#cybersecurity

From my point of view the most interesting steganography is to hide informations in real-time communication like voice communication or network packets

It's hard to detect and track

I am definitely keen to try some audio stuff soon.

I don’t understand how cyber security works someone give me education

Magic, you have been given education.

Basically cyber security is a way how to protect your digital data

Do you have more precise question?

So I am making a React Native app that involves OAuth login with a third party service. I generate the request token and access token server side to avoid having my api key and secret in the client code.

I'm new to OAuth so I'm sorry if this is a really stupid question but is it fine to store the access_token and/or access_token_secret in the client? The reason I'm asking this is because if possible I would like to eliminate using a DB to store these tokens, and instead just store them on the client so the client can directly send API requests to the third party provider.

Good Security plug-ins to add to your browser:

1. https://www.eff.org/https-everywhere

2. https://addons.mozilla.org/en-US/firefox/addon/privacy-possum/

3. https://github.com/EFForg/privacybadger

https://techlore.tech/

https://apps.dtic.mil/dtic/tr/fulltext/u2/1038572.pdf

Hello, is it possible to generate a random string of numbers and letters (or the secure equivalent) from a string (more numbers and letters) acting as a seed? I can't seem to find anything to do with generating random strings with seeds, except for one that uses an integer seed to generate a random number, which isn't what I'm looking for.

Obviously

Maybe get the input and for each character assign it a few different characters, it won't be very secure

!e

import string
import random

def generate(seed, length):
  random.seed(seed)
  alphabet = string.ascii_letters + string.digits
  return "".join(alphabet[random.randint(0, len(alphabet))] for _ in range(length))
  
print(generate(0, 2))
print(generate(0, 5))
print(generate(8, 5))

@lapis radish :white_check_mark: Your eval job has completed with return code 0.

001 | 2y
002 | 2yW4A
003 | ox9yi

https://tenor.com/view/kid-funny-book-transfer-knowledge-cute-gif-17778986

Is it possible to do this in a way that the seed could be a string? I'm trying to use a user entered string, jumble it up, and then enter that as a seed to generate the string.

str -> bytes -> int

I think it could be fairly secure (I really wouldn't be surprised if I was wrong though). I want to use a password someone enters, salt and hash it, and then use that hashed password as the seed to generate 100 or so random letters and numbers assigned to each English letter and number for decryption / decryption.

For example: "Test" would be a string of 400 random numbers and letters. When decrypting I'd split it up into 4 different strings of 100 characters and run it through a dictionary.

Ty! Let me try it real quick.

Basically substitution ciphers are not very secure

By not very I mean not at all

Yeah. I've essentially got my passwords on a .txt file on my desktop, which will probably make every single person in here have a panic attack 😄 I need it to still be recoverable, but the main password I'll properly hash and stuff. So far doing that is the only way I could really think of doing it.

Why don't you use something like KeePass?

I'd like to have something that I know isn't doing what ever they like with my PC (although I really doubt any actual software would), I also find it worth the "slight" security issue compared to a proper one to have it integrated into my software as a little tab essentially.

Code is open so you can analyse it as well

Basically inventing own format is not so easy when you want to do it proper

I definitely think my version would be really bad compared to a program made by people who actually know what they're doing when it comes to encryption, however having it integrated into 1 single program with all my other stuff is really worth the trade off for me. Still, I feel like it'll be secure enough that if a hacker gets access to my computer they'll have a very annoying time trying to get my passwords, rather than just double clicking on a .txt.

Okay, when you will have another questions feel free to ask them here!

I’m not sure if this is security related, but here goes…

In OAuth2, you’re handed a token after authenticating through discord or fb or amazon or whatever… does anyone know what to do with this token on a backend and also on the front end? Does the token get stored in cookies? How else would the request to an API include the token? I’m so confused on this and it has been two weeks haha

(This might be closer to a web dev question maybe… )

yeah you store it clientside then use it in future requests

I see. Is it okay to simply decode the token on the backend and then match userid == userid_in_my_db? since the oauth provider already proved that that user is who they say they are?

I can implement that logic but I am trying to be weary of security

https://tenor.com/view/ronan-sheesh-sheesh-gif-21479305

kali

custom arch distro

Is it possible to automatically and securely boot from fully encrypted hard drives without having to supply any kind of keys?

Well, a rephrase of this would be is it possible to boot from gibberish?

Booting requires code to execute, it can't execute if it is encrypted.

Hmm yeah I'm not aware of all the possibilities. From what I understand its possible that this encryption can be done at hardware level and these encryption key could be stored in BIOS or somewhere else.

I am mainly curious about the best ways people have found to encrypt drives while maintaining convenience and security.

That seems much more plausible. I hope someone here can share some more information on it.

Why bother encrypting an entire drive to begin with? There is software that can decrypt files and temporarily mount them as a drive, so they stay encrypted on file unless you open it to add/edit.

I think goal is to more difficult to compromise in case disk is stolen or copied.

Have you ever heard about TPM?

I think I have heard of it but don't know too much about how it works.

I heard some work on encrypting ram. https://arstechnica.com/gadgets/2020/02/intel-promises-full-memory-encryption-in-upcoming-cpus/

I think that you shouldn't rely on Intel's ideas - you can read about SGX and how "secure" it is

how is python used in the security domain ?

https://www.nginx.com/resources/library/web-application-security/
this is cool book to read you know, it is even free

together with
https://www.oreilly.com/library/view/web-scraping-with/9781491985564/

it makes a nice... security basics for attacks and defense

or at least I felt my sword sharped and shield polished after reading them

thanks man !

suggestions for selling licensed python programs?

Basically you need to obfuscate your code because it's dangerous to give source code

obfuscate + turn into exe?

generate some license thing on server side and have client exe who bought a license code have that tie to their machine ID in server DB and require that validation in order to run the program?

Yeah, something like that

I am not familiar with this topic but afaik it would be nice to compile license into final binary

All depends on your needs and requirements

In my company license file is next to binary iirc

i haven't implemented it yet so just kinda lookin around at ideas

Do you allow to run your code offline or not? Is it required to connect with license server?

the program itself is for an online application so i guess it'd make sense to require it to be online

if it's for an online application you could not worry about the client program and just do auth/payment checking online

e.g. playing an online game, it doesn't really need to do any drm locally because if you log in with an account that doesnt own the game it just wont let you play

https://cryptolens.io/2019/01/python-code-for-software-licensing/ was looking at this

i don't think people will want to register for my thing

i think that might detract from potential customer base

it's an accessibility tool

Can you write a little about your product? It's hard to think about nice solution without any details

trying not to say too much but it's like helping people with tendon issues or visual difficulties with an application that could be difficult if they have them but it' snot exactly like a super novel enormous project its a small thing

parts of which are probably already readily available and free

so that's why i think like having a lot of red tape to getting into the process of using it wouldn't really work for consumers

I am not asking about deep details but you can think about answer for those simple questions:

• Do your program can work like *-as-a-service? (Can you deploy your program to be cloud-like?)
• Should your program works offline?
• What to do when you lost connection during work?
• Do your users have accounts or you prefer file-like licenses?

it's strictly online

or rather would only be used while the person is online

seems like file-like licenses would be good? it's a python program in its current state

Do your program perform long time computations? Do you need IO operations?

well it's accessibility so it works with the screen mouse and keyboard

and is constantly running

Maybe it's easier to create web application?

i'm not really sure all the stuff i implemented is in python lol

with like winapis and stuff

I understand but maybe more suitable form will be web application Hard to say without details, you must answer this question on your own

Creating file-based licenses is non-trivial task from my point of view (if you want to make it secure)

i see...

so the idea i had above like is just very much underestimating the actual difficulty?

user purchases license key, they claim it through the app locally where it connects to server, registers their machine id with the license key, stores the pair in a DB, and passes over a token for them to match with in order to run the app

How do you get machine id? Is it something like fingerprint or what?

serial numbers in the registry i believe

This is extra question because I am just curious about that 👍

Basically you can generate some certificate-like file which allows program to work

Or even make a simple hash from random salt, license key and machine id, save it somewhere and compare when user will try to launch a program

Hide salt somewhere on a server side and require from user calculated hash, license key and machine id (or even without license key, you can store pair (license key, machine id) in DB)

is a hash and salt needed if it's tied to the machine ID?

Hmm, right. Technically not

i think this can go here? is there a way (maybe cross-platform or at least on windows) to monitor when files get opened by any running application? like if notepad.exe opened a file called my_text_file.txt, the program could detect that and display notepad.exe opened my_text_file.txt? sorry if this is a stupid question, i'm not a security person at all and i don't know where to start

sounds illegal

https://superuser.com/questions/48498/which-files-are-opened-by-a-specific-application

What? How?

just reminded me of keylogging or something

i sent a link that might b helpful anyway cuz it was just an idle thought

Is this the channel for asking about executables?

Like I have a python project that depends on a few libraries and what not but if I want to share this with my friend who is like

technologically illiterate

he just wants an installer that's just gonna work

Is there a popular guide for that kind of thing?

Auto PI to Exe

there's probably quite a lot of guides out there on how to use pyinstaller, which is probably what you want

Pyinstaller

It's the best

pyinstaller main.py

It will generate the exe.
If you want it in a single file

pyinstaller --onefile main.py

If you want windowed
pyinstaller --windowed --onefile main.py

You can read the doc.

Has anyone used scapy before

Yep

asking your question first is probably a better way to get help though

I am trying to save the packets sniffed to a file do u know have or save the session

I have tried many things

@quick osprey does that account for all the files main.py imports?

Yepsy

It compiles all of them

and turns into exe so they dont needa install python or ne of its dependencies?

so how do i bundle all this stuff up into like an MSI

i'm geussing there is just a tool for that too or something

Hi,
I used to poetry to set up a virtual environment. The depedency solver found openpyxl==3.0.8 and installed it

however that version is gone now from PyPI, but installed locally

and I cant get any info on this

any idea what could have happened?

Interesting, you can use source code https://foss.heptapod.net/openpyxl/openpyxl

https://openpyxl.readthedocs.io/en/stable/changes.html

according to this it was released this month

thanks, I created an issue asking what happened

https://foss.heptapod.net/openpyxl/openpyxl/-/issues/1747

tl;dr 3.0.8 contained changes that werent meant to be in there, so it got removed

problem solved

🎉

How do I turn an exe directory (build/dist) etc from pyinstaller into just a single like MSI installer that I can distribute to people?

I am not quite sure that this question meet the scope of this channel

Securing code against hacking through techniques such as data sanitization and encryption, and protecting yourself and your devices.

ah okay my bad

that'd be devops right

now im very new to doing anything user related, do i even need to encrypt data on a GUI app? How can the backend be accessed(desktop not webapp)

You don't need to encrypt non-sensitive informations (like program configuration)

the answers in a quiz app

Depends on questions lol

I mean like is it even possible to access said info?

Generally I don't think that you need to encrypt it

they r interacting with the gui only so how wud they even access this info?

When you store answers in some file then you don't even need a program to read the data

alr. So if all data is stored inside the program(No CSV,excel sheet...etc) this data cant be accessed?. Thanks for the help!

In memory (RAM)?

Hmm, technically it's possible to access to it

I am not an expert in that area

thanks for helpin

https://giphy.com/gifs/memecandy-jUEuQU7RGyYsdnXHvF

idk where else to ask, but I need some advice about how to use Casbin
My case: I have multiple companies, each with its own role hierarchy. I don't want admins from one company to be able to edit another one
Do I have to create separate policies/groups for each company and each user?

Hey @coarse cedar!

hey could i talk to a cyber secuirty professional pls

What do you need?

Interesting, never heard about Casbin I will ask my friend, maybe he used something similar before

Much appreciated

i have thought using a rat for ethical purposes

but my may concern is that i accidentally rat myself

i have been looking into these to rat software from github

like powershell-RAT and thefatRat

!rule 5

Basically talking about hacking is prohibited here

oh

but its ethical hacking

Regardless who you are - blackhat, whitehat, trollhat...

alright

fair point i will go to another discord server for my answer

rules are rules

Exactly 🙂

Whenever you use ssh to connect to a new remote machine it will tell you a fingerprint or public key/cert? But how do you know that server and fingerprint is correct?

I have also wondered about this

https://www.phcomp.co.uk/Tutorials/Unix-And-Linux/ssh-check-server-fingerprint.html

oh cool thanks

there was a cafe with no password on their wifi

i was scared of MitM stuff

like i didnt know how to tell them they should add a password to their wifi without sounding like a jerk

so i didnt say anything

Imagine all the damage a packet sniffer could do

but if the password is publicly available a potential attacker could, ya know, just use it......

uhh if the data is passing over an encrypted communication channel theres not much damage you can do. People always seem to overestimate how damaging packet sniffers are (OMG you need NoRdVPn sCaRY PaCKEt SnIFFeR). Unsecured wifi does not equal unsecured communication channels. Furthermore even if you were being Mitm with an arp cache poisoning attack the data is still encrypted none of that really changes.

the most you can do is maybe view source and destination IPs but who really cares about that

You say that like decrypting WiFi traffic can't happen at all.

sure it can but its highly improbable

Hi, I get a PDF uploaded to a webserver - can I easily, somehow, check that it's a safe to open/parse actual PDF file?

if you have well implemented TLS for example your not touching any of the data there

Also I want to extract some info from the document so any libs on that would be nice to know. The structure is quite fixed

try it yourself tell me if your scary wireshark packet sniffer can pick up and allow you to brute force HTTPS POST creds

I'm just saying, if someone captured some packets and has all the time to play around with the trace, all it takes is time to do some harm

no they cant

if your using proper TLS

No they cant

ever heard of diffie hellman key exchange?

technically true, but it's a lot of bloody time 😆

its designed specifically to allow for key exchange over unsecured networks

TLS implements it it was made to prevent MITM

unless your telling me youve discovered an algorithmic flaw with the RNG nonces in TLS or your telling me youve found a cryptographic flaw in the diffie hellman exchange algo you arent touching jack shit I dont care how coked up you are on kali linux or john the ripper

hi

i cant speak it in vc

<@&267628507062992896>

did that really require you to ping every admin

Read the info in #voice-verification

Can i Talk

oahhhhh

Looks like this question is more suitable for #community-meta instead of #cybersecurity

#bot-commands

Has anyone heard about "Android/Trojan.Dropper.Agent"?

I deleted File that yesterday with the help from eset antivirus but idk if I should change ALL my passwords

Thx

It's a fuss but better safe than sorry I guess

How do I make ban command?

Ban and kick command?

Oh wait no I'm talking about disc.py, i might be in the wrong server

Hi

I have make a website

You can upload image on this site

how to check if there are not code in the image ?

I already check the extension of file

if os.path.splitext(request.POST.get('avatar'))[1] not in ['.png', '.jpeg']:
        return HttpResponse(f"Not valid image, use jpeg or png instead of {os.path.splitext(request.POST.get('avatar'))[1]}.")```

But it is possible to send php code in image

there is no simple way to identify if a file contains a virus in python, as there is a special software called anti-virus that is supposed to perform this difficult task

what websites usually do is remove all the extra metadata (optional information) from the provided (by user) image, so the only thing left in the file is just raw image which should be safe to store

https://stackoverflow.com/a/19787239

one example for reference

More #discord-bots

hello guys, i am a new . can anyone help me. the question is ( how i need learn python for cyber security and pentesting? any books? web ?

first learn the basic python first and then go in the advance part https://www.google.co.in/books/edition/Mastering_Python_for_Networking_and_Secu/4vxwDwAAQBAJ?hl=en&gbpv=1&dq=cyber+security+for+python&printsec=frontcover (this book might help)

Hi everyone I'm trying to learn a bit more about networking and security and I have a few different questions for one when sending sensitive info like passwords I should encrypt them using receivers public key so that they're private key can be used to decrypt the data

now from my understanding private and public keys change so I would always exchange public keys when establishing a connection and then use those keys for the duration of that connection

my question is would it be more secure to generate new keys for every single message and exchange those keys before sending the messages?

this way if an encryption is broken at any point only a single message will be compromised instead of every single message sent during the session

I would also not need to store the keys although it would introduce more latency since I would need to ask for a new key for every single message

another question relating to this is also how should I store this encrypted data

since the keys are constantly changing I cant use them to store the data since as soon as it changes I will be unable to access the data anymore so I assume It makes sense to have a specific key for storage encryption that doesn't change

however that also means if that encryption is cracked at any point my database is compromised

so should I periodically change the keys and update the encryption (if thats even possible)

and should I also use multiple keys for my encryption so that if one is compromised only a small portion of the data is leaked

nvm you can ignore the second part about storing passwords since I forgot that I should store a hash not the encrypted password so this part doesnt matter

anyone know how to make a symmetric Encryption in Python and the program takes as input from the keyboard a plaintext message and encrypts the message using either AES or 3DES encryption. The program automatically generates the necessary key, and outputs the corresponding ciphertext on the screen along with its decryption back to the original plaintext and the key used for encryption.

Where can I upload a file so that when I open the link it will download immediately without pressing anything?
please

just get to the mainn file location

eg: if u click download button it will fetch some kinda link lile https://download.com/softwares/downloadme.py

but instead if u go to the link it will direct download the file
https://download.com/softwares/downloadme.py

I am afraid that it's not possible

It's better to have same pair of public/private key (exchanging can be non trivial) and generate symmetric key, then encrypt symmetric key with public key and data with symmetric key (it's hybrid encryption scheme)

Do you need to implement AES or DES on your own or use existing library?

I assume in this case I have to add more logic to check when the keys change updating the keys when this happens

also do you know of any good resources to learn a bit more about how I could implement this kind of system using sockets?

You can store data in the following way

+---------------+----------------+
| ENCRYPTED KEY | ENCRYPTED DATA |
+---------------+----------------+

one of the reasons I asked about sending new keys every time is because It seems easier to implement btw

You can check pins on #networks since network communication is out of scope here

To guarantee the security you should be able to verify public key to prevent Man-in-the-Middle attack

So the easiest way is to manually copy public key instead of generating and exchanging it

but couldnt this still happen if someone else has the public key?

Basically imagine that you are A and there is B person who sends you a public key. How do you verify that the key is from B? It can be from another side like C and you cannot distinguish raw public key from B person and C person when it is generated every time when the connection occurs

yeah I hadnt thought of that lol

but couldnt an attacker still intercept the public key when its being sent?

but the public key doesn't allow them to read the conversation

generally mitm for asymmetric encryption involves posing as a client to the server, and as the server to the victim

The idea of asymmetric cryptography is to allow everyone to encrypt data with your public key and then only you can decrypt it with your private one

This is why you need to store securely your private key

ahh so I could still have the issue with data being written by an attacker but they wont be able to read any data?

so you send the victim your own public key, decrypt what they send and read it, then send it on to the server after encrypting it with the server's public key

Read Example on Wikipedia: https://en.wikipedia.org/wiki/Man-in-the-middle_attack#Example

how would i protect against this?

Or use certificates

It's better option but you need to create your own CA

I dont see how that protects against this though

Then certificate contains data about the owner of the key so you can verify it

couldnt a certificate be forged though or is there some other system to prevent that

You need to have access to CA's private key to make a fake certificate

It's not easy when you store your CA files securely (like on offline system)

the way to defend against it is to have some way of knowing whether a public key is 'good', if you have a list of trusted public keys built into the computer then you can check it against those

or in the case of a certificate authority the public key you get sent could be signed with one of those

so you have a chain of trust and you know that public key was issued by a reputable source

alternatively you can pin certificates, e.g. mobile apps often know the public key of the server in advance to stop people doing a man in the middle

I see how this works for preventing data being read from the server

but I dont see how it prevents someone from writing to the server when posing as a client

there also seems to be a lot more going on here than I initially thought lol

yeah it doesn't

all that public key encryption guarantees is that only whoever sends you that public key can read what you send them

assuming they have the corresponding private key

You can require client certificate during connection

so you don't necessarily know whether that's the 'right' public key (or that they are who they say they are), and they don't necessarily know who you are

hmm do you know some resources that go into secure communications covering all of this?

it doesnt have to cover implementation I just need to understand how everything works and the potential attacks it defends against/ doesnt defend against

I don't know any books or videos about that but you can read how SSL works (both server verification and client verification) and setup simple server to see how it's working in real life

how did you learn about security?

uni or just picked things up over time?

I earned core knowledge about cryptography from my studies however those things like setting up server with SSL or system hardening and so on I learnt from online blogs and personal experiments

fair thx for all the info 🙂

You're welcome! Feel free to ask your questions here anytime you need!

any idea on how i can make a flexible script to automatically secure a database connector?

What do you mean?

its just an idea i have, so theres a function i can call whenever i want to secure a database connection? something in those lines

Which database are you using? For example PostgreSQL has the following page on docs https://www.postgresql.org/docs/9.3/ssl-tcp.html

the database isnt set yet, but can i use ssl to secure a connection?

As you can see it's possible. There is also option to connect via SSH iirc

so lets say i have 5 databases getting added every day, can i just write a function and pass the specific parameters to the function and the function automatically secures the connection so it cant be exploited

If I understand it correctly - yes

so what type of security would i use?

Check https://www.postgresql.org/docs/9.3/ssh-tunnels.html - you can use SSH tunnel so write the simple bash script (or you can use Python library to do that)

appreciate the help

anyone know how to solve a text Steganography?

What do you mean?

finding a a hidden message in a text

Do you have any knowledge about algorithm?

not really im doing research

You can try to search for known algorithms and adapt it to your problem

I never heard about any (steganography algorithms which hide data in text)

okay thx

steg is just guess godding until you find the exact tool that the author used

Working on a Django project and I'd like to hash some information to be verified by another process that has all the same access Django does. Looking at Django's internal source, it's computing a salted HMAC of the user password for session keys. Would it be safe for my use case to compute a salted HMAC of the Django secret key salted with a nonce that I send with the transaction?

Which hash function is used for HMAC?

sha256

I was thinking to use sha224 since it's more lossy, right?

SHA-2 224 is the same algorithm like for SHA-2 256 but gives less bits in output

iirc

I think that salted HMAC would be okay in that usage

Hello everyone. I was playing with the Pytube module to download youtube videos and everything worked fine with my script. Then I had the wonderful idea of making my script an executable, so I could run it quicker. I installed the pyinstaller module and followed some instructions I found on Stackoverflow to create the exe file. After finally creating the file I ran it and instantly Windows Defenders tells my that I caught a Trojan:Script/Sabsik.TE.A!ml virus. Should I be concerned? What can I do?

!ytdl

My only concern with this is if someone were to try and brute force a captured token, given knowledge of its composition. They could then run a brute force attack to gain the secret key because all other inputs are known. I guess the only real solution to this is to have a very high entropy secret key, though?

Basically (almost) every algorithm can be broken by brute-force attack (so very often is used to benchmark how the algorithm is secure)

If you are afraid about this then use SHA-2 512 instead of 256

It uses bigger internal state and gives more bits at output so it gives less chance to guess the input

That could work - part of me is wondering if I should be using some kind of PAKE or something rather than this, but I don't really know.

However keep notice that there can be many inputs that gives same output

You can think about some kind of protocol to exchange data between processes but all depends on your requirements

Sometimes simple solution is good enough

Currently my HMAC is computed against a timestamp, a command name, a target name, and the Django secret. I'm currently adding a nonce for use as salt. The timestamp is used to ensure each token is only valid for some number of seconds. This is for authorizing commands to a gRPC server.

I can look into it later - it's 1 am here

Thanks for all the input already! 🙂 Don't let my endless musings keep you here.

You can write a little description what do you have or what do you want to achieve and maybe someone else will look into it 😉

You're welcome! Good night then! 😴

The length of hash isn't important aspect. It's how long the hash takes to compute.

The bits of input matter, though, right?

(on that note, how many chars for salt? is 32 a crazy number?)

Fully random salt you don't need that many as long has you have a good algorithm and password policy.

well, using Django secret rather than password but same principle applies

The other inputs to the HMAC are essentially no entropy, so my thinking was that the nonce + secret will carry the burden of providing input entropy... or is my thinking outdated?

I'm not sure what you are trying to do.

I have an RPC server that accepts commands. It's got no auth mechanism. I'm extending the protocol to provide authorization for commands.

This should allow me to safely decouple the daemon in my project from the web interface in my project, they will just need a pre-shared key.

(I will add TLS at some point, too)

I don't know much about this but I think it would make sense to use existing methods to authenticate and provide security rather than implementing it yourself.

I'm totally open to that. I'm using gRPC to define the protocol, and it doesn't seem to have any authentication methods to use for pre-shared keys.

https://grpc.io/docs/guides/auth/

They are adamant the "g" doesn't stand for "Google" but then you see things like this 🤣

I think you can just use TLS but supplying your own private cert/key

Certainly that would be one layer of security. I think that only authenticates the server to the client, though, and not the other way around, right?

So I would still have to decide what clients I can trust. The obvious way to me is proving access to shared secrets, but I'm definitely interested in exploring more robust options.

A friend just reminded me about quantum computing threats. I have to start over now. 😄

What does quantum computing have to do with this. Just try to pick good ciphers for TLS and such.

Oh I have a terrible surprise for you

Here's a blurb from Micro$oft after they did some study on the subject https://cloudblogs.microsoft.com/quantum/2018/05/02/the-quantum-computing-effect-on-public-key-encryption/

isnt this still theoretical

less so all the time, but yes probably for now

the algorithms aren't theoretical we just need a computer capable of running them, but it seems like Google at least is quite close

by definition, if they're just algorithms rn, then they're theoretical

I'm confused are you afraid Google is going to break in and use your server?

of course that may change in the future

but still theoretical as of right now

I'm not afraid that Google is going to break in to my server. My concern is that I'll probably deploy this project at work, and if I ever leave it'll probably sit there and chug along until it either breaks or something dramatically changes. So ideally I'd like to do whatever I can to make sure it'll be secure 10-15 years from now.

This is why I noticed that SHA-2 512 used longer internal state - despite of this I cannot agree that output length is not an important aspect

16 bytes of salt is good enough, 32 is okay too

Forget about quantum computing, it will take years (or even decades) to be popular and available for normal people (like not gov, military, academic researchers and so on)

Basically security is a process so you cannot setup something, left it for 10 years and be sure that it will be secure for all this time

It probably won't work

Oh I'm certain it won't work, but it's perhaps a reason to at least use stronger-than-required parameters to give it a fighting chance. 🙂

When you want to be quantum-resistant you should take a look at lattice-based cryptography

It's the only proved scheme which is quantum resistant iirc

I see that there are a lot of quantum-related articles on IACR

In the context of hashing for passwords to protect against brute force, you want much slower hashing functions. Just going to SHA-2 512 isn't enough for most applications.

This may involve running faster hashing algorithms x many times etc.

You notice when you try to enter password on many systems and you get it wrong they enforce an additional delay as well.

Example: https://en.m.wikipedia.org/wiki/Bcrypt

Yeah sha2 is too fast

bcrypt scrypt or argon2 for pwds

Running a Django app on py 2.7.x now all of a sudden getting this error:

SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
my domain certs are all up-to-date.

I use LetsEncrypt to issue certs

hi

The largest DDoS attack in history happened this year against a Russian tech company. Hackers were able to use a 2018 exploit that some modems had to build a botnet and launch the attack. The botnet was able to generate around 22 million requests per second.

a

As far as I remember we were speaking about hashing secrets, not passwords directly. I understand that password hashing requires a little different traits of hash function

It's different topic than hash output length which is non negligible and you should use algorithms with big enough internal state and longer output

Try to update your system

Hey... So i am using a wpa2 enabled wifi and my neighbour above(a kid) who is learning cybersec... He knows what i am doing realated to the internet... Does this mean he knows the WiFi password? ping me back

What do you mean by he knows what I am doing He knows the sites and so on?

The other day he was like called me when I was listening to spotify and asked if i was listening to songs...

Check on your router or any other network device connected devices

Block any device that isn't yours

Change password

how to do that 🥲 ?

Idk what device do you have

I kind of changed password a month or 2 ago

having a pc now

Network device

you mean the modem?

Yeah

my bad

No problem, don't worry

I have a 10digit long pwd with too many symbols, so it should be impossible for him to bruteforce

and today, he just did a deauth attack, and created his own open network
When i connected, it opened a new tab in internet asking for pwd... since I knew it was him i just typed "I know its you(insert name)"... then 20 seconds later, the open network vanished and so did the tab

We have to login into the router homepage and then change?

Do you have your password on a paper or something? Like attached to your freezer so there is possible to see the password by the window?

ummm...no

Maybe you have virus on your computer

I am actually living in an apartment, so he is on top of me

hmmm

Do you have any antivirus software?

avg

He is just a 9th grader learning this stuff online

I am using MalwareBytes, you can download Kaspersky too and scan your device

oh..k

Since this is a Python discord, is it allowed to ask questions about Wireshark? I will use python with it, but right know I'm having issues identifying video streams, so it might be off-topic

Is it security related? Maybe more #networks?

Only thing security wise is that it's encrypted and the name of the protocols change, for example, RTP (Real Time Protocol) turns into RTSP (Real Time Secure Protocol), but I don't know all the name used in video-streaming protocols. The main issue being that most of the documentation is outdated. I have no concern in decrypting but I want to get most info from the communication itself. So a bit of Intelligence on it too.

I'll ask in Networking. Thanks man @lapis radish

i know this is not python.. but please help me... what is persistence in a live usb and how to set it up?

and how to use it?

pls ping me

You're welcome 👍 When it's network-security related you can ask here as well

Hello

I have asked a question regarding python 2 to python 3 code conversion maybe 6 months or a year ago

I needed help regarding that because I was stuck in a problem which was of the python 3.9 version

So now there's a new version of python so maybe that problem went away

The problem was about the netfilterqueue package

Anyone knows anything about that?

I worked few years ago with that lib

What's up?

I don't actually remember but I was facing a problem converting a python 2 code which was of a dns spoofing to python 3

And it was providing errors

About the c liberary

Waittt letme grab the code

From somewhere... It was almost about a year ago

M

My code is < 2000 words so I can't upload it here

Why you put str when error says that you need to put bytes?

Is this your code?

!paste

Done

Yeah I also tried it at that time but it was giving another error

Paste link

https://paste.pythondiscord.com/goqabehijo.py

What error?

Sorry, I don't actually remember it
Could you just try and run it? To check the error

I cannot, I see some calls with iptables, I don't want to clean the mess after execution

https://github.com/Avishdhirawat0/Ethical-Hacking-Python/blob/master/dns_spoof.py

Check here it's updated

Ohh okay... Let me try it again... I'll get back to you once done

Also I am not sure but spoofing is against rule 5

!rule 5

Hi I need help with this

This activity

And I have this website

I don’t know what value to put for left middle and right initial rotor value

I also do not know what to put for the plugboard.

Thank you 😀😀😀😀

Like what even is a left middle and right initial rotor value

so my neigbour tried using fluxion on me to get my wifi password but failed... Is there any other method for me to hack his password for payback? Ping me pls.. I know its not really ethical, but he started this...

There is a really good way

Really??

yeah

Dm?

I'll put it here

K

Basically when you see your neighbor

beat him up

1, 2, KO

Wow...

this is not a great place to ask about hacking your neighbor...

there are actually resources online though

Oooh..

It's not really about hacking... It's more about how to keep me safe from he hacker next door

But i get it...

Can someone tell me if fluxion is the same as evil twin attack. Ping me pls

Hi !

I want to script my own tools for infosec ... Im torn between Python and ruby ?

I know I'm asking this in a python discord channel 😋 ..

Just trying to understand which. Would suit better for security tools

!rule 5

Understood

Thx and sry

@lapis radish

Generally you can write tools in any language which supports I/O and network operations so it can be Python, it can be Ruby, it can be any shell
Pick what you want

Report it to police

Fyi there aren't really any proper cyberlaws in my country (india)

And they won't even respond to such petty things.. that's how our police are😒

Sad to hear that but you rather should make your network stronger instead of hacking the attacker

evil twin it's eternal?

building a personal firewall is pretty fun too

though a tad tedious

It's a legit course... Learning Ethical Hacking, A udemy course

Hmmm.. will look into it

Hello everyone I had an idea for an app where I would let people write bots and the bots can compete against each other or players who want to challenge them

issue is for this to work the way I want I need to allow for remote code execution

and specifically I also want them to be allowed to send in whole folders of code + companion scripts/files that they might need for the code to run correctly

is there any way I can do this without introducing vulnerabilities to my server?

somehow you must verify the user code is not acting bad, with dynamic languages is hard to check

yeah thats the issue I was thinking of maybe running their code on a virtual machine same way I get my server as a virtual machine

I want the users to be able to run literally anything that they might need to make it work no matter the language or dependencies

I also thought about having the users run their own bots locally, but the issue here is that I have no way of ensuring that they keep their bots running for other users

and I also wouldnt be able to get the code they used to write the bot this is the bigger issue for me tbh since I want others to see and learn from what they wrote

anyone good with selenium?

does someone here know something about wireshark?

or decoding tcp stream?

hmu

okay bois

i have a serious doubt

how tf do u remove spotify ads without buying premium like legitimately

!rule 5

I think that breaches TOS my friend

how do I use the youtube API
with python
to make a youtube video one like higher
thats what I meant
so how do I do it?

!rule 5

making a like bot probably also breaches TOS lol

Whats TOS?

terms of service

I just want to learn how to use the youtube api

with python

https://developers.google.com/youtube/v3/getting-started

I already tried that website

is there anywhere else

It didnt help me

no idea search it up either way this probably isnt the best channel for that

this channel is for security questions

then which channel should I use?

im just here tryna listen to music without havin ads about removing ads

maybe networking? or just get a help channel #❓｜how-to-get-help

I tried how to get help

yeah I dont think spotify wants that unless you pay for premium

yeah they have made that abundantly clear

basically rule 5 means you cant get any help for that here (as in this server)

ohhhhhhhh

i see

what u r tryna say

u naughty minx

https://tenor.com/view/naughty-dog-naughty-dog-he-knows-smirk-gif-17855811

it depends on what effect the code will have on the overall game. If there is a limitation on what the user can do in terms of their bot, you can consider creating your own small scripting language where you control what goes in? If the code is dynamically interpreteted it will get harder to run the code in some kind of sandbox, unless you're just expecting some return value

I thought of this but I want there to be no limitations whatsoever

Ideally if I can run some kind of container where their code doesnt effect anything other than that container like a vm it would be perfect

since I'm gona have their code run through sockets anyway it doesnt need to have any access to anything

so basically python scripts competing against each other?

could be any language

then it would probably be the best to assign every game instance to its own sandbox (container)

but how does it work if all languages are supported exactly?

the only thing I'm worried about is if this still causes issues since I heard that if a virus is aware that your running it in a vm it can still cause issues

I will write some documentation for how people should write the code and probably ask that everyone adds a docker container to account for the dependencies then I will run the appropriate commands through some other script

yeah but like the game overall, it would mean that every game should only have one language at the time?

I'm thinking I will write templates for some langauges like python and JS and for other languages the user should figure it out themselves

nope

so its not really dependent on the server

more like a p2p thing

yup let me explain some more

https://murtada58.github.io/websockets_tic_tac_toe/

have a look at this

the client communicates with the server using websockets sending it commands

if a language has the websocket protocol implemented it can communicate with the server

the idea is that I will have people write programs to play the games and do this but I will run them instead of letting them run them

so more like the people create the games

nah I make the games

they just write programs to play the games

competing against each other

whether they choose to do it by using certain algorithms or neural networks etc its all fair game

I just want it to be as flexible as possible

hm, so all the input from the clients will only be the code? after that the server decides the winner

the only reasons I want to run it myself is 1 so that I have access to the code 2 so I can ensure that its always up for others to play against

not sure what you mean but you can think of it like this users can only send inputs ie move up move left

and the games will be played out normally

ah right

so its all live

yup

all networked

but what would be an example of a game which u would create based on this? if users can send whole scripts and not commands then what stops them from abusing the game (if thats even possible)

the whole point is they cant abuse it since the game will be programmed with this in mind

so they can only send updates that make sense for the games rules

for example what I sent is a game of tic tac toe

the users can only affect the board on their turn by sending a number corresponding to the cell they want to update

if they send invalid inputs or it times out (lets say it took over 10seconds to repsond) I will say their code doesnt work and let them know

yeah it makes more sense now. Although for tic tac toe you wouldnt need the code to affect the server directly? You could use the return value of the script (with a set timeout) and then use that return-value to affect the board

not sure what you mean

if your saying I can do this client side then no because that code can be affected by the users

all checks will be done server side

pos_x, pos_y = execute_client_script_safe(...)
validate(pos_x, pos_y)
affect_board(pos_x, pos_y)

well it wont be like this

its hard to explain how the code is gona work lol

but basically it just sends json to my server and the server does what it needs to based on the json it gets back

and then replies back with its own json to update the game

ngl I wasnt planning on giving out this much info lol

but yeah back to the issue at hand i need some way to execute the code they sent without compromising my server system

if you need the client scripts to be able to modify the game directly then you should put each game in its own sandbox and isolate them from the rest. If you only need the return value of a client script, e.g the return value of a function which the client provide, then you should only need to isolate the client script itself and execute the function in the sandbox, and use the return value in the server

I just need the return value

there are proper ways to isolate code, in your case games, without harming the rest. one example is how this server handles eval

so yeah i guess my question is how can I isolate the client scripts in a sandbox

then you should only need to run the client scrip in an isolated environment, and not the whole game

I suggest you look into how this server handles !eval

(using docker containers)

idk I heard eval is a security risk in itself

there may be other solutions out there, I'm not too familiar with them, but something like "codejail" or some other sandbox

yes running eval directly is definitely a security issue

but you would isolate the script

ohh I think codejail might be just what I'm looking for

yeah codejail looks good, I also think pypy has its own sandbox thingy

can I control the amount of resources allocated to the codejail as well?

I assume thats possibe, alternatively you can also consider mixing codejail with docker container in which you can allocate only a specific amount

and just to confirm do you think codejail will walk work any language?

it says its specifically for python but can work with others just dont know if theres a catch

why is no one helping me

<@&831776746206265384>

inappropiate reactions

I think it just executes any code in an isolated environment, I dont know much more than that, havent used it myself, sorry

all good you've already helped me a lot this pretty much answers my question

worst case scenario I will make it just for python

thx so much for the help 🙂

no problem

!ban 793053965171687425 14d No clue what made you think that's appropriate, but it's not. Should you decide to return, keep it SFW, as per our #rules and #code-of-conduct.

:incoming_envelope: :ok_hand: applied ban to @fickle bronze until <t:1634507211:f> (13 days and 23 hours).

where are the client scripts executing? on an untrusted client?

doesnt really matter to me as long as I can control the execution pretty much

i'm thinking unless you're executing the script, not much can be done.. but the concern would be on your server, right

my current idea based on my discussion iwth awking is to just make a sandbox for each script and execute it when needed

yup

just want to make sure if someone submits malware that it doesnt affect anything

I will have some simple checks to make sure its not using too many resources and that it doesnt take too long to respond

just to be sure

people are invoking scripts, and the execution is happening on your hardware?

yup

oh i see. yeah, definitely a sandbox 😅

or three

well not my personal hardware but something like a linode for example

gotcha

preferably no internet

other way

I will communicate with them using a websocket connection

that seems ok, then

as long as they can't just initiate connections to outside

^^

not sure if its possible but i also want to limit their bandwidth so they cant just start downloading a bunch of stuff to mess with my servers internet connection

actually I could have a seperate socket server for them on localhost since they will be on the same machine anyway

but in the isolated process you would not want any internet connection

and then just cut their internet

the websocket should be on the server-side

do you think local host would still work?

since that doesnt use internet anyway

probably, i'm sure codejail handles this though

one issue now

I would need the users to write the docker containers themselves

but I need to set resource limits on the container as well

do you think I can write a script server side that modifies the container they send to add the limits?

why would the user need to create a docker container though?

because they can have different dependencies

dependecies apart from python libraries too?

btw if say they send in 2 files one in python and one in c the python one plays the game properly but also runs the c file at some point

and the c file is malware would codejail work against that?

well ideally it could literally be any kind of dependency

anything you feed to codejail should not have an effect on the server system

you could read up on apparmor if you want to understand a bit more under the hood of codejail

for now I think I will probably just limit it to a single python file and work up from there as I learn more

btw why did you ask if its just libraries?

because you could preload the sandbox with some certain libraries, making it faster. Allowing docker containers would technically allow any image, which would increase the time for the script to finish

because all external dependencies must be downloaded, in which case the sandbox also needs an Internet connection

unless the user already provides them

but you should definitely start with only a simple python file

this is just something to keep in the back of the head when extending the project

hmm rn I'm thinking they send in the docker container and their script I modify the container to include the resource limits then I run everything using codejail

you can do that too

just thought it would be ideal to maybe have a ratelimit on the client script

It shouldn't need to run for 30 minutes

as you say though actually forgot about how long it takes to spin up the container image

I could keep them running forever which would remove that issue but then they would take up resources while idling

hmm what do you think of this I make it so they can only send 1 python file using a few different predefined libraries and then I dont need docker at all

I just need to get their script and run it using codejail

I can look into extending this later as I learn more

ngl I actually havent really used docker before lol just know a bit about it

this is how im currently thinking of going about it rn based on all this

the client gets served the website from the django client

the client then makes a websocket connection

if the client is signed in or signs in the django server sends the clients credentials through the client to be sent to the websocket

the socket then authenticates the user with those credentials

if a user sends in a script it makes a sandbox for it and executes it on demand

yeah looks good.

the script will communicate with another websocket server on localhost and that server then send back this info to the main websocket server which relays it to the client

The websocket server could just be another endpoint in the Django, unless u want them to be seperate for performance reasond

tbh I only made them separate cause I dont know how to use django channels

plus I feel like having them be separate is better as the project scales

yeah its not a bad thing

lets me separate concerns since they serve different purposes anyway

its probably a good idea to make use of async websockets, and I'm sure django uses its own non async thing

(yeah, channels)

yeah no idea how that works lol I found websockets really intuitive and easy to use

hmm on modification to this actually

each game should have its own websocket server and bot websocket server

For each game you could probably create a new task in the server which is responsible for managing the sandbox and communicating with the client through a new ws connection

just to keep things a bit seperated

not sure what you mean

like you dont need the server working on all games at all times

it's just an implementation detail

Not really important to the overall design

this is what im thinking

this only shows game1 and game2 but the idea is there will be a websocket server for each game

well assuming all games could be played at the same time by different users I think I always need them running

just seperate endpoints? e.g wss://serverurl.com/games/1

yup

I also would suggest FastAPI for this

Unless you already have looked into that

nope no idea what that is

its an async web framework

It will make it easier to create this ws server

unless you planned to use something like flask w/ threads

does it just speed up my server?

I find it very easy to use and it's very fast, compared to its "rivals"

const DOMAIN =  "websockettictactoe.co.uk"
const PORT = "6789"
let websocket = new WebSocket(`wss://${DOMAIN}:${PORT}/`);

this is how the client makes the socket connection

btw my websocket server is actually just running as a single python script

how do you plan to deal with multiple ws connections and an api to connect to them though

https://github.com/murtada58/websockets_tic_tac_toe

I will just write another server for the new games and put it on a different port

Each game doesn't have to be in its own port though

actually if you will use a ws connection for each then yes

im thinking if I do it by changing ports then when I write the client pages I just have to change the ports here for each game

and boom done

async def main():
    async with websockets.serve(game, SERVER_IP, PORT, ssl=ssl_context):
        await asyncio.Future()  # run forever

this is my server side I think as long as I set the port here to be the same as the one in the client it will know which websocket server to connect to if my thinking is correct

@quasi steppe I dont quite understand what problem fastapi is solving though tbh

it could be that just becasue I dont know enough yet I dont quite understand why I might need it

btw if it makes my websocket servers faster I will def look into it since I think performance will be a huge issue as this project scales

It just depends on how you want it to be. I feel like having an api might make things easier, especially as the project gets bigger

it might be that the way im doing it isnt quite what your thinking it might not even be called an api lol

I basically just have a user send in json with an action key based on that action I do different things

thats how my api works rn

they way user connects to the games ws server is more like wss://serverurl.com:game_port

compared to wss://serverurl.com/games/1

with an api it's easier to manage state

so it allows me to replace the connection url

it just changes the overall architecture

and I wont need to worry about ports if I do this

so i could do
wss://serverurl.com/games/minesweeper

wss://serverurl.com/games/tetris

etc

yeah something like that

the api could keep all the state for all games

ok yeah that would make it easier to manage since I will probably confuse ports at some point

what do you mean by state?

isnt it just for routing?

then have an authenticated endpoint POST //serverurl.com/games/minesweeper (would create a new game and thus open a new ws con, on the returned id)

You need to keep track of all running games somewhere, no?

and whixh users are connected and whos doing what

the websocket server does that already

isnt this the ws server?

https://websockets.readthedocs.io/en/latest/intro/index.html

have a look at the browser based example

thats pretty much what im doing

yeah I think we're thinking of this differently

you can take a quick look into fastapi and just see if it works for you

whoops actually should be the Synchronization example

well I think i have all the building blocks now I will just get into it and add what I need when I need it

thanks so much for the help again really appreciate it

@quasi steppe sorry to bother you again but after having a look at fastapi I realised I can just use this instead of my django server am I thinking correctly here?

it seems to be much easier to use as well and from what I read its much more efficient as well

my only concern is security since thats why I choose django to begin with since I dont know much about security and django seems to handle most of the common vulnerabilities by default

hi

could you elaborate on what you mean by "common vulnerabilities"? There shouldnt be anything in any of these frameworks which will suddenly mess up your api on itself. Although you're right, django comes prebuilt with a loot of existing stuff so you dont have to implement for example authentication yourself, which is the case for fastapi, unless you use something like "fastapi-auth" (external libs), and, yes, you could replace it with your django-server

well it took care of CSRF, sql injection and password hashing and I was also under the assumption that it took care of some other things which I hadnt thought of or encountered yet

im still quite new to this stuff so I really dont know what I dont know lol, but looking at FastAPI it seems to be the framework I was looking for tbh very simple easy to understand and fast so I'm switch to that

might also try out a no sql database and see how that goes, any recommendations here?

fastapi doesnt come inbuilt with any database of any kind, although it offers support for sqlalchemy very easily but still I think hashing and salting and stuff like that is something the user has to do himself (through a library ofc, something like bcrypt would do).

What will you use the database for?

storing user info

for this current app I think I will mostly be dealing with unstructured data thats why im thinking nosql database like mongodb might be good (although im not sure if its free or not)

^^ was thinking of using argon2 for hashing passwords and oatuh2 for third party authentication (I want both to work for the website)

I also heard sqlalchemy protects against sql attacks so If I feel that the no sql database isnt working I might switch to postgres with sqlachemy

yeah i'd maybe go for something like postgres myself, especially for user related data, and it has easy integration with sqlalchemy

thx again for the help lol fastapi is a really big upgrade over django (didnt like it) for me

yeah its more like flask, django can be "overkill" if you're just doing something simple, thats why they're known as microframeworks

^^ might go back to django in future when I know a bit more but rn I feel like its just slowing me down, because I dont understand anything it does because of how much it does for me already, fastapi seems to do just what I want and nothing more, I have no issue writing more code if it means I understand it better

How can you decrypt this: Q1NDe3IzNGR5XzRfTDFmdF8wZmZ9?

looks like base64

oooh thanks man

Any tips for beginners?

What kind of tips?

Like, how to start

Any specific editors you would recommend or something

is this also base64: e6078b9b1aac915d11b9fd59791030bf?

I would believe that must be 32

Base 64 is caps lock

Or, most of it is

I would guess on base32

Yea nvm

This looks like hash

Any tips to how to get started. Any specific editors you would recommend or something alike

With development? I don't understand what do you mean

With security

Like, any tips for how to get started about security

Start with learning basic concepts like what is hash algorithm, what is cipher etc.

Any specific programs, editors I should download?

You can pick your favourite, I am using PyCharm, others prefer Sublime, VS Code or even vim

So PyCharm would work with no problem?

Awesome

@lapis radish there is no chance that you could give me some tips on how to begin at game developer?

Yeah, I know i could watch YouTube but like, is there anything you wanted to know when you started but didn't before later?

If that even make sense

This is out of scope of this channel (and I don't know nothing about it btw) so you should ask on #game-development

Ye sorry

Hey, I have ralink rt5370 wifi adapter, I tried configuring it to kali in vbox, ifconfig and iwconfig show wlan0 but , the adapter shows no visbke networks neither in monitor nor managed mode

Pls help me... Ping me

guys what if i copy and paste a nitro clickbait in incognito mode?

i didnt log in my discord account in incognito

so will anything happen to my laptop or account?

i changed my password after that

btw

Probably nothing happens

so nothing gonna happen?

Yeah, edited my message

Anyway, you should scan your OS with some antivirus software

i scanned with kaspersky

and it says my laptop is safe

should i trust it

Yep, imho

ok ty

@lapis radishbtw is khan academy a good place to start learning programming

Never used it but you can try it

iirc khan's tutorials are out of date

still on es5 or something

bruh what does es5 mean

(for js)

Javascript v2005 or so

oh

unless they changed it recently

i see that the comments are recent

not sure about the content tho

alright just checked

they're still teaching es5

oh lol

btw is javascript the easiest to learn?

Nope, Python is easier in my opinion

JavaScript can be confusing

oh

I second this opinion

js has a lot of legacy quirks (eg weak typing)

i think im gonna try both thx for yall opinion

Python is a lot easier than JS.

what is the best way to create venv file for each project in vs code

coz pycharm just creates it automatically

#editors-ides @surreal canopy

ok

I'm looking into authentication with fastapi and I'm thinking of using JWTs but I dont understand quite how it works,
1 user sends credentials and requests token

2 credentials are verified and JWT token is created with some info from user data like id or username, and a secret

3 user receives token and uses it with every request requiring authentication

4 when user uses token in a request its decoded using the secret, this returns either the payload(info used to generate the token) if successful or none if secret is wrong

5 if payload successful use it to return the requested data, otherwise return an authentication error

my question is about the secret, is it what enables all this to work?

and if so do I use 1 universal secret for all my users or do I generate a new secret for each token and save it with the user data to be used

and to my understand the payload is accessible to everyone so I can use it to query the database for the secret when checking the token without decoding it first, so that I dont need to send username or something like that?

I don't know if this should be in this channel but does someone know, how I can protect my app with a licensing function? (Should be free)

hey how can I use an api key in the code for a website without leakings?

Can you provide some details?

It strongly depends on your application. You can for example provide license key and require internet connection (deploy your app more like SaaS)

such as working with youtube api

I still know nothing about your application.. Do you want to provide key on frontend or store it on backend?

don't put your config files inside the web root

pass them in an environment var is a pretty common way I think

i just want to secure it

so that noone can find it in the web

Hey friends, here's a bit of Python that generates random strings of an integer length, useful for password generation.

https://github.com/jcwii/random-strings-of-length/blob/main/random-strings-of-length.py

edit: hyperlink edit

!code

Paste it like that if you want to allow someone to use your code

Sorry, but I don't understand

Also, use raw string to store special characters

!e

print('~`! @#$%^&*()_-+={[}]|\:;"\'<,>.?/')
print(r'~`! @#$%^&*()_-+={[}]|\:;"\'<,>.?/')

@lapis radish :white_check_mark: Your eval job has completed with return code 0.

001 | ~`! @#$%^&*()_-+={[}]|\:;"'<,>.?/
002 | ~`! @#$%^&*()_-+={[}]|\:;"\'<,>.?/

Do you see the difference?

Also - I am not big fan of GNU license

?

https://github.com/jcwii/random-strings-of-length/blob/main/LICENSE

What's the advantage?

Compare results
#cybersecurity message

And yes, why are you not a big fan?

I don't follow.

Because when I use your code I need to use same license

Which license do you use?

There is missing \ character in string

Because \ is used to escape (like \n to create newline)

I prefer MIT but you can read about popular ones and pick your favourite

The second case (002) shows what's represented, with a backslash.

You're suggesting another backslash where?

@uneven island you can think about some kind of generator which is based on Markov chains (potentially can create more memorable strings)

Look at the output of the following command

!e

print('~`! @#$%^&*()_-+={[}]|\:;"\'<,>.?/')  # normal string, you are loosing \ character
print(r'~`! @#$%^&*()_-+={[}]|\:;"\'<,>.?/')  # raw string where \ character appears

@lapis radish :white_check_mark: Your eval job has completed with return code 0.

001 | ~`! @#$%^&*()_-+={[}]|\:;"'<,>.?/
002 | ~`! @#$%^&*()_-+={[}]|\:;"\'<,>.?/

I added comments

So imho you should add \ character into the set of possible characters by using r"..." instead of "..."

But it's your choice, if you don't want to attach \ then you can omit it

Oh

Sorry

The second eval job prints a backslash twice.

My mistake, lol

Yeah, you are right

No worries. The second backslash is used to escape.

Sorry, I am a little sleepy, it's 2:43 am

My fault 🙂

Haha all good, thank you for having a look.

Hmm, I used """...""" to store " inside

!e

print("""'"?""")