warning from GitHub themselves before, forget how

But, yeah, I'm currently just ignoring it and I probably won't run into any issues if I just let it sit.

If it's something you don't want found - store it as an envar, make the repo private, or load it from a parent dir.
If it's something you don't care about - just leave it be! You'll get one initial email and then you won't be bothered again.

Just a little scary being reminded how fast API keys can be picked up, and I know there are certain situations where I have to respond.

@thorn obsidian You think you've found a new way to crack RSA? Do you have a paper, or anything else, on this?

Idk

Because I found it by myself

🤨

I don’t search method

lol

My first method found by myself was to divide by each prime number, method who already exists

Are you just bruteforcing the RSA password?

No Lmaooo

X))))

Okay, you're not really giving any information here.

?

No because I don’t finish the method

I test

Why exactly do you think you've found something that can crack RSA?

But like you know it’s impossible to crack rsa keys

Because i use somes calcul to found the private key

But I don’t have finish it

Mind you, I'm not saying you haven't found anything. I'm just saying that from the outside looking in, it's hard to believe if there's no paper, write up, or general information on what you're doing at all.

and that surely another failure like the previous times

So this involves finding the private key from the public key, using some kind of calculation?

basically yes.

Well, if you get anywhere with it ping me with the results

well, it is not directly the private key, but one of the private numbers used to constitute the private key, but it comes to the same thing.

Well, if you get anywhere with it ping me with the results
@thorn obsidian I will surely fail again, it is no longer a game for me, not really active research in cybersecurity, the methods that I find by myself have probably already been tested

I'm not sure why the ping, but alright.

you have the awful discord quote feature to thank for that

There is zero chance

@uncut hill ?

There is zero chance that our man has an rsa 0day

That's fairly dismissive. You never know.

I mean it's by definition dismissive, sure

There have been instances in history where people have casually solved complicated math problems, so I wouldn't dismiss them right away.

Yeah but this is an open problem that people have been working on for decades

I doubt a sixteen year old who doesn't know what the discrete log problem is could solve it

Sure, which is why it's fairly low that it could happen, but it could still happen.

No need to dismiss someone who wants to learn/look into these kinds of things.

I mean looking into it is great

Then why be dismissive? 😄

lol

X))

I doubt a sixteen year old who doesn't know what the discrete log problem is could solve it
@uncut hill lol I think too x)

it’s 1am I need to sleep, byee

I think looking into how rsa works is great, but going in with the expectation of any remote possibility of finding an exploit is gonna make it frustrating and discouraging

No I don’t think so

I see it more as an impossible challenge to attempt

To expect finding an exploit, sure.

Yeah lol

It’s almost impossible

But it’s a game for me, it’s fun to try, even I know that is impossible

Lol that's all I was saying

@uncut hill can you help me to learn a thing ?

Idk how get the decimal public key from the Base64 public key

Infact I just don't know what this Base64 encoding is, why I don't have the private and public key directly in decimal? and how to get them

(@ping me i will read tomorrow)

hey, i just started to code scripts, my first project is to brute force a two digit password with this code, could this be optimized?

import time, pyautogui as pg
time.sleep(5)

guess = 0

for x in range(100):
    if guess >= 10:
        pg.write(str(guess))
        pg.press('enter')
    else:
        guess_under_10 = '0' + str(guess)
        pg.write(guess_under_10)
        pg.press('enter')
    guess +=1

Mmhh

@thorn obsidian base64 is just a way of encoding binary data in ascii

It typically is useful if you're starting with hex

import base64

base64.b64decode()

pw = int(input("enter a password: "))
For a in range(0,10):
  For b in range(0,10):
    If pw == str(a) + str(b):
      Print("found")
      Print(str(a) +str(b))```

@south geyser

Maybe ?

@uncut hill ok but, when I try to decode it, I not found my public key

What do you mean

Oh you want the modulus and exponent

https://stackoverflow.com/q/3116907/8426826

On the screen, the public key is the modulo ? Right ? well my public key should be 85, but when i decode the text in base 64 i can't find 85

The public key is both the modulus and the exponent

Oh you want the modulus and exponent
@uncut hill yes

I don’t have there

The stuff in the stackoverflow thing I sent is correct

I get this:

What

Don't use that

I turn the base 64 into hexadecimal and into decimal

Don't convert to decimal

Oh ? Why ?

@thorn obsidian yep it works, thx, but i had to put a str(pw) at the if statement so it could compare properly. also im not experienced with for-loops, took me a while to understand 🙂

Try atob() in Javascript

@south geyser look into itertools

Your welcome Tobben 😉

itertools.product(list or string, repeat=2)

I don’t have JavaScript :c

But

Yes you do lol

How do you generate the key

Here give me a second

I'm on my phone

That you gave me

Ok

#cybersecurity message

How do you get them ?

I generated them

How ?

I'll send you the code

In python ?

Or js ?

Python

Ok

n = 22266616657574989868109324252160663470925207690694094953312891282341426880506924648525181014287214350136557941201445475540830225059514652125310445352175047408966028497316806142156338927162621004774769949534239479839334209147097793526879762417526445739552772039876568156469224491682030314994880247983332964121759307658270083947005466578077153185206199759569902810832114058818478518470715726064960617482910172035743003538122402440142861494899725720505181663738931151677884218457824676140190841393217857683627886497104915390385283364971133316672332846071665082777884028170668140862010444247560019193505999704028222347577
e = 65537
c1 = [ciphertext 1]
c2 = [ciphertext 2]
ct1 = pow(c1,e,n)
ct2 = pow(c2,e,n)
print(f'n: {n}')
print(f'e: {e}')
print(f'ct1: {ct1}')
print(f'ct2: {ct2}')

i chose n and e

@thorn obsidian send me your pub key

Base 64 ?

yes

Ok

-----BEGIN PUBLIC KEY-----
MBowDQYJKoZIhvcNAQEBBQADCQAwBgIBVQIBBQ==
-----END PUBLIC KEY-----

So ?

sec

n is 55, exponent is 5

it's asn.1

Nop

n should be 85

no you did 5 and 11

not 5 and 17

5 and 17 gives a different key

?

Wait

also you shouldn't have to deal with this format

there's no reason to convert to base64

at least for your purposes

It give me base64

No fail screen

you dont have to "generate a public key"

you already have a public key

?

your public key is n=85, e=5

Yes

I know

there's no reason to get the asn.1 encoded thing

;-;

The website give me n in base 64 encoded !!

I don’t want too !

why are you using the website

Brkaksznsos’àw

you already have a public key

;-;

you literally inputted two primes and an exponent into the web app

and it encoded the public key in a different format

your public key is n=85, e=5

Mh

Wait, what website are you using to generate keys?

Why are you using a webste to generate keys?

https://merricx.github.io/enigmator/cipher/rsa_keygen.html

Idk lol

It’s true that I can generate it by myself

And I already do it

it's literally

multiplication

you just multiply the primes and you have your public key

I know XD

n=85, e=5 is your public key

il stupid x))))

Yeah yeah

Idk why I do that

Im really stupid ._.

Go die

ssh-keygen -t rsa -b 4096

x)

;—-;

bruh

Nooooo

@thorn obsidian Preferably don't tell someone Go die

:x

Oh

Fail !

what's wrong

(Im french wait )

yeah i feel like you didnt actually mean

"go die"

I wanted to say: go die in the sense of go give up because it's too hard.

Yeah yeah sorry xD

lol yeah I know you didnt mean that

It’s a french expression .-.

Sorry 😅

yeah dont worry, not your fault

i understood from context

what's the expression in french?

Yes it’s my fault

vas meurt?

I have a bad English ._.

vas meurt?
@echo herald no lol

(just curious)

It’s expression to yourself

Like « I’m stupid »

But it mean « I’m so bad, I want to die »

Basically ._.

<<je vais me tuer>> ?

Yes

ah ok

Its almost that

x)

in american english it's "ok, guess I'll go die"

Its like: « life sucks, I want to die 😭😭😭😭😭 »

T’es it’s that

ok sorry i have to go

Lol

Np

just read wikipedia if you want to generate the private key

Me too lol

I already made a python program that did it for me lol

Bye

and also brownie, can you tell me how you went from Base 64 encoding to decimal please? and the program that allows it in python if possible?

I didn't

Just find some asn.1 library lol

X)

Do you guys know any compiler for python files that doesn't automatically get detected by antivirus programs (aka. pyinstaller) that works with python 3.
something that makes executables from python files and doesn't get detected by antiviruses

If its detected like a virus, there is

Btw there exist Cx_Freeze

m = c^(— n-root(e)) (mod n)

;-;

Solved

Rsa method isn’t secure..

||joke lol, this code is fake||

@heady marlin we don't do that here

Do what?

Teach people to avoid AV

God

My app isn't malicious

Its basically a paint copy

U know paint?

Microsoft paint?

Doesn't have to be, but if I teach that to you, someone else can read it and use it maliciously

Can u tell me on dm then?

Not if you're just providing a compiler.

Because i am really hitting a roadblock here

And it is super frustrating how antivirus softwares are so shit

You don't have to be malicious to want to not immediately get flagged by AV.

My assumption is you're just running an unsigned exe, which windows doesn't care for

I haven't signed it yes

How much does it cost to sign it?

Like buy windows license and that stuff

https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool?redirectedfrom=MSDN

@primal ibex thank you! I will look into that tool

Doesn't have to be, but if I teach that to you, someone else can read it and use it maliciously
@brazen seal yes.. like me :]

😂😂

@heady marlin

Do you guys know any compiler for python files that doesn't automatically get detected by antivirus programs (aka. pyinstaller) that works with python 3.
something that makes executables from python files and doesn't get detected by antiviruses
Uh... Why would a Python file get detected in an antivirus program?

You also haven't provided the source code to whatever it is you're asking this about.

@heady marlin
Uh... Why would a Python file get detected in an antivirus program?
@thorn obsidian He means once the installer has made the exe and he tries running the exe, antivirus will delete it. Happened to me too, just make it an exception file. @heady marlin

Can't say I've ever had that issue, which is why I'm curious about their source code.

Ahh ok, happens to me with Norton 360. Idk why i have Norton but probably thanks to a lack of general care when downloading stuff.

Ouch. uBlock Origin + NoScript is a big help in that category

I will have a look but I hope im fine as it is now. I cant tell too much of a performance hit but I haven't tried it without Norton. At idle cpu is at about 4% so I'm happy

Well, I suppose if you're downloading things willy nilly, probably stop doing that. That's a pretty easy way to get infected.

😂I do take more care than the average user

@thorn obsidian it is getting flagged by anti-virus because PyInstaller bundles an interpreter with it, and well, you can inject code through it pretty easily

Nuitka is a good alternative, and it isn't getting flagged by anti-virus afaik @heady marlin

@void aspen Ah, that makes sense. I don't tend to play with PyInstaller much these days 😄 ¯_(ツ)_/¯

Hey there! My Dad is an IT Specialist (has 25+ years of experience), and my cousin said he can track and monitor my phone and what I have on it. I installed NordVPN as that is the safest thing to use, but is there anything I’m missing? Or anything that I can do to further make my data secure? And what exactly can he track, monitor, etc? He has the gateway info from the modem, so what do I have to do? And can he access apps like Instagram?

He’s likewise good at hacking, so what can I do to protect myself

Any tips, ethical hacks, etc?

Please ping me once you see this or DM me

Just don't do stupid shit and he will stop monitoring from boredom, problem solved

@thorn obsidian
NordVPN being the safest is a weird statement. It's not even close, and you've fallen into marketing.
Tracking/monitoring phones is pretty easy if you install something like Prey.
Considering there's no information other than "They said they could do this.", it doesn't give us much to go off of.

@spiral pivot Considering it's their device, I imagine they're free to do whatever they want on it.

Yes but it is not their router

also idt there's much they can do if their dad can mitm

You'd need to do that on the endpoint specifically.

@spiral pivot Routers? I'm talking about their phone

Having information from the modem doesn't do much here, considering they could easily do everything via HTTPS or encrypted like Signal. So, that's why you'd need to compromise the endpoint - the point.

Which considering we don't have much information here, we can only speculate.

lol ... anyone else remember the days before cell phones? those were good days

@brazen seal Not really on-topic for #cybersecurity. Did you mean to use one of the off-topic channels?

lol... it was re: "Dad MITMing my phone", but yeah, the off-topic-ness, i see it now 😄

👍

Re: phone vpns though, I've switched to my own self managed wireguard server. Works well and is easy to automate with py tools

ansible specifically

@thorn obsidian my phone does not have any software or app like Prey or SpyMyKid on my iPhone. Even if NordVPN isn’t the safest, is it enough to not track or monitor my phone / websites I visit?

A VPN is of no use if the device is compromised.

VPNs will only protect your traffic from being viewed by your ISP or anyone on your network. When using VPNs your only moving your traffic and data to another provider instead of your ISP.

You could just flash your phone/reset it, if your really concerned. It's unlikely that whoever you are protecting yourself from has a hardware or bootloader exploit so you'll be fine with a reset. Also double check app settings and accounts where you sync data to the cloud. Because if your data history and stuff is synced across your devices then someone else may have access to this account of yours and potentially access this data.

@thorn obsidian

hey guys im trying to learn javascript im a complete beginner if theres any tips or advice for me it would be really helpful

@untold oar This is a server for the python language, but I guess you can ask in #web-development for maybe a better answer to your question.

@thorn obsidian as long as you don't install a TLS certificate from your dad, you should be totally fine on everything that uses HSTS

there really isn't that much your dad can see

if you want to be totally safe, using a VPN will hide everything from your parents—given that DNS goes through it. there's basically no way that your phone has malware without you knowing, so you're probably fine

Yeah that’s exactly what I was thinking. Since it’s an iPhone, all traffic to accounts like Google are not traceable or can be monitored. I’m using a VPN atm, and also how do I know I have a TLS certificate installed? Does it have to be on my device or on my network? @uncut hill

If you didn't install it on your device you don't have it installed

It would be very explicit

The thing is I’m not sure if it is installed

Is it on my device or on my network?

And how can I check if it’s installed

@uncut hill

It's not

I actually dont know but

This is kinda unlikely

I guess check online for how

Okay thank you

Just curious is it safe to upload a dump file in public or is there personal info on it

@dull frost What do you mean by dump file?

Memory dump I suspect

@thorn obsidian i basically got a bsod and have a minidump log

@wispy laurel Was there a question there?

nope just sharing a thng I made

(sorry rule 5)

!rule 5

@thorn obsidian Glow

ah

we don't discuss stuff like that on this server.

ok sry

and since there's no "offline" version of CS:GO

Never played CS:GO, so was unsure.

um it works on online too ?

that's my point...

@lusty flare it works

cheating is bad. don't do it.

no im trying to learn read-write memory

and made a thing

about this topic

making game cheats is not a security topic

also it's not wise to use a Steam game as your platform to learn on

as Steam comes with VAC

@lusty flare breaking anti cheat ??

that's also not an acceptable topic for here.

Very rule 5

all of this is very rule 5.

ok sry again im leaving

cross your fingers that you don't get VAC'd

👌

Is it true Hashcat is always faster than John with the same password dic?

How can I safely get an api key for my private api and the same time limit it for anyone outside of my program to use the api

@fluid scarab What do you mean for your private api?

My desktop program has an api which is supposed to only be used by the program

So anyone else trying to send a post request will not work

So I need some authentication but not sure how

Well, how are you authenticating currently?

( Also, I'm going AFK for a bit so someone else may need to assist )

Program starts - sends a post request which returns some info and an api key which will be used for all future communications

Now what stops someone else from sending a post request

And get their own api key

I don't know much but if you are a client and server is sending the api key

You have to modify the server to know who you are, and thus only you will be given an api key

How will the server be able to differentiate between a post request from internally in the program or anyone else sending a request

Do you have the code for both client and server?

I want an explanation on how to accomplish this or a link to an article. I don't see how sending the code would help.

The server is just a normal flask api

And client sends a requests.post

you'd need a layer of authentication

so before your server sends data back to the client, it can verify it's a legitimate user

although it would be useful to know ultimately what your goal is so we can provide better advice

A chat app made in pyqt, the server is made using flasks. The post requests are done via the requests library. I'm making some login and the hash of the password and username (not hash) is stored in a postgres database. The url looks something like mydomain/registeruser. Obviously I dont want anyone to have direct access to that url cause they could easily launch a ddos or simply spam it. I will make ways to avoid spam but still that doesn't solve the problem.

There is also an uri for checkexists that I especially don't want in bad hands

you could use user authentication to generate user tokens to access a limited control api?

having a single token/key between all users would be messy.

Yes. But won't the first time generating the user authentication key also require authentication?

well you'd need something open to allow them to register an account, yes

registration spam is a problem that could be solved with rate limiting and the likes

So basically just add many layers to make it more difficult I guess

And yeah rate limiting is something ill add

i believe there are some flask based tools that would help with this a bit

flask-login springs to mind

Mhm

flask-security also

another option could be using OpenID rather than rolling your own

Hmm, I'll look into theese things

But is it better to generate an api key each time when the program launches or save it

( on client side)

Don't know if that's reccomended

Probably store the encryption key in the server then fetch it to decrypt

could be treated as a session token

user logs in, is authenticated, passed a session token which expires after x

Right

@thorn obsidian's hotter at this stuff than me, he'll probably read back up through the chat and offer some better advice when he's about

Thanks for the help, it's appreciated.

np

I'm making some login and the hash of the password and username (not hash) is stored in a postgres database.
@fluid scarab So what you want is cookie-based authentication, and not API keys?

Because an API by it's nature is designed to be used in an automated way

You can set ratelimits and the like, but you need to think of someone completely disassembling your client.

If I disassemble your client, it's not going to matter if I need just an API key, if you hardcode it into the program itself. Whereas if you've got logins, that's entirely different. Logins are tied to specific accounts and can be ratelimited and removed rather easily. API keys can be tied to specific accounts, but it doesn't seem like you want to use an API or API keys in this case.
( emphasis is my edit )

Also, if this is a chat application, have you instead looked at Signal?

Yeah I know about the signal protocol, but I rather implement my own, for both educational reasons and the fact that i'm willing to spend time to get this properly done. It doesnt really matter for me if its cookie based auth or if its based on api keys.

What I personally think of doing is to establish a web socket connection first, because I will need it anyways in the future (for the chat messages), then share a key which the server generates. Then do the same with the request session, so I know have two keys. A combination of theese keys will then be the final key which I will use for authentication. The server will automatically reject any connections which does not provide a valid key.

dont know if this still makes the server vulnerable

to any unwanted requests

Anyone with experience could probably create the same process and trick the server, no?

I just really wanted to know if there is a standard way to do this. How does enterprise desktop apps authenticate with their servers? It must be some kind of standard, just like with tls/ssl..

Wonder something, if you know what 0x41414141 refers to, react with

@fluid scarab I'd personally recommend Signal. Rolling your own crypto - Which it seems like you're not doing here, you're just depending on HTTPS, as far as I can see - is a bad idea.

Which, even if you have HSTS, doesn't defend someone against snooping on a corporate or other network where an additional certificate is stored and TLS MITM can occur.

Which is another reason I recommend Signal, as it doesn't have that issue.

@void aspen do you mean that thing i see in gdb, 0x0000000041414141 in ?? () when debugging python 🙂

Nah, I've heard that this number is known for an old paper about buffer overflow, and most security researchers know about it, so I wanted to test that

Lol yeah that is what i ment, i was simuntaniously implying that Python has a bof

And to add to that, 41414141 is more of a proof in modern days that you can control code flow

hi guys what are some basic python commands? no matter what i type on the command prompt nothing happens. please help thank you!

first type python on the command prompt. that will drop you into an environment Called the python interpretor. there you can type python commands. you can type print("Hello World!") as an example of a python command. After that, i suggest you get started with some beginner python series to get you up and running with python syntax. @untold oar

!resources Not really #cybersecurity related. Have you checked out our resources?

0x41414141 is a series of AAAA

If you can put that in a place where it's not supposed to be it's probably a security problem

@quick hollow thank you so much for the help!

@untold oar please ask your questions in #python-discussion else your messages will be deleted by the mods because they are not related to the topic of this channel

@thorn obsidian isnt this topic on python? i asked a python related question so how is in not related to the topic? like what the fuck i dont get this shit anymore i thought this would be a discussion page about python!

@quiet viper please help

@untold oar We have a general discussion channel, off-topic channels, topical channels and help channels. Please note that you need to stay on topic for said channel if you wish to stay here

See the description of the channel you're in to get an idea what it's supposed to be about

thank you Sir

Yepper pepper

okay so what did i do wrong?

isnt this a discussion on python?

i was looking for help and i asked a python related question

This channel is specifically for security related stuff.

oh gotcha

well i apologize

If you need help with a Python code or what have you, you'll want to open up a help channel

See #❓｜how-to-get-help for more details on that

i want to get to the security part of it but im still new

It's an interesting topic, most of it is way over my head

im sorry, im new at coding and python didnt realize alot of people here are more advanced

it's okay

Not a problem! The server is fairly complex as it is. Lots of channels, which can certainly be intimidating. I hope you enjoy being here

@opal cairn Not something we'll assist with

!rule 5

Specifically violates rule 5, which is breaking ToS in this case. Most sneaker bots are. It's also not the right channel as it has nothing to do with security.

Is this the place where we can talk about ..... “The incident” ?

Sure why not

Was there another one?

seems like it

it’s honestly kinda annoying that I get pinged what seems like every 5 seconds from this discord

would you reccomend sha256 or sha512 for password hashing?

i prefer 256

neither, use something designed for passwords like Argon2

In order from most to least preferred it would probably go Argon2 > PHC special mentions > PHC finalists >> scrypt ~ bcrypt > PBKDF2 >= SHA Crypt >>> Some iterated salted hash >>>>>>>>> Plain SHA, either one, whether you salt it or not.

The difference is the attacker being able to try a few trillion passwords a second or a few thousand.

which is better to use? pyjwt or TimedJSONWebSignatureSerializer from itsdangerous in a flask project

and Argon2 it's more complicated to use instead of bcrypt? an example please

@thorn obsidian

would you reccomend sha256 or sha512 for password hashing?
I wouldn't use either - Argon2 like the others have said - https://passlib.readthedocs.io/en/stable/lib/passlib.hash.argon2.html

@severe badge It's very easy, actually. The above URL will explain it

It doesn't get much easier than the example they give

>>> from passlib.hash import argon2

>>> # generate new salt, hash password
>>> h = argon2.hash("password")
>>> h
'$argon2i$v=19$m=512,t=2,p=2$aI2R0hpDyLm3ltLa+1/rvQ$LqPKjd6n8yniKtAithoR7A'

>>> # the same, but with an explicit number of rounds
>>> argon2.using(rounds=4).hash("password")
'$argon2i$v=19$m=512,t=4,p=2$eM+ZMyYkpDRGaI3xXmuNcQ$c5DeJg3eb5dskVt1mDdxfw'

>>> # verify password
>>> argon2.verify("password", h)
True
>>> argon2.verify("wrong", h)
False

Thanks, i saw many packages with argon2 in name and i was a little bit confused, that's why i asked for a example

Glad to help

@thorn obsidian thanks, that looks pretty neat

@thorn obsidian 😄

I made a user friendly audio steganography encoder and decoder in Google Colab

https://colab.research.google.com/drive/1IivCTimv8npSxfV2c8no9nhlBi78GVEf?usp=sharing

please give criticism

and ping me if u do

@everyone

https://thehackersbrain.pythonanywhere.com/blog/directory-bruteforcer-using-python3-introducing-dirhunter/

!warn 744982233831571567 "please review our rules regarding advertising and do not try to ping everyone "

:incoming_envelope: :ok_hand: applied warning to @terse plover.

I'm confused, this is a channel for Security: is that solely the white-hat perspective or can we discuss penetration techniques, privilege escalation, implementations of exploits, etc.?

white-hat perspective

we don't allow discussion of offensive techniques here

if you are interested in that there are other excellent servers for offsec

If you have any recommendations I would be interested. Just curious. It's an important topic to study given the inherent insecurity of our day-to-day tech

you can't defend without knowning how the attack is done 😉

yes you can.

How are you going to stop a cyber attack if you don’t know how or where it’s coming from @lusty flare

-_-

you don't need to know how an attack is being perpetrated to actually stop it

do i need to know how to conduct an amplified DDoS attack to know how to stop it at the premises firewall?

Give me a reason why you don’t have to know how the attack is happening to stop it

or that i should do proper rights segregation in an active directory environment to stop people pivoting from a low level compromise to a high one?

Your not answering my question lol

if i'm getting shit loads of traffic coming into a firewall from dns servers i can guess that the firewall is being ddos'd and i should block that traffic

it's not rocket surgery

why would i need to know how to conduct that attack to stop it?

the majority of hacks or attacks that happen to corporate networks are the lowest hanging of fruit we should be preventing by proper management in the first place

Bruh

Why are u so defensive lol

And

You make no sense

uh huh....

You have to know how an attack is happening or you won’t know how to stop it

Smh

that doesn't mean you need to know how to do the attack

christ.

😂 no one said that

Sped

I said how to stop it

😭😭

Keep up

[12:58] Dalist: you can't defend without knowning how the attack is done 😉

you can 100% stop an attack without knowing how it's done.

Are u ok?

Ur so dumb

thanks.

😭😭😭

Your very welcome

so i take it you work in networking / security?

No, it’s called common sense

right... of course.

i'll just take my years of experience and throw it in the bin then

and use your common sense.

U should

Yes

waste of my time.

Lol ur so salty

Go cry to ur mom bud

you're being weirdly offensive and i'm not sure why.

not a good look.

How am I “weirdly offensive”

😂😂

Ppl like u are fun to talk to

Isn’t this a waste of your time?

i mean you've called me dumb, told me to go cry to my mother, it's at the very least impolite and worst fucking moronic.

Shouldn’t you be doing something

Aww

Looks who’s mad

😂

i'm cooking a cottage pie. the beef's simmering.

Good pub

Pun*

😭😭

Gone silent have u?

!tempmute 696530032889430026 7d Apparently you don't like respecting other users. When you joined this server, you agreed that you read our #rules. How about you take this time to reread them.

:incoming_envelope: :ok_hand: applied mute to @thorn obsidian until 2020-09-13 15:28 (6 days and 23 hours).

heh. i wonder if he knows what an intrusion detection system is.

you can stop an attack without knowing how the attack is done. 🙄

oh well, back to the pie.

Why do you always have such tasty food :/

because i cook it. recipe in ot2. ¬_¬

what the hell was that lmao

that was ridiculous

proceeds to throw a fit

seagull

why are u so defensive

lmao

hello everyone
im not an expert in web dev...i use django framework and im doing pretty good progress
so i started thinkin about some advanced things like blocking bad usernames in signup form
i wanted to create an api to do that in django
what i need is maybe simple explaining on how to do that

What do you mean by bad usernames?

Racist or other questionable names? XSS/SQLi attempts?

like racist and swear usernames

Outside of a regex filter, not sure. Not something I've ever really had an issue with in anything I've built.

oh

Curious of other's input though

i had an idea of like

creating a list of lot of bad usernames (basically database)
then if when u click the sign up button,it will check if the input is a badword listed in the badwords database and if so it will pop up an error

Well, if you wanted to block "BadUser", what's preventing someone from putting in "B4du53r"?

or something like b4d|_|$3r

It's why I'm curious of other's input

i think a lot of websites suffer from bypass usernames

Oh, no doubt. If anything it's probably a good indicator to not associate with those types

well

u can still uh

disable symboles

mb if not spelled right

disabling these !?.z|\ / and so

from username

You could, sure

If you blocked "BadUser", they could also put in "BaadUuser"

These are just concepts, and why it's complicated to police usernames.

online theres ton of nowadays bad and swear and racist usernames lists

u can use that

oor

use a google api

to do all the job

Google API? Not sure if Google has something like that

google vision api has a image nsfw content blocker sooo why not usernames

im sure theres an api related to blocking these types of usernames

I'm unaware of one

i mean there should be a way

i need to study these

Probably is, tbh

Does anyone here know cybersecurity?

Uhm cybersecurity is a very broad topic, wanna be more specific?

Mmm I don't know, I'm new to this, I think hacking

the best way to learn white hat is to look at tutorials plus do ctfs etc for practical experience

@thorn obsidian

I can send some good practice ctfs/wargames if you're interested

Yes please

And thanks for the explanation and help

overthewire bandit + natas are good for beginners

also picoctf

is simpleeval safe?

it looks safer than eval

Troy what do you need? ast literal eval might be better

simpleeval is module that utilises ast eval

what is the best way to do database encryption, I need to encrypt the data and I wonder what is the best approach, just specific fields, everything, etc. I know it must be done by professionals, but in this case it doesn't matter because it's just personal curiosity, one approach i saw was encrypt everything and hide the key but then search would be impossible?

Hey guys, if you use challenge based auth, you have to store clear password on your backend, right?

@void aspen

No, whats sent to the server is twice hashed

What should I be using for hashing passwords?
This Passlib ReadTheDocs page has a few you can use.

How do I hack this site?
Check #rules, because that's not something we're going to entertain here. #cybersecurity is a whitehat-only channel.

What do I use for encrypting something?
• For Full Disk Encryption ( FDE ), LUKS ( Linux only ), VeraCrypt, or Bitlocker.
• https://cryptography.io/ is incredibly helpful for non-FDE purposes.
• This PostgreSQL docs page on encryption options if it's related to a database and the contents within

https://thehackersbrain.pythonanywhere.com/blog/random-password-generator-using-python3/

How do I start Security for Python

Wdym

@thorn obsidian That greatly depends on what you're defining as security

true

@thorn obsidian ik that pfp hehe

Okay. Anyway, what do you mean by security? What are you wanting to learn?

@sudden nebula I've got an issue with your post

https://docs.python.org/3/library/random.html specifically states:

Warning

The pseudo-random generators of this module should not be used for security purposes. For security or cryptographic uses, see the secrets module.

https://docs.python.org/3/library/secrets.html

yeah

you can use os.urandom for this type of thing

I prefer secrets, tbh

Also all is a reserved word in Python

eh its technically not reserved

but shadowing builtins is a bad idea

See also
The secrets module provides higher level functions.
from https://docs.python.org/3.8/library/os.html#os.urandom

Ah yeah, builtins. Couldn't think of the word

yeah secrets might be better

is this related to cyber security? (i mean pen testing and ethical hacking)

Did anybody ever benchmarked os.urandom vs secrets?

I'd be curious about the result

@dry star this?

Best method to generate a secret key for an app?

@severe badge https://docs.python.org/3/library/secrets.html

specifically the "generating tokens" section

ok, thanks

and it's enough to generate it one time? or every time when i run my app?

What are you using the secret key for?

How to implement auto login. All accounts have an account-token and its stored in an encrypted form in server. is it safe to store it in client side then fetch the decryption key cause its over tls anyways

or should I store it somewhere in registery

along with username

think plain text file is good its clients fault if someone gets access to his acc

hol up

plaintext?

the token isjust used to verify to the server that the correct person is sending the requests

the only bad thing that could happen if ur token is leaked is that someone can see ur msgs

yeah so its basically a password

ur kinda screwed if someone has access to ur pc in first place

yes

what if your db gets leaked

then im screwed

yeah

that's why you don't store secrets in plaintext

hash it or something

its encrypted

uh

why can't you just hash it

all things on server r encrypted

if someone leaks the encryption key you're still screwed

tokens needs to be decrypted

yes

if key is leaked

then im screwed again

don't really know much about account tokens, but based on password best practices, that's a terrible idea

How to implement auto login. All accounts have an account-token and its stored in an encrypted form in server. is it safe to store it in client side then fetch the decryption key cause its over tls anyways
@fluid scarab use Diffie-Hellman

wait

are you trying to decrypt it on client side

wtf

@fluid scarab

@thorn obsidian how would diffie hellman help in this case

@fading plaza it's stored encrypted in client side. So yes, I need it to be decrypted.

But I think it would be okay to store it as an unecrypted form on client side.

no no no no no

if you're sending the decryption key to the client

then they don't even need to leak the key

just a database leak and you're screwed

Hey everyone, not sure if this is right channel for my question but I'm pretty sure u would let me know. Im trying to create bot that logins to site(NIKE.COM) using requests, tried to copy all workflow that happing from opening site to login to account, and I'm getting denied from server, im pretty should that i going something wrong with cookies but i have no idea what. If anyone know anything about this can could give me a hint, i will be so thankful!

@opal cairn I think it would be easiest to have some selenium code that logs into nike.com. Then once you verify that you're logged in with selenium, you can copy over the cookies/headers to your requests session to continue on with whatever workflow. session.cookies.update({x['name']: x['value'] for x in driver.get_cookies()})

Hey everyone, not sure if this is right channel for my question but I'm pretty sure u would let me know. Im trying to create bot that logins to site(NIKE.COM) using requests, tried to copy all workflow that happing from opening site to login to account, and I'm getting denied from server, im pretty should that i going something wrong with cookies but i have no idea what. If anyone know anything about this can could give me a hint, i will be so thankful!
@opal cairn make sure that you use custom headers. python requests uses headers that can identify the request as coming from an automated source and might block your request. Try comparing the browser request and python request in burp and try to make them as identical as possible.

also i'd read the nike.com ToS and make sure that automation is allowed

!rule 5

We actually have a tutorial about sneaker bots, you should check it out https://youtu.be/NNZscmNE9QI

so good.

one of the largest sources of 404 http responses on the work webserver is indiscriminately aimed sneaker bots. so dumb.

Nice. >.>

are there any library for python networking security?

i am making a multiplayer game

the best thing to do i think

https://thehackersbrain.pythonanywhere.com/blog/random-password-generator-using-python3/

@shell charm You'll have to be a bit more direct. What do you mean?

@sudden nebula You posted this before, have you changed anything about it?

@sudden nebula I see you're still using random. I sent you some messages in regards to using secrets instead. Did you see those?

@thorn obsidian nope

https://docs.python.org/3/library/random.html specifically states:

Warning

The pseudo-random generators of this module should not be used for security purposes. For security or cryptographic uses, see the secrets module.
https://docs.python.org/3/library/secrets.html

now i see those.

thanks

👍

@thorn obsidian i am making a multiplayer game, so i need to do networking. i just dont know how to do secure networking, i dont want anyone to send their own signals and hack the game!

Do i need external security while building web app with "Django and Angular"???

I still don't understand, why everyone cry so much over having someone else's public IP. It's one of the easiest things to get, and what can you do with it to someone? Dumb kids and teenagers keep crying over it in gaming all the time and I truly don't understand them. They threat people "UAG I HaVe yoUr Ip CrY MoRE" and like, what? They don't even know what an IP is... okay let's assume they give it to some people, but like, getting someone's PUBLIC IP is one of the easiest things there... so what can you tell me about it? What can people actually do with it? How serious is this and how dumb are they being?

having someone's ip isn't an issue. It becomes an issue when something is exposed on that IP (for example a router web panel), at which point a targeted attack could be conducted

okay that's good to know, thanks

at least some basic knowledge

Could ddos you, unlikely to actually have them attack your router manually if it's just like

Some angry kid

But ddosing is hardly uncommon

Ddosing is boring though

Okay. Anyway, what do you mean by security? What are you wanting to learn?
@thorn obsidian mainly just protecting myself

or hacking myself for fun

if that's possible

Could ddos you, unlikely to actually have them attack your router manually if it's just like
@woven gazelle you'd be DDoSing their service provider, not their home connection...

It's certainly an issue with online ganes

Particularly if you've port forwarded

Or NAT or whatever

@thorn obsidian https://cheatsheetseries.owasp.org/ Have you seen this? This is a pretty good starter to the concepts/ideas.

If I need to store something on client side where would be the best place to store it. It's not that sensitive information and it couldn't harm the software globally but modifying that file could bug the program and make it unavailable, which I don't want.

You say client side, is this a website?

Nop, desktop app

@thorn obsidian thanks

https://www.scribd.com/document/474476570/PQC-Overview-Aug-2020-NIST

Back in July, NIST selected third-round algorithms for its post-quantum cryptography standard.

Recently, Daniel Apon of NIST gave a talk detailing the selection criteria.
The scribd link is the talk.
https://www.nist.gov/news-events/news/2020/07/nists-post-quantum-cryptography-program-enters-selection-round from back in July

who has AttributeError: module 'nmap' has no attribute 'Portscanner' error? i uninstall nmap and instal python-nmap but didn't fix

s should be capitalized @gilded glacier

was doing some testing with some new modules for my discord bot with the example code

from google_images_search import GoogleImagesSearch
from io import BytesIO
from PIL import Image

gis = GoogleImagesSearch('google token', 'project_cx')
my_bytes_io = BytesIO()
gis.search({'q': 'puppies', 'num': 2})
for image in gis.results():
    my_bytes_io.seek(0)
    raw_image_data = image.get_raw_data()
    image.copy_to(my_bytes_io, raw_image_data)
    image.copy_to(my_bytes_io)
    my_bytes_io.seek(0)
    temp_img = Image.open(my_bytes_io)
    temp_img.show()

obviously with the token and cx replaced and it was using urllib3 and it was giving some https warnings, to urls that shouldnt have been getting requests, errors below trimmed for char limit:

Warning (from warnings module):
  File "C:\Users\Matth\AppData\Local\Programs\Python\Python38\lib\site-packages\urllib3\connectionpool.py", line 981
    warnings.warn(
InsecureRequestWarning: Unverified HTTPS request is being made to host 'd17fnq9dkz9hgj.cloudfront.net'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings

Warning (from warnings module):
  File "C:\Users\Matth\AppData\Local\Programs\Python\Python38\lib\site-packages\urllib3\connectionpool.py", line 981
    warnings.warn(
InsecureRequestWarning: Unverified HTTPS request is being made to host 'www.dogtime.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings

anyone got any experience with these modules or the reason theyre sending requests to strange urls

one of them could reasonably be image related but the other one is a dead site

@vagrant horizon Considering these probably aren't official packages, or using valid APIs, I wouldn't suggest using them to begin with.

Considering they're probably malware.

gonna go clean install python cause i had a feeling you were correct

guys is it okay if my web site uses token based authentication from django rest framework instead of JWT based? it feels to much work trying to implement it atm.

yeah

jwt is not the only auth token you can/should use

yeah
@fading plaza yeah to what?

jwt is not the only auth token you can/should use
@fading plaza I'm aware of that, but django rest framework recommends jwt doesn't it?

idk

Hello everyone, I created a website that accepts images. When an image is saved, it's filename stays the same.

I'm wondering if it's vulnerable to keep the same filename. Note that the filename is saved in a database. And the image can be viewed online in HTML.

https://xkcd.com/327/

what really is SSL / TSL, and if i do socket connections using it, what am i really doing then?
are my connections safer?

SSL and TLS are only really used with HTTP (HTTPS) in everyday usage (by developers)

It's a mechanism of encrypting a connection without needing to send the encryption key beforehand

You can probably read a simple explanation with diagrams more easily than someone here can explain it, at least for the basics

can i use it for sockets? i saw a stack-overflow question on how to use ssl for sockets

so i am wondering, if i use it for sockets, are the connections safer?

@woven gazelle

Well safer how

And what kind of socket

socket module

and by safe, i mean more protected against hackers

just safer for networking

Well but how

If you don't have any encryption, anyone could read and probably fake messages

yeah

so i would need something like ssl?

thats what im trying to say

i need to encrypt the stuff

can i use ssl / tsl for it??

@thorn obsidian how are you saving it

if you passing directly to os.path.join or the like

then thats vulnerable to lfi

is this where we become ultra uber haxors?(obviously this statement is a joke)

hey, @thorn obsidian !

@thorn obsidian I've been AFK, mostly taking the day off. Was there something you needed?

SSL and TLS are only really used with HTTP (HTTPS) in everyday usage (by developers)
@woven gazelle TLS is very commonly used for all sorts of web applications communication, not just https

sure but as a new-ish python dev

that was what i was trying to convey

that's where you'd meet it

aye

am just being a pedantic prick, do ignore

https://www.zdnet.com/article/irs-offers-grants-to-contractors-able-to-trace-cryptocurrency-transactions-across-the-blockchain/

tracing Monero

I mean, the feds have been trying to do that for ages

I don't think a $0.6M grant would help imho

Why wouldn't it be possible

if you passing directly to os.path.join or the like
@fading plaza

I'm saving it from pillow

@thorn obsidian then they can put a file anywhere on the filesystem using ../

I check if it's "jpeg". I resize it using pillow. I create the path with os join. I save it.

@fading plaza

ok

if my filename is "../.../../../../../../../../../../../../../../foo.jpg", you now have a random jpg in the fs root

@thorn obsidian

and how do you check if its jpg?

Mmmmm. Vulnerable, but not disastrous. Right?

file extension or file magic

and how do you check if its jpg?
@fading plaza
I split it with "." And check the latter part if it's equal to "jpg". I just realized it's so damn vulnerable

https://stackoverflow.com/questions/6803505/does-my-code-prevent-directory-traversal

idk if pillow checks file extension or not

because if it only checks file magic

then they could possibly upload some random non jpegs

I will check that...

Thanks alot

I mean using Pillow is more insecure than lfi lmao

You should be pretty safe on newest Pillow version but i know that there are atleast one unpatched BOF which also is pretty trivial to find

all my old shitty joke projects keep emailing me with pillow security warnings

Lol

Yeah lol

I can probably make it spam with one more because there is one semi-known unreported bug

He guys, i know i shouldn't ask this question here, but what does that mean?

Alas, my friends, forgive me my incredulity, for I have been duped by the nefarious Asal

Is it an insult

My English is not native...

Alas, my friends, forgive me my incredulity, for I have been duped by the nefarious Asal
@thorn obsidian
?!

After that, "Cowboys for life"

Wtf

Anyone used this thing yet?
https://blog.jetbrains.com/pycharm/2020/09/finding-and-fixing-python-vulnerabilities-in-pycharm-with-snyk-s-new-plugin/
asking cause, it ain't working for me on a flask project

Snyk's been a thing for a while, surprised it's on PyCharm now though.

https://lgtm.com/ exists as well

I can create an antivirus with python and what modules do you recommend or do you recommend?

Thanks @thorn obsidian, is this how most people find and report CVE(s) or vulnerabilties? because I see a lot of folks tweet about a new CVE every now and then...

I can create an antivirus with python and what modules do you recommend or do you recommend?

wait nv

i can't read

Hi everyone!!! I am trying to install lanscan on Kali 20.3 using pip (I could not find conda installation) and it fails. Is lanscan a standard tool for network scanning in python or there are better alternatives?

I have never heard of lanscan before

nmap has several community Python modules for interacting with it and manipulating results, why not use that?

Thank you so much!!!

I've used this one

https://pypi.org/project/python3-nmap/

I found lanscan through googling lol

@thorn obsidian you still interested in the answer?

i would translate it as 'sorry friends, forgive me for not believing, because i have been fooled by the evil asal'

although it's all written in a kind of posh old voice so probably very jokey

@woven gazelle is it an insult?

wouldn't say so but it's like

well it's a weird thing to say so i assume it's a joke

could be meant insultingly if they're being sarcastic about you fooling them

It's a joke

ye

i guess you'd say it's insulting if you interpreted it completely literally but

really doesn't seem like it's actually meant that way

Maybe

@hidden saffron What are you trying to use it for? Seems strange to use Kali for that.

@thorn obsidian We want to build a personal RPi device that will report status of my network using LEDs. Kali was just the image my friend was running during package discovery phase

What statuses are you looking for?

Since you're using LEDs, I imagine it's nothing very advanced.

if every devices' MAC address on the network is in the white list, light green LED, else red LED

very simple))

Couldn't you do that within a MAC address filter on the network itself? Also, mind you, MAC addresses can be spoofed.

Just seems like you could do an inventory of all devices and then setup a whitelist that way.

We are doing it more as a learning opportunity. Just started with Security))

You could go further too, and setup a Pi-Hole and use it as the DHCP. Then you can set static IPs and pay attention to when each device connects/disconnects from the network.

I don't see a case where you need to use nmap.

Pi-Hole?

Let me check it out))

Pi-Hole is neat

https://pi-hole.net/

You can actually install it on your Pi too

@thorn obsidian thank you!!! This is a very interesting solution))

We will incorporate it into our work

👍

help anyone please

don't ask to ask just ask you question @red mirage

Pi-Hole is neat
Yeah pi-hole is pretty good. Its a shame my ISP stock router doesn't allow me to change the DNS.

Hey @thorn obsidian!

hmmm

plane b

If you can't set a custom DNS, then maybe you can disable DHCP and use pihole as your DHCP server

Or just manually set DNS for your devices to point to pihole rather than doing it at the router level

HI does anyone now how to decrypt a SHA256 hash in the hashlib library? I have tried a craptone of methods on the internet and I just can't work it out

Thx

@thorn obsidian you can't

decryption is impossible; the only thing you can do is guess and check

HI does anyone now how to decrypt a SHA256 hash in the hashlib library? I have tried a craptone of methods on the internet and I just can't work it out
@thorn obsidian hashes are one way functions

you can't "decrypt" a hash

I literally said....

@thorn obsidian if you are doing it to encrypt/decrypt messages or similiar use rsa/aes

Hash:
Message ——> [Hash]
Message <-❌- [Hash]

Encrypt & decrypt rsa method and other:
Message ——> [Crypted message]
Message <—— [Crypted message]

anyone here work in cyber security?

I'm trying to find a way to store passwords safely and properly. How can I do this? I'm obviously not going to use plain text but I'm not too sure what exactly to do

hash it

let me find the sec.se post

https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords

Kinda outdated tho

I think argon2 is new

@astral crag

ok thx

So, i've never done anything with security, but i think it'd be fun to make an IRC, that is as safe as possible, etc etc.. I know about the whole idea of a public key and private key, that makes it nigh 'impossible' for an attacker to read messages as a middle man, unless he acts as a middle man between a server and a client from the very start, though i understand that the public key must be something that makes it hard to decrypt the message unless you have the private key, i'm not sure how i would go about that.. I also don't want to just.. use a static key, for the client, so the idea was to somehow generate a key from stuff that is specific to that one client, kind of like how randint uses processes and other stuff i think, but i'm also not sure about how to go about that. Also, i found the criptography module, but i was wondering if that was the gold standard, or if i whould use something else.

can someone help me convert python script to exe file

Hi, I have open end question. I just don't know any examples of where this is the case.
Give an example of a situation in which you would not implement a security program, even though the threat was real, and impacted your business on a regular basis.

i figure the answer is probably never

it could be expensive

That would be an ip logger <@&267629731250176001>

alrighty then

!ban 611032279103307798 you don't seem to have any respect to our rules, and trying to tell them to you seems to lead to baseless threats. Get out

:x: User is already permanently banned (#12738).

Ah

Good

thanks for the heads up @mighty bison

can someone help me convert python script to exe file
@hexed basin there is a library named cx_freeze for this.

https://cx-freeze.readthedocs.io/en/latest/

Whats the best encryption module in your opinion and why?

method**

cryptography is good it is actively maintained by community. And it has implementation of all cryptographic Primitives

I have used it in my internship

But for encryption I have used pycrypto. But it is not maintained by community actively

if you hash all passwords you store, and a user forgets theirs and asks for it, you can't get it back can you?

no you can't, that's the whole point of hashing lol
so what you offer instead is password reset functionality

any service that gives your password back when you've forgotten it should instantly be dragged on twitter

because it shows they're not doing security properly.

https://plaintextoffenders.com/ relevant

ok that's good

so.. i figure that for just a project i'm doing to try out my hand at encryption, security etc, for password reset i could just email a code that has to be entered, that's good enough right?

https://www.troyhunt.com/everything-you-ever-wanted-to-know/ might be useful

Can anyone verify this:
https://www.exploit-db.com/exploits/47879 ?

why can't you run the poc yourself @obtuse harness

because I don't want to, instead I am asking for an easy answer from someone who already did, sit in a corner and wait @fading plaza

bruh

I mean it's a cve

Meaning it's definitely been verified by others

Yes it was verified, but I am asking why it would be risky?

did you read the cve at all

by verifiying I meant, what type of attacks are possible by using it since I haven't worked with django and why logging with username instead of email makes it an issue

that's the reason I am here @fading plaza, did you think I would still ask and stare at this chat if I already knew what was going on?

attackers can abuse unicode normalization to send a victim's password reset to themselves

allowing attacker to reset pwd

Now that gave me a little motivation to check that for myself. Thanks. kek

@obtuse harness all you have to do is use a more recent version lol

kek @uncut hill

Meaning it's definitely been verified by others
@fading plaza there's no "verification" process for getting CVE IDs

anyone can do it

Yeah the cve bar isn't super high

If you make a piece of software but find a vuln you can get a cve

out of these, I've had to "verify" exactly 0

https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=neonsea&search_type=all

peer reviewed cve's when

Any cool security/web security related project ideas for intermediates?

can u learn cybersecurity through windows?, if u have an answer pls ping me

There is no reason to not being able to learn Cyber Security through Windows. But you're most likely going to use Linux/other Unix OS' at some point of your career, so it might be worth learning it early.