#cybersecurity

wsl is helpful for windows users

@raven heart

what is wsl

@fading plaza

google it

let's you run a linux distro on windows

without a traditional vm

well my pc is so bad that it probably cant handle that

so back to my og question

it's pretty resource efficient

not a vm

let me look into it

otherwise you could use cygwin

which is just a bunch of linux tools ported to windows

or, y'know, just install linux

cant, pc too garbage

Wot

Are you running Windows 98 or some

Something

Linux is way less resource intensive than Windows

Are you running Windows 98 or some
@woven gazelle nope I am running on windows 8.1, intel i3, 4gb ram, 2.4ghz,
The windows is broken when i use sfc scan it says i got corrupt files and those files cant be fixed
I tried installing parrot os in VM, but it made my pc so slow that I couldn't do anything else

my discord application does not work and i got java issues

¯_(ツ)_/¯

so windows is my only option and I wanna learn some basic CS stuff

now

what do I do?

Don't use a VM

Dual boot into Ubuntu or something, should be fine

how u dual boot?

But you don't need to worry about OS really any way

oh u dont?

You can find guides on how tos et it up

Not really

A VM is very resource intensive

Certainly not something to worry about when you're just a beginner

Although, maybe we should move to off-topic

ohhh, I see

#ot1-this-regex-is-impossible ?

I just saw this video:
https://www.youtube.com/watch?v=bknybcgfjAk
which explains that we can use buffer overflow to get access to memory that we shouldnt have; creating a large strings of A's
My question is: Why does it have to be A, cant it be any other letter?
Whats the significanse of using A and not B?

please @ me

you can use anything

@green ember

Hey, I guess its also a good Channel to ask the following question: Is it possible to change the ip adress in A-Record by strato with python. In generall my public adress is changing everey two days and I dont want to pay 50€/per Month for a static one. Maybe somebody got an other Idea, let me know. thanks

Not sure if strato provides an api

But have you thought about the dns propagation time?

After you change the dns settings it will take some time to propagate through all the dns servers, so there probably will be downtime between dns record changes.

@nocturne bay probably a better idea to do dynamic ip dns

i dont found a strato api for this case @flat wharf

can you recommend a service? @woven gazelle

well dynamic dns is a thing that lots of providers might offer

https://www.strato.com/faq/en_us/domain/this-is-how-easy-it-is-to-set-up-dyndns-for-your-domains/

@woven gazelle so in summary i can setup a client at my server, which gets the new public ip and it updates from itself?

@woven gazelle that workes pretty well with the fritzbox. thak you for you tip

@fading plaza so that specific number isnt at all important to hackers... what a clickbait. Thanks

lmao is that 0x41414141

Whats the significanse of using A and not B?
@green ember it can be anything, A is just something people commonly use

when i'm doing pentesting, I use special tools which create unique patterns so I can later find which offset starts overwriting registries

0x414141 is easy to spot, but you can't actually (easily) use that to figure out how many bytes exactly you need to start overwriting certain memory regions

from pwn import *
...
#r.sendline(cyclic(1000))
r.sendline("B"*cyclic_find("aabb") + "AAAA")

yep, pwntools

hi

can I do a question is not with python

but is from the laptop

???

pls I need help

what?

dont ask to ask

You want to make a question about your computer not python?

You can

People are willing to help

But use Google Translate please

@vast sundial

F(143)=[11, 13]

F(3627199392919381816101049104774104810104810391)= ?

how do public apps hide api keys while letting the app users use the app?

I am using the imgur api to upload images
Is it ok to give all the clients the client ID and client secret?

Usually public apps connect to a web service that has the api keys. The public app just points to that web service

I'm not sure that what I have is an api key

It's a client ID and a client secret

So App (Upload) -> Your Web Service (Upload with Secrets) -> Imgur API

If you have a client id and secret, that is most definitely OAuth - https://apidocs.imgur.com/#authorization-and-oauth

So what do I do with it?
Can I just give it to everyone?

Never a good idea to put secrets in public apps. Personally I wouldn't.

So what else should I do?

I am searching for a free service which let you uploade images

This is the only one I found

I would recommend using one of the "Python Help" channels to ask for this

If I’m just starting out what OS should I use?

Suggestions/personal preference. I’ve looked into kali but they plaster it’s not for beginners, feel like I should take their advice lol

What kind of thing do you want to do

And how much experience do you have already

Eventually pen testing. I have none, which is why I decided not to go with Kali. I currently have ZorinOS to get familiar with Linux.

can someone tell me how to install windows 10

please

Suggestions/personal preference. I’ve looked into kali but they plaster it’s not for beginners, feel like I should take their advice lol
@fathom drum I always thought kali was for beginners.

reasoning was that relevant tools are already installed in it

so a beginner to linux, who does not know anything about downloading and installing packages and setting up the tools, can get a quick start

yo

hey

I can work my way around install packages. I'm thinking I should switch to parrotOS as an intermediate between Kali and ZorinOS

I just saw this video:
https://www.youtube.com/watch?v=bknybcgfjAk
which explains that we can use buffer overflow to get access to memory that we shouldnt have; creating a large strings of A's
My question is: Why does it have to be A, cant it be any other letter?
Whats the significanse of using A and not B?
@green ember A bunch of 14's is easy to look at, and its just a preference, it can be anything but many people use A because 14 is easy to remember

@cosmic monolith 41

oh my fod i just started reading the text messages

*god

man you guys are way ahead of me in pentesting / ethical hacking

and here i am thinking i am good just cuz i can spoof networks

Guessing this might be the place to ask - if not please redirect:
Hello 👋 . I am working on building a LinkedIn bot to just post interesting articles on a page. I am confused about how to actually authenticate to the service - it uses a Oauth2.0 rest api which I am not familiar with. Has anyone done a similar usage for it? I have the client_id and client_secret.

quick question ,how do you convert a hex string to binary in python3?

That's not related to security. You should claim a help channel to ask that question #❓｜how-to-get-help

This website calculates the time it takes to guess a code using a brute force method. What is the rate of guess that they are using? Like how many guesses per second?
https://random-ize.com/how-long-to-hack-pass/

what is a recommended way to get started on security features in any topic?

I’m good. Almost 5.4 million years.

how exactly can i build a docker image with all of the sensitive info i need (prod db username & pw, discord bot token, etc.) for my discord bot? i can't seem to figure out a secure workflow

@long raptor maybe it's insecure but I tend to use environment variables inside a .env file, that you don't commit to the repo

i was doing some more reading, and maybe i just had a misconception about docker images. after i build my image and push it to docker's remote repo, is that data secure in that form?

Has anyone heard or know anything about yubikey?

@long raptor don't put your secrets in the image

you can give them at startup when you run it

after reading a bit more and knowing that im going to need to deploy a couple other things, i started looking into kubernetes to deploy since that has a way to manage stuff like that via secrets

still unsure if even that is ok to use though lol

what hashing algorithm should i use

For what

well it's not something i'll actually deploy just a neat little project, anyway to store passwords to acccounts

Argon2 for the win ☕

@void aspen what module can i use to hash stuff using it

nvm found one, but still, why is it better than.. for example sha256?

It is build to do password hashing

With included salting and funny things like that

what's salting

Basically, it is about adding a random element to your hash (that you’ll store somewhere, so every operation on the same user will use the same hash), so you aren’t vulnerable to raindow attacks

what's a raindow attack? and does that mean that if i hash the same string with salting from 2 different computers i'll get different results?

The same string with the same salt will give you the same result

Although, the thing is that you often don’t know what the salt is

a rainbow attack is when you use precomputed hashes to bypass password hashing at the speed of sound

I mean, those are just implementation details

Simply remember that having an algorithm that support salting is important, or your hashes will serve no purpose

Salting is basically just prepending some string

does not have to be a string

any data

Yeah true

Altough, define string

data decodable to human-readable text (+ unicode)

@astral oak argon2 is slower than sha256 and harder to brute force with gpu

nitpick: its called rainbow table attack

Tomato tomAto

@spiral pivot ping

pong

what do u want

do you know who I am?

not really?

give me a hint

assembly

assemblerz?

yes lol

well birthday paradox

what did i just see 0_o

@void aspen hey i have 1 problem with argon2 encrypting, can you give me a hand?

oh wait actually i think i just noticed the problem LMAO

I can try, sure

that'd be really embarassing

ok nvm i am a total idiot

Lol, that happen

well well well i fixed one issue and then found another, actually regarding argon2

so i hash a value and store it in a file, i then check if an hashed value == that hashed value, and it should because both times i just hashed the value "BRUH", but it's not the same at all

and now i tried hashing "BRUH" twice and it's given me different values?

how am i supposed to check if they're the same if it keeps spewing out different stuff from the same string

oh wait nvm again again, apparently it gives hashes that are different, and if you try to say if hash1 == hash2 you get False, but if you use argon2's hasher.verify function t returns true

why do i only find the solution to problems AFTER i've asked for help

why do i only find the solution to problems AFTER i've asked for help
@astral oak as to why this happens, so you know the background:

argon2 has built-in salting

this is stored in the hash itself, and is randomly generated when hashing

when you generate two argon2 hashes with the data "bruh", you're actually hashing [random salt 1] + "bruh", and [random salt 2] + "bruh"

which makes it pretty apparent why the two hashes differ

the built-in .verify() method makes sure to generate a hash with the provided data and the provided hash's salt, not just any random salt

ohh

ok got it

so can i extract a hash's salt just by lookingnat it

can any one introduce me to computer security and computer hacking

https://cdn.discordapp.com/attachments/734585897768714300/760672788515389501/unknown.png

https://cdn.discordapp.com/attachments/734585897768714300/760672943784591390/unknown.png

Hey can anyone clarify what I have to do for this section. I'm lost and I don't where to start?

What step are you stuck on?

The very first section

Do I just copy the thing in blue?

Sorry i'm very new to this

@thorn obsidian

so that's a shell script

when you run it it will output "content-type: text/plain" then a newline then "Hello World"

acting as a content generation script for a web server

but it seems like a bad idea to try to use shellshock before you know how a web server/bash script works

@woven gazelle hmmm Ok. So what should I do before to get an understanding

what have you done of programming/web development

and i'm not trying to be rude but it's good to get an idea of what you're doing

i'm also not saying you should spend years and years learning before playing with this cause

you could do it while understanding none of it

but it will be more helpful if you understand what's going on

and probably more interresting

and probably more interresting

I meant I know bits of C and such

Its my first computer security class and like this stuff is pretty new to me

@woven gazelle

Oh it's a class

That's a bit odd for your first thing

Is it an online thing you've signed up to?

yes

I took other programming classes before tho

I'm unsure of what other classes I needed to take before this one?

do you know shell scripting?

somewhat

@fading plaza

i have an app that has a license key authentication system, rn I am just checking if the inputted license key is in the database and grant access to the app while also logging HWIDs and IPs to investigate license key sharing if I ever need to. I was wondering how I would go on about making it auto login with ur HWID instead of prompting the user to input their license key everytime. maybe check if their HWID is equal to the same one they registered with and if they're not equal prompt normal login? I am also looking to do this somewhat securely. also on a side note, i am generating license keys completely randomly on user registration is that fine to do? thanks in advance.

the client should store the license key

if the client has it, send it for authentication

I am considering the following as a secure method of credential storage: When a user registers, appending their public username to the login database, along with a hashed/rsa encrypted version of their password. When the user logs in, the webpage would either hash the entered password or encrypt it with the public key, then submit it to the backend. The backend would then return whether or not the login was successful. Answers to recovery questions could be stored alongside the passwords using the same hash/encryption method.

How well would this work?

And how hard would it be to break?

That's how you're supposed to do it (minus the rsa part)

It would be impossible to break as long as you do it right 🙂

@neat rampart You can also consider storing a salt in the database and appending that to the password before it's hashed

It does not have to be secret

https://upvir.al/ref/hd47613757/

why tf is this referral link being spammed in every server

hey @void aspen can you give me a hand with argon2 stuff

so i have a function to log in, and i store an account by having a file with its username, containing the hashed password in the first line, i use the .verify function to check if the password the user gives me is the same one as the one in the file (the one that they registered when creating the account), but for some reason i just got:

Traceback (most recent call last):
  File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.8/threading.py", line 870, in run
    self._target(*self._args, **self._kwargs)
  File "server.py", line 198, in main
    self.menu()
  File "server.py", line 169, in menu
    self.account = self.login()
  File "server.py", line 188, in login
    if hasher.verify(f.readlines()[0], self.receive().decode()):
  File "/home/this_my_name/.local/lib/python3.8/site-packages/argon2/_password_hasher.py", line 191, in verify
    return verify_secret(
  File "/home/this_my_name/.local/lib/python3.8/site-packages/argon2/low_level.py", line 212, in verify_secret
    raise VerificationError(error_to_str(rv))
argon2.exceptions.VerificationError: Decoding failed

plez someone help..

can you show your code

ok it's changed a little bit from when i posted, but it's the same made prettier

Since if i posted all of it it'd be huge, here's the snippets that matter:
When a user tries to register his account, i get username, email, and password, they're all strings because i use self.receive().decode(), with receive basically doing the recv() stuff for you because it's annoying, and then, having checked those parameters but not having changed them:

with open(f"./accounts/{username}", "w") as f:
    f.write(f"{hasher.hash(password)}\n{email}")
    logging.info(f" Account created, password chosen.")
    self.send(f"Account successfully created as {username}.")

When a user tries to log in, i again get username and password, but not email this time, in the same manner, so they're still strings that i do not touch/change, and then to verify the password i do:

with open(f"./accounts/{username}", "r") as f:
    if hasher.verify(f.readlines()[0], password):
        self.send(f"Successfully logged in as {username}.")
        logging.info(f" {username} logged in.")
        self.account = username
        break

i use \n when i write on signup so that on log in i just get the first line of the file for the password, and i've checked it by printing it etcc, and yes f.readlines()[0] IS the hashed password

@woven gazelle

@uncut hill Thanks!

i am still waiting

biggest potential problem at the moment is bytes vs string or similar

you said you've fixed it with decode but I think it would be worth debugging repr of the password when you store it

and again when you compare

How can I encrypt with RSA-OAEP-256 public key ?

@woven gazelle i printed both when signing up and logging in (even though i could see i decoded it), and it was a string both times

Learn how to use it

How can I save myself from a metasploit?

keep things up to date

I still need help with that argon2 error

Like a lot

As fast as possible

how game hackers throw us files of hacked games? So they won't be tracked

and did anyone know forums about that? i want to know how this things are working, just for knowledge

!rule 5

oh, sorry, i want just for knowledge

Hey! I’d love to learn more about and get into cyber security, but don’t know much about it right now. Any YouTube videos/series or articles that you’d recommend? Mostly, I just want some source to being exploring the field

(Please ping me so I’ll see it. Going to bed really soon)

@jagged night I would say that networking is considered as a perfect start, Maybe start with comptia-Network +

Well comptia provides much certifications that will help you in this field in general
Take a look at this:
https://www.businessnewsdaily.com/10718-comptia-certification-guide.html

CompTIA Network+

CompTIA Security+

CompTIA Linux+

CompTIA Cybersecurity Analyst (CySA+)

CompTIA Advanced Security Practitioner+ (CASP+)

CompTIA PenTest+

@jagged night I can invite you to a server

a few actualy

@jagged night look at LiveOverflow on YouTube! He has a lot of cybersecurity stuff out there!

@solar rune those could probably be nice, but I’m not quite ready to invest in courses (yet). Something free would be nice

You don't need to pay a cent

https://www.youtube.com/watch?v=IErQm8wsaxg&list=PL_YW0h4ytNBtBBaPFgMzCNmnzlFalu-SA

Really? When I checked them out, it looked like I would have to pay

https://www.youtube.com/playlist?list=PLG49S3nxzAnnVhoAaL4B6aMFDQ8_gdxAy

We have youtube

Hahah yeah. Thanks, awesome!

Anytime, Vector.

hey guys, has anyone made a bruteforce number adder to the contact list tool that can make someone's number visible on telegram?

is there even the possibility to make someone's number exposed on telegram?i've heard there is a security hole there

i'm not going to use it in bad way, it's against someone who really deserves to be punished

That's a bad way lol

So your plan is to send a telegram message to every single possible phone number

And see if they are the person

Assume PAYG with 1p per text that's about

10^12 numbers

So about $10^10

Which is 10 billion dollaes

I'm not commenting on if they deserve it

But it's not something people would help you with here

So your plan is to send a telegram message to every single possible phone number
@woven gazelle not to send it, but just to look for the person in my contact list after the numbers are added

oh, yea, stats are huge

but he used a way to find that girl's number? how could he do that?

is there another method?

Probably completely separate

Like she had it posted somewhere

Or some other social media maybe

she used an unofficial version of telegram, i think the info were exposed by means of buying info from darkweb

Eh

yeah, 2 yrs ago 40 million telegram users explicit info were exposed and sold and still they are selling it

sorry if it was off-topic, thanks

Oh right I thought you meant like one specific account

Yeah getting it from a dump is possible

What did the person have access to of the girl

Like what account

Or just a name?

@tiny raft We cannot help you with any kind of illegal, ToS-breaking or malicious activity.

This definitely falls under that category.

you should be solving this issue through legal methods

You should not inquire about this any further.

oh , yeah sorry, i apologize

thanks

can comeone help me with pasting code from pastebin, im new to coding and python, thank you.

"create new paste" button at bottom after pasting code into the textbox

hey

can anyone here help me checked if a cracked program is a virus

Yeah after u run it if ur pc stops working or all ur bank acc passwords get leaked or ur pc over heats and blasts then it is a virus or else its not

xd

fr tho

u have antivirus?

no a lot of them are unreliable

and id rather not spend a ton of money on a good one

Well honestly the best way to prevent a virus is to not download cracked programs but I'm guilty too :C

Downloading cracked antivirus ........

lol

xd

lol

now that's a great idea

fr though is anyone able to check

im not great at virus hunting

I always check by googling it, reviewing the source where you downloaded it (usually a youtube video)

Yep

If it's a youtube video you can see by views, like/dislikes and comments

the video was 98 percent like to dislike

should i send the vid

Check best comments, then sort by new and check if it looks real

Yes send video

Usually there are like 100 good comments, all placed in the same minute and all the new ones are bad.

Yeah looks good, but I think it breaks ToS tho since it's cracked

So delete video link and let's move on 😛

what video link

good xd

can anyone here help me checked if a cracked program is a virus
@hollow knot https://www.virustotal.com/ online scanner

    with open("prefixes.json", "r") as f:
        prefixes = json.load(f)
        
    return when_mentioned_or(prefixes[str(message.guild.id)])


intents = discord.Intents.default()
intents.members = True
intents.presences = True

bot = commands.AutoShardedBot(command_prefix=get_prefix, 
                              allowed_mentions=discord.AllowedMentions(users=True, everyone=False, roles=False), 
                              case_insensitive=True,
                              intents=intents)``` i  used this but i get error: prefix must be plain str, iterable of str, or callable returning either of these not function

wrong channel

#discord-bots or #❓｜how-to-get-help

oops

i forgot

I need to encrypt messages between 2 users.
They start conversation having the same secret key. Key should be rotated on both sides after each message.
What algos can I use for this?

Am I looking for AES?

looks like AES doesn't describe key rotation, is it not needed or I should use something else for rotating keys?

I would try RSA

isn't ECDSA better than RSA in every way

no

https://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys/46781#46781

@radiant thistle

helloo

can anyone help me with creating a botnet server with python3333

i am on ubuntu

sigh

!rule 5

@spice tusk

It baffles me when someone with basically no knowledge of programming, computers or security states on a public discord server that they want to do something like this

Is developing a hash decryption program illegal?( One which uses permutation and combination looping.)

No it isn’t

But depending on how you use it, it is illegal

No, just developing for analysis

ok thanks @void aspen

Anytime!

It could be illegal depending on where you live

So, will I have to browse entire cyberlaws of my country?

well what is your country

it's probably pretty easy to google but it varies by country

tbh i mean

it's technically illegal in the uk i think but not actually enforced because the law is ridiculously vague

Ok, thanks @woven gazelle

I usually would not double post like this, but I have a security question that is also for webdev I posted in #web-development https://discordapp.com/channels/267624335836053506/366673702533988363/764303379575996427 I would appreciate if anyone could explain jwt and token auth better to me, or point me to some resources so I can build a backend from scratch.

Any tips on starting security programming?

@vital cave Same. Kinda new to the game

yea

is there any way i could somehow send my PEM password to uvicorn, or is the only way to run a container w/ my api using TLS is by stripping the password from the key?

so I made a service account for an integration with a google API with my django app, they provided my secrets.json file, would it be safe to commit this file in a github repo, even if the repo is private 👀

No, it's a bad idea

Keep the credentials local and load them dynamically from your program

(sorry for crossposting)

Situation: simple python program that has a client and a server (using sockets) for a game. I want to use SSL to encrypt the data so people cant sniff the content. The server should be able to run everywhere: not only on my machine. I have a self-signed certificate alongside the program, and I can communicate just fine if I use "context.check_hostname = False" on the client. Is this the proper/normal way to do this, or is there a better way?

hi, i am having problems decompiling a pyc file, can i get some help please?
PS > only educational purposes i am trying to figure out how to get its code so i try add more security

hi. A beginner here. Is Kali or Parrot OS better for pentesting? (for a beginner)

Hi, I am trying to create a python web scraper using requests but unfortunately, the website I am trying to scrape is protected by Incapsula. I found this GitHub https://github.com/ziplokk1/incapsula-cracker-py3 but the code appears to be out of date and doesn't work anymore. Does anyone know how to bypass incapsulate with Python requests?

!rule 4

woops

!rule 5

yay

Hello. I have a question about jinja. I want to create a templates engine in my discord using this system, but I have a question: is it safety? Can someone rm-rf my system or shutdown or get token using this command?

assuming the template is static

and not built using user input

it should be safe

Ohh.... thank you so much...

how do you scan your own network with nmap

what kind of scan

nmap <ip range> will scan that ip range

for example nmap 192.168.1.0/24 will scan all 192.168.1.x ips

Anyone know where should I store the Initialisation Vector of an aes encryption, I guess it doesnt really matter since we still need the key?

store it with the message

IV doesn't need to be secret, just unique

thanks

Good morning. I'm currently digging info about how to secure my app/code. If anyone has resources/guides/websites bookmarked, let me know 🙂 I found some information already but I haven't to confirm what is accurate/best for my case

Can you give an example

I noted down pyarmor and Qpy

Greetings...recently i found very interesting the process of building proxies in python, especially for online games, for now, i've tried to develop proxies for games that prompt for the server address to connect ( like Minecraft and some of the games i've built ), that was super fun, cause i had the opportunity to learn new things, like the Minecraft Protocol, and advanced networking in python...I'd really like to go one step further, and try to build a proxy for an old game that doesn't prompt for the server address...Basically what i'm asking is...how can i route ALL ingoing/outgoing traffic from my machine to a proxy? I have a raspberry Pi, i thought that maybe i could create another AP that i can connect to it with main machine....Is there some simpler solution?

I guess some mechanisms require reverse engeneering the game, to make it connect directly through proxy...that's really out of my skills at the moment 😅

**How is twin prime numbers used in programming?
**

hash = lambda n: hashlib.sha512(str(n).encode("utf-8")).hexdigest()
def gensalt():
    return hash(str(random.random()))
``` what do you guys think about this salt generator?

sup

hi

i like ur name xd

haha

do you know how to make a ddos attack

!rule 5

@cursive agate random module is not cryptographically secure, use secrets module, or better yet, dont roll your own crypto

I want learn cyber security with python where can I find tutorial

what kind of thing do you want to learn

hash = lambda n: hashlib.sha512(str(n).encode("utf-8")).hexdigest()
def gensalt():
    return hash(str(random.random()))
``` what do you guys think about this salt generator?

@cursive agate The resulting salt is longer than necessary. Base64 is a more efficient coding/storageformat. The random source is insufficient. random.random yields "the next random floating point number in the range [0.0, 1.0)" which is a too small seed - using SHA512 to increase randomness is not enough. Use secrets instead. Depending on what you want to do, maybe argon or pbkdf2 is a better choice? Or maybe you could just include some library for WebAuthn, SSO, SAML or what not, rather than trying to roll your own crypto?

@thorn obsidian is bcrypt module good?

anyone here know how to use Wireshark? I am stuck and need some help. I cant get a display filter to work for the whole file. I might just be getting it wrong

basically what I am trying to do is capture using this. So I only want to capture my mac address and port 80

also I changed my mac address for the example

@ me if anyone has a solution for this ive been trying to find what ive been doing wrong for awhile

Hello, I need to encrypt my SQLite database and store it in the path. Anyone knows how to do it or made this before? (Django project)

@thorn obsidian is bcrypt module good?
@cursive agate a) The jury is still out. b) That is like asking if a 1" fixed wrench is good. It is absolutely fantastic if you need to tighten a 1" nut. Less so if you actually need a paint brush or a newspaper. What is it you're trying to accomplish? For whom? What do you need to do in order to protect against your intended users' threat landscape, considering the intended deployment environment? NIST has some good advice in this area. Both NIST and European sources recommends PBKDF2, for now. In short - I recommend some research and some Google-fu. Also, the wrench/bcrypt is only great if it is used the right way...

Hello, I need to encrypt my SQLite database and store it in the path. Anyone knows how to do it or made this before? (Django project)
@harsh wasp Encrypted File System, EFS on Windows? Not the best way to do it, but it may work. As an application you can encrypt the file yourself and read it to memory when you need it, if it is small enough.
Executables should be provided with the location of the files to use. User may want to store their files in different places, like on DFS share (great for clustering) or what not.

Rather than bcrypt I myself use argon pure. contrary to most other argon2 wrappers it has all of the interfaces working which means I can supply a salt, session data and some application specific identifier (close, but not quite "a pepper") to cause my applications passwordhashes to be different from anybody elses. Pepper is handled by the developer. Note that you need the mixed mode "id" operation and at least 10 rounds of calculations with argon2.

@gentle sail instead of eth.addr, use eth.src

so i wont tag but Mr Scott or anyone else ,can u please help clear a querry,
if u have a website hosted on a platform like netlify, if u try some experiments related security, will it be illegal

i mean i own the website but will that be against netlify's policies

yep it's very likely against their tos

always test only on your own hardware and on your own network

never screw with other people's stuff

thank u so much and what should i search for in tos for such querries

simply put, it's illegal to mess with stuff that isn't yours (in all countries afiak) unless specifically given permission

i c

thank u so much

np

Hi! I recently installed Kali Linux to learn a bit more about Ethical hacking. What are some projects I can do to get started?

!paste

Hey guys, This is my first day learning about cryptography(more specifically hashing). I learned the different types of algorithms used for hashing, salting etc ..... pretty basic

I made a py file as a tutorial for whatever I have learned

I'm curious as to how secure this all really is... because this is all really public knowledge... this can't be that secure

https://paste.pythondiscord.com/akipaniraw.pl

I'm asking you guys to take a look at it and tell me your opinion on how secure it is (google says it's pretty secure but I still have doubts)

Being public knowledge doesn't make it insecure if the algorithm is built right

Also if I made a mistake anywhere... feel free to let me know

The algorithms publicly used can be studied so that a tool can be made to counter it's effects no?

Or am I being too paranoid?

yeah

But that means that attacks can be discovered by researchers first instead of black hatters

kerckhoffs principle

Alright

Did you check the code?

Looks fine to me

Ik but are those methods secure?

pbkdf2 is secure

Thanks

even though there are better options

Also this got me wondering... How do tech giants encrypt data?

Encryption?

or hashing?

Both

I'm pretty sure the standard for encryption is aes

(symmetric)

The type in which there's a key for both encrypting and decrypting?

yeah

So Google still does that?

I thought they might have had more security

Unless ofc the encryption is really secure

aes hasn't been broken yet afaik

so the current best attacks are either implementation attacks or brute force

Thanks man

AES currently only has theoretical attacks (attacks that actually decrease the security level of the algorithm, but are not possible to do in practice)

plus broken implementations

like padding oracles

of course, implementation attacks are always possible. I was talking about attacks on the cipher scheme itself

Does anyone have any thoughts on this question here? https://security.stackexchange.com/questions/239681/how-to-block-duplicate-accounts-without-leaking-pii

Just tell them that u were not able to create the account, and to contact support.

The statement "if you have an account, you will receive a password reset email" must be used only when issuing a password reset.

ok

What kind of pii

Hey guys, anyone know of a good tutorial for decrypting a hash?

Tried yt wasn't satisfied

Can I get your thoughts on this please.

Security wise, if an election if public, meaning I can verify my vote was cast properly and I can also check to see how other people have voted,
it makes hacking online voting "less hackable".

Would this be a truthy statement to make?

no.

the other issue you would have is perhaps more of an ethical / moral one

should you be able to know how someone else voted

it'd be more transparent, but it doesn't mean it's less vulnerable to manipulation

I think the statement is true in that ultimate transparency makes an election less corruptible

But you don't want ultimate transparency in an election

i mean, it's a bit beyond that

it'd require people to verify their own vote

and not just that, you'd have to verify the people voting are the people they are

electronic voting is a tricky one

i imagine if you issued every person with their own cryptographic key you could massive reduce the instances of fraud

is there someone who can help me with JWT tokens in flask/python?

b

i forsee a ban for spam

@lusty flare @woven gazelle In this hypothetical I'm assuming no one has an issue with their vote being public.

can someone send python hacking tutorial vids

i need help

ethical hacking

@floral wharf

in other words, you cant really do ethical hacking from vids

If you want basic pentesting (not necessarily related to python) might look at networkCheck(youtube) and tryhackme (website) ||keep in mind I know basically nothing about said topic so take my advice with a grain of salt :P||

yeah. also a simple pentesting tut is available at freecodecamp.org on youtube

you might as well check that out

here : https://www.youtube.com/watch?v=3Kq1MIfTWCE

tks bro

🙂

Kali Linux

What

This is for my ChatApp. This is my first time doing something like this. If you have any questions ping me!
Oh and my question is. What can I do to make sure this is more secure? ping me in reply

Okay so first the two servers use SSL to connect, the certificate is server side only, and is a Self Signed cert.

After this the server sends over the 64bit key. Generated with os.urandom
The client receives this and then sends the key it received back to be checked.
If the server does indeed find the keys are the same. It sends a message to let the client know its good.
Else.
it sends a "Key Error" and the client disconnects

Next the Server sends the Initialisation Vector for the AES-256bit encryption
The client sends it back to be checked after the client has been received
If the server finds the IV from the client and its own IV are the same if it is the server sends a message to let the client know its good
Else
it sends a "IV Error" and the client disconnects.

After all of this. The server and client communicate solely over AES-256bit
The characters allowed are in the messages
[^ a-zA-Z0-9[]/?.!,']

why is there a character limit

what aes mode

why aes at all

and not just ssl

@leaden crater

AES because I wanted to. The mode CBC
Character limit of 100 characters
Only those allowed? Because I am planning on adding a SQLite database to store the messages but that's a different issue

no like

Those characters the [] and /
Are because of Text-Markup

In Kivy.

why are characters even banned

adding and SQLite Database

so?

I'll escape the characters eventually

that has nothing to do with banned characters

oh no no no

But for ease I am just limiting the characters

parametrized queries

parametrized queries
Go on?

that is the right solution

like cursor.execute("select * from users where user = ? and password = ?",(user,password))

or whatever the syntax is

Ohh yes

And that can't be yeeted by Injections?

Right?

nope

so you dont need to ban characters

Hahaha nice. Okay that saves me doing stuffs

so you dont need to ban characters
Good.

Why is my SMTP code not working ( the emails are fake but I use real ones for the errors shown below):

File "scratch.py", line 10, in <module>
server.login(senderemail, password)
File "C:\Users\dhruv\AppData\Local\Programs\Python\Python38-32\lib\smtplib.py", line 734, in login
raise lastexception
File "C:\Users\dhruv\AppData\Local\Programs\Python\Python38-32\lib\smtplib.py", line 723, in login
(code, resp) = self.auth(
File "C:\Users\dhruv_\AppData\Local\Programs\Python\Python38-32\lib\smtplib.py", line 646, in auth
raise SMTPAuthenticationError(code, resp)
smtplib.SMTPAuthenticationError: (534, b'5.7.9 Application-specific password required. Learn more at\n5.7.9 https://support.google.com/mail/?p=InvalidSecondFactor x23sm2799418pfc.47 - gsmtp')

Sign in with App Passwords - Google Account Help
Tip: App Passwords aren’t recommended and are unnecessary in most cases. To help keep your account secure, use "Sign in with Google" to connect apps to your Google Account.
An App Password is

Anything else?

i still don't quite get why you need aes if you already have ssl encryption

ssl already uses aes

AES on top. Because eventually, the server its self will just be a middle man for the two clients to talk in a DM/Group DM

with authentication too

AES will be used so that I or whoever is on console cannot read said messages

The keys will be generated different then not on server side

But the process will be the same

between 2 clients

well if the server is sending the key

then they can read it anyways

but if you want a client to generate the key

Right?

wait this is just going to become ssl tunneled through the server

What do you mean?

Exactly*

so the server is just there to transfer messages between the 2 clients, right?

Yes

and all the encryption/decryption occurs on the client?

Or will be

Yes

ah so its end to end encryption

Yes

Oh yeah I shoulda said taht

😑

if so, then just aes won't be enough

E2EE AES

if so, then just aes won't be enough
DAMN IT

otherwise the server can tamper with the messages

Oh god yeah

So how do I stop such a thing?

i dont really know much about this topic

Ahhh damn it

but this sounds like exactly what tls does

E2EE when I looked up. It said they used AES on all messages and the server couldn't read
You're right they never said "tamper" not any of the posts I looked at

but this sounds like exactly what tls does
What is TLS?

ssl v2 basically

technically ssl is deprecated

Ohhh. 🤔 Okay.. how do I do that with sockets? Or is there some custom code I'd need to make

and tls is the new standard

like i said, i dont really have much experience with this

maybe wait for someone else to answer

Ahh okay. I shall look into do that. "TLS with Python Sockets" Thank you bro!

ssl.PROTOCOL_TLS_SERVER

Alreadly TLS

Looking through code for what I did

TLS is already enabled

@oak kraken have you enabled "less secure apps" in the google account?

and you've made sure the account doesn't have 2FA enabled?

i did

oh no 2fa

ok i will do that

thanks a lot it works now

👌

I have one last question

How do i make it send an email if it detects a face ( I have the face code )

not really related to #cybersecurity tbh

but i imagine once you've got a valid faceid you just trigger your smtp emailer function

i've got one function which does gmail smtp relay stuff and i've copy/pasted it to a bunch of projects because it does exactly what i need

and if something requires email, i just bolt it on.

I like to use a mailer program installed on the OS (like postfix). One thing to configure for all programs, built-in error/retry handling, lots of documentation, and the Python process can continue its work quickly after sending the email to local server

another thing; how could I encrypt a password?

AES could work

read this: https://blog.tecladocode.com/learn-python-encrypting-passwords-python-flask-and-passlib/

For one, that isn't encryption, also, that's for storing passwords in a database, which I'm assuming isn't what he wanted

maybe you answered the letter of the question but I guessed the spirit of it 🙂

@oak kraken could you clarify what you want to do? (what do you mean by encrypt a password, what is your goal)

I want to make it so no one can get access to it except me ( i am storing it in a text file) Should I use MySQL?

no, you should use a password manager

what is that?

a program to store passwords securely

example KeepassXC

oh

merwok, do you want to get in a dm so i can ask you some more questions?

private dm

ok I have five minutes

I want to make it so no one can get access to it except me ( i am storing it in a text file) Should I use MySQL?
@oak kraken MySQL is for storing data, and not sensitive data, as it is not really secure

oh ok

You could maybe use an encrypted SQLite file, but that still means having a password, or securely storing a key, so...

Pretty silly to accept clients to transmit sensitive information through third party apps such as Messenger, Instagram and WS

Security wise, correct?

correct, but hard to make clients understand and accept that

they will send passwords in email

Does pyarmor pack MYSCRIPT.PY does automatically what pyarmor obfuscate MYSCRIPT.PY does?

Pretty silly to accept clients to transmit sensitive information through third party apps such as Messenger, Instagram and WS
@thin shoal third party isn't necessarily worse than first party, in fact I often assume the opposite

but yes, that third party should definitely not be a company who profits off of data such as fb

I had a meeting and a person told me about a POST attack, where an id can be changed and with that I could access information that was not authorized in a site so it was preferable to validate with the logged in user (request.user in my case). I may have misunderstood(bad wifi connection), but can the POST be changed with an attack?

I think you're going to have to be more specific

what do you mean 'changed with an attack'

like intercepted and changed?

in the post i have a var like customer_id = 2 and somehow it can be changed to 3 for example, intercepted and changed is prob what i have in mind

is the api intended to be secure?

i.e. is this something that only certain people should be allowed to do

it'a a website and yes it should be secure.
if you mean that _id is used to validate acess to DB(i think so?) but yes, only certain people should be allowed.

hmm

like IDOR?

where there's no authentication and just a id?

i think that's it

" The attacker can access, edit or delete any of other users’ objects by changing the values"

how would i go about protecting against that?

using django if that helps

verify post requests against some kind of user login

can i do this with a decorator?

can't help there, i've not really used django

i know you can in flask

i suspect you can

Howdy

drf has authentication class's n such you can apply to views yes

is there like a hacking intro course that anyone can recommend

I don't want to be a script kiddie with the 15 hour youtube one i found

my personal recommendations are picoctf and overthewire bandit/natas

both beginner friendly

bandit focuses on basic linux

natas on web exploits

and pico has a bunch of categories

@sturdy ginkgo

if you want guided learning I heard hacker101 is good

since the ones above kinda rely on you doing research yourself

got it

yeah I have kali linux

https://overthewire.org/wargames/ are you talking about this w bandit/natas @fading plaza

yeah

alright cool

yeah i'm mostly interested in machine learning and data science but i've always thought hacking was really cool

just couldn't find much help for it so I never looked into it

@sturdy ginkgo if you haven't looked into them already

i'd recommend checking out some talks from conferences

Blackhat, DEFCON and CCC (C3) all have some excellent talks

hello everyone!!

Hye

wassup

KAIL LINUX

KALE LINUX

you guys are one of the most welcoming communities I've seen in hacking

most of the people I talk to when I ask how to like learn hacking they just tell me to go f myself

Thanks

yes

Kale

@sturdy ginkgo do you like kale linux

@dense mist no i haven't used it yet but my friend helped me get it on my machine

I'm more of a data science machine learning person

Can python format strings be exploited? In Python 3.9 this is as far as I can get, so I'm reasonably sure a user can't arbitrarily run code, but I think it can be used to get access to secrets within the rest of the application
format("{.__globals__[__builtins__].exec}", format)

Hmm

Well it is generally used on a static string so I can't see it being a very common issue

But some articles mention untrusted translation sources being an issue

Maybe come up with a GitHub dork to check for issues like this

most of the people I talk to when I ask how to like learn hacking they just tell me to go f myself
@sturdy ginkgo most people has the major misconception that hacking or ethical hacking is bad against the law and they think ur a small child who wants hack wifi or stuff

Despite of telling them what an ethical hacker does

They wont understand

yeah

any ethical hacker works for the goverment lol

If I have an "/uploads/<filename>" route which downloads a file with filename, should I limit the length of filename? I mean do you think a long filename(so long url) would cause problems for server(as in slow it down)?

no

this should be enforced by the reverse proxy sitting in front of your application

ie nginx

Oh right. Thanks xx.

ie, super long request URIs or too big of a post request gets dropped

Great. 🙂

@amber bridge ethical hackers do pentesting right

Depends

They have different kinds of job

Pen testing
Reverse Engineering
Malware research
Bug bounty
Malware design
And more

So the django application that I'm contributing to has a non-interactive mode for instances in which the admin does not have access to the command line. They print an initial default password to stdout for the admin to log in, and never enforce that the admin change that default password.

This seems like a security issue to me..what do you think?

@acoustic nova I learned rsa through the crypto challenges on picoctf

especially rsa pop quiz

where can I find this

which goes step by step through the parts of a rsa implementation

https://picoctf.org/

Wrong link

that's the old site

https://www.comparitech.com/blog/information-security/rsa-encryption/

ew carmichael toitent

euler's better

yeah

<@&267629731250176001>

Hi everyone, I have one question regarding the security of communication line with the Discord bot. How secure is Discord when sending like bot commands. Simple example: If i send some "password" to my bot, is there a way for someone else to see somehow that password other than through accessing my account and scrolling over DM?

thanks for help 🙂

@amber bridge @thorn obsidian I'd rather not have you two vandalize a topical channel with nonsensical messages. Consider this a fair warning.

k

Ok

k

@rapid wigeon to answer your question, someone with only access to their api servers can see the request with your token and password if you input it, there’s really no way to MitM discords services.

Thank you very much 🙂

Hey guys how easy is it to decrypt encrypted data? And how do we do it?

I'm talking sha1, pbkdf2_hmac hashing

Or aes encryption

If we were to sniff the data from a network... How easy is it to decrypt?

I´m developing an app in Django as my first professional project and I don´t know where to start with security... Any advice?

@warped hatch virtually impossible unless there are implementation flaws

and hashing is different from encryption

@rapid wigeon to repeat, and a lot later >.> Discord and the bots use TLS-based http security for their connections, or WSS which is very similar and uses the same backing. Consider it as secure as a normal password form available over HTTPS.

@thorn obsidian Django is used to develop websites not apps

@fading plaza ik that but Google says that it's still possible even with hashing... I think

And by implementation flaws do you mean flaws in the encryption process?

You can crack something like md5 in a quite long time

But modern algorithms like sha-256 would take basically forever even if you have all the computing power in the world

@warped hatch a webapp* sorry.

assuming a hashing implementation that doesnt have non-algorithm related flaws such as timing attacks

the best attack is brute force

same for encryption

@warped hatch

however, that is assuming that there arent any non-algorithmic flaws

such as reusing a nonce(a value that has to be unique and random in an algorithm)

or using a weak key

Anybody do any consulting work? I've been thinking about it myself. Could I get work with a CompTIA Security+ and practice from multiple websites (I have like 8+ bookmarked)?

anyone here skilled in the ways of 2captcha that might be able to lend some guidance?

Any other way of obtaining that information?

I want solve this problem

Try sudo

If it still doesn't work try a different editor which is easier to use

you don't have write permission

Will sudo fix that?

Works fine with mine

yeah, I think so

he can also change the permissions, which I'd probably do myself

Would you like to say something in response to my question above?

I already did?

You did?

@acoustic nova If you learn number theory, rsa and a lot of other encryption will come by itself

did what exactly?

Any other way of obtaining that information?

Answer this question?

The info encrypted

Ooooh, right

Sorry I misunderstood

@acoustic nova If you learn number theory, rsa and a lot of other encryption will come by itself
@quiet gull yeah I know

To decrypt data you need a pragmatic approach. In theory, it's impossible. The math is against you

But you know, vulnerabilities are a thing

Yea but is there a way to get the key too? You know in case it's aes?

Will that help?

Sure, if you can somehow get the key

why do you ask this?

Saw this in a game

Was like "no way it's that easy"

Your hunch was correct lmao

It just hit me... Why do people keep using john the ripper for the hashed passwords if it's hard to brute force?

is this the right place for the module "cryptography"?

if you choose a bad password

that can be guessed

than jtr can brute force it

Got it

@thorn obsidian I've been discussing that here from time to time so I think it's fine

ok so

apparently the crytography module can't handle \n's very well:

key = Fernet.generate_key()
cipher = Fernet(key)
text = b"""Encrypt me! 

 """
encrypted_text = cipher.encrypt(text)
decrypted_text = cipher.decrypt(encrypted_text)
print(decrypted_text)

works for me

In [1]: from cryptography.fernet import *

In [2]: key = Fernet.generate_key()

In [3]: cipher = Fernet(key)

In [4]: text = b"""Encrypt me!
   ...:
   ...:  """

In [5]: encrypted_text = cipher.encrypt(text)

In [6]: decrypted_text = cipher.decrypt(encrypted_text)

In [7]: print(decrypted_text)
b'Encrypt me! \n\n '

congratulations

🙂

@thorn obsidian

bro

i don't want to print "\n"

i want to print the actual space

the same way you press enter

you can't print a bytestring

you have to decode it into ascii first

or if you do print it, it just prints repr of it

It works! I had a headache over this!

Hi

is the security hard to make?

what

Is there a recommended standard for how long password reset links should expire after?

Currently I have it set to 60 minutes, and the signature for the URL is calculated through sha256.

Take a look at what other sites do

Search your emails for'password reset' and look at what they say

Hmm if only I didn't delete them as they come. I'll try resetting some passwords.

But then it's a matter of if the sites compromise security over user experience.

i think 30 minutes is probably the upper limit for me

because there's no way it takes 30 minutes for the email to arrive if you have a decent mail sending engine

10 minutes is probably the lowest i would consider

@dense mist no i haven't used it yet but my friend helped me get it on my machine
@sturdy ginkgo amazing :D

@dense mist haha

B)

hru lately ?

how can you guys send this text like this

I have content for cybersec ,get this pinned

@thorn obsidian if you have resources that you think are useful for us, let us know on our Github or in #community-meta and we'll look into it.

I have a serious Windows 10 problem where can I talk about it?

???

what's the problem

I have a serious Windows 10 problem where can I talk about it?
@worldly jay what is it

I fixed it...

What was the problem anyway

I fixed it...
@worldly jay I'm curious can u tell me what problem u had sir

It was Windows 10 signed me in with the TEMP folder or the Temporary User...

Oof

So how did that happen?

Like did some kind update

Happened

Bcs mostly windows updates are bad

No, because of Malwarebytes Anti-Malware!

Ohh

Well what procedure u did

So it got fixed

I guess this has to do something with BIOS and command prompt

I fixed it by creating a admin user, signing in with Microsoft and copying all files!

Hey guys

One of my friends was recently sent this

It's nothing too concerning in this case so I don't really care

But in case this happened to me( like..... Deleted all my data and demands money in exchange for the backup).... Does anyone know how I can track him?

well you'd report the incident to the police annnnnd wait.

Ik that's what I would normally do...

But the message he sent that he can't be tracked because the email address is generated, and the Bitcoin address can't be tracked has me curious

Is there really anything I can do to track a person like that?

@warped hatch this message is a famous scam

Totally a scam

https://malwaretips.com/blogs/i-am-a-professional-coder-and-i-hacked-your-device-email-scam/

ive got this multiple times dw lol

your friend must've gave his email somewhere he wasnt supposed to (an unauthorized website) and those emails are often used/sold to scammers

you can do some magic to try and identify owners of bitcoin addresses

since the ledgers are public

except if the address is a fresh new one

yeah, but it'll move currency somewhere else eventually

if it only moves currency out when you pay it, you won't find it before paying 🤔

pretend to not know what your're doing and send 100 cents instead then see what they do

I thought the whole point of Bitcoin was that it can't be tracked

I thought the whole point of Bitcoin was that it can't be tracked
@warped hatch No, the whole point of Bitcoin was to be an alternative currency not based on fiat principles and entirely digital 😄

You can actually see its purpose, as written by its creator(s) here https://bitcoin.org/bitcoin.pdf

yeah, there are methods of obfuscate payments

but because there's a permanent ledger there's always a record of where stuff came from

Thanks guys

Yo wassup

Wait is “coder” a unprofessional way of saying?

@bitter coral "coder" is fairly unprofessional

people use computer programmer

or software engineer

Ah ok thx

hia, i want to encrypt my discord bot token. how ccan i do taht?

why do you want to encrypt it

why

What's the point in encrypting your bot token and pushing the encrypted bot token to e.g. GitHub if you still have to worry about safely storing the decryption key.

I can see why you'd want to encrypt it, but it's probably not worth it.

You can grab the token and spam it

and thats why you don't push secret tokens to github in the first place

Hi, I was told this is the chat for help with encryption and encryption. is this correct?

@carmine anvil The title does suggest that 😄

ok

i know the secret to top notch security

password123

hunter1

pa55w0rd

*hunter2

horses

@woven gazelle @jolly veldt my dad who does rn the cyber security stuff says I must do it before i can operate my bot soo he made me ask that. I am not intendint to upload it into github but I do want a way to keep that time secure

But why you want encrypting it, if you dont share it, or do nothing with it? Its not necessary if you want to make bot @azure pivot

Again. My dad forces me to it. In addition I do plan of cloud integration and my dad doesn't want me to really on discoed oath2

I do believe he wants me to lean encryption in general to the bot thing I make soo idk exactly

question, yall think python is the future language for everything, mostly security?

even for now, is python suitable for security?

You can do security things all language

What is oath2? @azure pivot

I think you're talking about OAuth2

Yeah sorry

So you want to make some discord bot but you want to encrypting it? If im correct @azure pivot and your dad want you to encrypting it?

Only the token

Just the token he wants me to encrypt

But why

Is this bot comming somewhere also

Or only you? @azure pivot

there's no point in encrypting your bot token because you have to store how to encrypt it

which means the encryption is worthless

If you encrypt the token, you have to safely store your private key

Which you kind of already have to do, as you need to safely store the token in the first place

Are you try to google "how to encrypting discord bot token" if your dad want it @azure pivot

Thx for explaining. The bot is planned to go to a cloud so I won't have to run it on my pc all day and night

Hi, I have a shuffle cipher program that uses py random.shuffle()
I need help making the decoding method. can anyone help me?

my issue is i dont know how to use the map given and use it to decode the encrypted message

Hi, I am assessing an web app written in python. Its run by tornado / sqlalchemy / mysql. Can some tell me if can find a security vulnerability with the way this password reset function is implemented. This app is indeed vulnerable by design.

    ''' Email user a new password '''

    def get(self, *args, **kwargs):
        self.render('public/password_recovery.html', errors=None)

    def post(self, *args, **kwargs):
        ''' Starts the account recovery proccess '''
        username = self.get_argument('username', '__NONE__')
        user = User.by_name(username)
        if user is not None and user.confirmed:
            self.reset_password(user)
            self.render('public/sent_password_recovery.html', user=user)
        else:
            self.render('public/password_recovery.html', errors=["Invalid username"])

    @async
    def reset_password(self, user):
        ''' Generate secure password, and email to user '''
        random.seed(int(time()))
        count = Dictionary.word_count()
        index = random.randint(0, count)
        word = Dictionary.at(index)
        new_password = "%s%04d" % (word, random.randint(0, 9999),)
        user.password = new_password
        dbsession.add(user)
        dbsession.flush()
        email_service = EmailService()
        print (user, new_password)
        email_service.send_password_recovery(user, new_password)```

do you just... email the new password... in plaintext?

how do people usually do it?

are 2nd auth keys emailed in plain text

Securely? generate a password reset link, and email it. That way, the user knows something is up if the password is not the same

Yes, the password does get sent in plaintext to the email address that's in the database. The user only supplies their username on the reset page.

If you don't do that, someone can just grab the message, and use the password without the user knowing it...

true, I have seen services email it in plain text

never thought much of it though

Worst thing ever: they email you your own password...

lol, that means it wasn't encrypted

That means they either store it in plain text, or they have a master key, which is not better

yeah

hashed

padded, hashed, and salted...

some algorithms like argon2 makes it all really easy

which I like

Do you notice anything that would allow to influence what email the password would be sent to?

this is the email service

    def send_password_recovery(self, user, new_password):
        ''' Sends email with recovery password '''
        logging.info("Sending recovery password to %s at %s" % (user.name, user.email,))
        subject = 'Website: Password Recovery'
        text = 'Your account password has been reset to: %s\n' % new_password
        msg = MIMEMultipart()
        msg['From'] = self.config.email_username
        msg['To'] = user.email
        msg['Subject'] = subject
        msg.attach(MIMEText(text))
        self.__send__(msg)

    def __send__(self, msg):
        ''' Connects to Google SMTP server and sends email '''
        mail_server = smtplib.SMTP('localhost', 25)
        mail_server.ehlo()
        mail_server.starttls()
        mail_server.ehlo()
        mail_server.login(self.config.email_username, self.config.email_password)
        mail_server.sendmail(self.config.email_username, msg['To'], msg.as_string())
        mail_server.close()

tbh I came from C# and suck at python, someone else might though

At first glance, I don't see any security flaw apart from the plain text password sending one

Thanks for taking a look, I'll keep poking at it.

can anyone help me with the shuffle cipher question from earlier? do i just copy paste what my question was

What is the most common security vulnerability with Python

?

Depends what you're doing

how do i make an encryption algo?

don't make an encryption algo, you WILL mess up some tiny detail and all of the data you "encrypted" will be vulnerable

use a library

uh

unless you are just doing it for educational purposes

i wanna make a login sys

use a library
like hashlib?

this one should probably work

https://pypi.org/project/scrypt/

might want to double check with somebody else before you use it for something important though, I'm not an expert

I know just enough to know that trying to self-encrypt is a bad idea

k then

thank you!

np, good luck :)

thnx

Implementing something like DES, AES, RSA, or even DSA can be quite interesting for experience. However, you really need to test it thoroughly before even thinking about using it for security

and it's probably gonna be really slow

Hi, I have a shuffle cipher program that uses

random.shuffle()

I need help making the decoding method. can anyone help me?
my issue is i dont know how to use the map given and use it to decode the encrypted message

hi guys

Brrrrr

hii need help badly ... my friend's fb page has been hacked and now they are posting non page related contents .. we reported the page many times but no actions were taken ... anybody could help ??

Appart from calling the help desk, there isn’t any other solution

reported many times called their support center ... no use

hi

Hi

what's new?

abstracting data integrity, reliability, and redundancy on all systems.

monitoring all resource pools , managing and reporting.

hello,i am new to database security
can someone tell me what needs to be considered for database security and if possible resources for the same

Sql injection

@mental stratus

Not storing plaintext passwords or sensitive info

Curious, is there a standard format for sharing RSA public keys as text?

I did some looking around and there seems to be no reason I can't just make up my own, given that I am writing software for personal use.

pem?

looks like

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAryQICCl6NZ5gDKrnSztO
3Hy8PEUcuyvg/ikC+VcIo2SFFSf18a3IMYldIugqqqZCs4/4uVW3sbdLs/6PfgdX
7O9D22ZiFWHPYA2k2N744MNiCD1UE+tJyllUhSblK48bn+v1oZHCM0nYQ2NqUkvS
j+hwUU3RiWl7x3D2s9wSdNt7XUtW05a/FXehsPSiJfKvHJJnGOX0BgTvkLnkAOTd
OrUZ/wK69Dzu4IvrN4vs9Nes8vbwPa/ddZEzGR0cQMt0JBkhk9kU/qwqUseP1QRJ
5I1jR4g8aYPL/ke9K35PxZWuDp3U0UPAZ3PjFAh+5T+fc7gzCs9dPzSHloruU+gl
FQIDAQAB
-----END PUBLIC KEY-----

@neat rampart

Hi guys, I have a problem how can I maka a login page?

make*

a

Has anyone embedded javascript code into a jpeg image before? I am pen testing some software (its my job)

You should be able to change the JFIF APP0 marker length to 2F 2A (/*) and add */ and code. Make sure to pad that marker to 12074 (2F2A) length

@sick fable doesn't this depend on the jpeg renderer being vulnerable?

Actually it depends on the javascript parser

The jpeg is compliant to the standard using the method above

The issue for the javascript parser is how it'll interpret the first 4 bytes FF D8 FF E0

Of course, you can try to bring the /* to the very beginning, in which case it won't be jpeg-compliant due to the extra 2 bytes at the beginning

sounds very interesting to me

Hi

ABstraCti¤n{B¤x =>(bindObservable = n2sFiles{network, security, storage}) Unb¤x =>(bindObservable = i2rData{reliability, integrity, redundancy})}

does anyone know an api for scanning ports?

rule fiiiveeeee

!rule 5

wot 'e said

port scanning is not illegal in itself. However, it can be used to (d)DoS essential services, so... not gonna help @thorn obsidian

You didnt have to @ me for that...

🤷

Nmap is a port scanner