#cybersecurity

what can she do now?

And you would like to remove said software I assume?

I highly recommend Malware Bytes.

exactly

what is it?

https://www.malwarebytes.com/mwb-download

thanks!

It's an anti-virus/anti-malware solution that offers a free trial (that your friend could use to remove the PUP/trojan/rat etc.

is it a scam

yes.

ofc

Tá fáilte romhat. You're very welcome. 🙂

lol. Yeah, signature based AV is a s***-show, but it's one of the best games for end users generally.

Lol

And MB uses a TON more heuristic rules for their detections and theor remediation isn't super terrible.

lol

I am not doubting you

just how is is it compared to macafee

Imho, Malware Bytes has several advantages over using McAfee. certainly when we're talking about trials and free-tier.

It has certainly come a long way. part of what defender suffers from is that being a common denominator makes one a common target.

If Malware Bytes shipped as the default windows anti-malware solution, it would suffer under that spotlight in a similar fashion, imho.

but it isn't, so it doesn't. lol

the virus corrupted windows defender

That's a common move these days.

That may not work if the file was corrupted in a few creative ways or if there is something with persistence monitoring that service. but still solid advice. 🙂

If shadow copy backup was enabled that would be a great solution for this, but also wouldn't work if the malware is still running/persisting on that host.

I was just padding your recommendation in the event that it didn't resolve the issue. 🙂

"could totally work, but in the event that it doesn't, consider the following."

Sigh. Definitely on the short list of contingencies in the event that MB can't squash the bug. but i'd run MB just to see if that's even the situation.

by the by, what's your fav boot distro for recovery/forensics? I'm always hunting for new recommendations. 🙂

Tried and True.

I was a Knoppix fan for years.

ouch. 😅

I walked right into that one...

I'm what might be referred to as a "Geriatric Millennial". lol

If it doesn't i'm sure we'll hear about it. 🙂

Do you also work in infosec? just curious. 🙂

You never know when you'll bump into an old Con buddy or colleague

All good. Just curious. Ever hit any cons?

oh not a bother! I started pretty young (in the late 80's early 90's), I an a reverse engineer these days. 🙂

a "con" is short for "conference". Enthusiasts and professionals occasionally throw big events that span multiple days for people to give interesting talks about recent issues or new tech and there are games and enough alcohol to drown an army. lol

do you play CTFs? 🙂

CTF is short for "Capture The Flag". It's a format of game whereby the player has to leverage their favorite security TTPs in order to discover a secret string value (called a flag) that can be submitted to prove that you have completed the challenge. Does that make sense?

TTP = Tools, Techniques, Procedures

(Sorry, I work in the defense-space and you get used to using too many abbreviations willy-nilly)

If you don't play CTFs, have you played Python Challenge?

Oh I don't question that for a moment. I'm just curious what you enjoy doing with your coding. 🙂

There are fun CTFs to play, like this one. ctflearn is a pretty gentle introduction to playing CTFs and can be alot of fun.
https://ctflearn.com/challenge/1/browse

Python Challenge is a cultural touch-stone for python dorks. :). It's a little more confusing to play, but rewarding when you break a level.
http://www.pythonchallenge.com/

CodinGame is amazing, and features quick skirmish challenges where you compete for time against other humans and they occasionally offer big contests for prizes too.
https://www.codingame.com/

My little brother in-law loves Roblox. 🙂

When you say that you've been ethical hacking for over a year, what does that mean outside of a professional context?

Yeah. my brother does too. lol

That's grand!

Any fun experiments of late?

Fun! Which algo's do you have rainbow tables for and what keyspace did you go with? 🙂

writing a pw stuffer can certainly be a handful. are you using rockyou.txt ?

that's a kali staple at this point

you can scoop up leaked creds freaking everywhere. it's half of what you get on bin sites.

more places need to enforce 2fa

It was a pleasure bending the fence for a while. Have a great day. 🙂

Can someone please explain to me the structure of a TLS handshake packet. I have been trying to create one with the python struct module.

I hope this helps. 🙂
https://tls.ulfheim.net/

Thanks a lot. This is exactly what I was looking for. 😃

Outstanding! Glad to help. 🙂

Hello. Anyone here used Casbin?
If I got it right, I'm gonna need to create individual policies for each user and for each object they could possibly manipulate. Is that correct, or it's possible to generalize those policies?

Casbin? I have never used it.

Should I even use it? Or generally permissions are managed easily enough without third-party software

No sir, I am looking at making my first python tool for security purposes. Either enumeration or ... etc used fo bug bounty. However, I am a script kiddie who just started so if anyone has a good idea of a start up guide i can read? Would be amazing 😄

why is this xpath invalid?

#/html/body/div[6]/div/div/div[3]/ul/div/li[{i}]/div/div[1]/div/div/a/

i is an integer that is formatted btw

You can create port scanner for example - pretty easy and useful even for home purposes.

Additional example can be program which tries to find leaks of API keys and others secrets in code

I see! Thank you! 🙂

Would be good to start with

You're welcome!

"script kiddie" is usually used as a derogatory term for people that think they're cool because they're a Hacker ™️ and just use tools without knowing how they work

not really something i suggest you describe yourself as 🙂

Oh well I just started and I got called with one on a forum because I asked a question so I assumed that’s what beginners are called

Ahh okay 🙏🏼 thank you

as long as you're willing to learn, you'll be fine

Hahaha thank you sir 🙏🏼

which language is used to make mobile viruses?

Can I ask if anyone's used deep daze? I'm worried it's a virus

open soure and 3.8k stars?

most likely safe, though it doesnt hurt to be sure

why do you have concerns?

please tell me if i can be expert in this field, i can be hacker right?

can i hack website like maybe FBI or something?

can i make viruses also and band adult website? cause that website has ruined my life

🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️

what does that mean?

cmon i need real answer

lmao, this makes me kinda doubt your bio

Being a security expert doesn't mean that you are a hacker

I just joined this server and this is the first thing that I've found. Lmao

Hi very important question. Does anyone know how to use wireshark? how do I find the number of packets sent between 2 IP addresses? Thank you

Thanks I was given this question: How many packets are sent between the IP addresses x and y?

great, what filter would that be?

Sorry, I'm new to all this

oh okay - thanks

Hi does anyone else know how to find the number of packets which are sent between the IP addresses x and y

the number of packets? during a time span? you can view packets that are being sent with e.g. tcpdump, also allows you to filter source and target IP, i suppose you could filter that by timestamps and count items

Hackers more like like curious people

I’m a script kitty, meow 🐱

Great, thanks

what is the prerequisite to learn offensive python ?

learning python

Python basic is enough to jump into "python for pentesters" courses ?

what is pentesters?

ethical hacking and stuffs

@thorn obsidianif you are a pentester you can hack facebook

!rule 5

He asked what is pentester and i answered Ethical hacking . How is this breaking Rule no.5 .

It's not possible to verify how do you use hacking skills so it is breaking rule 5 - that may break laws

You can talk about it by using @novel cedar with mods

🤦‍♂️

really? wow please give some resources to learn it. Thank you

@thorn obsidian i got you covered, start here https://www.dummies.com/programming/

You want to make a command block that will allow you to make edits anywhere you want
https://www.dummies.com/programming/programming-games/minecraft/minecraft-command-block-commands-list/

but don't break Rule no. 5 here

truly the most useful scripting language

I have a question on JWT. So based on what I have studied in an article, it's just a means of "easier addressing" on the server-side. E.g, when the authentication servers are behind a load-balancer, the JWT can help us realize which server to go to instead of checking all the servers, or having to synchronize them all.

idk about this but its used for authentication, allowing you to communicate with any server since you dont need to have a session with any single server

they just need to have access to the secret that created your JWT

I can't use that feature without allowing myself to be flooded with spam from this server, but I'd like to point out that your exact logic should prevent any discussion of anything here, especially Python as Python can be used to do illegal things and we can't know if people will use the help they get here for illegal purposes. The only winning move is not to play if the rules are as you state them.

not quite since most questions here are about how to secure things not how to breach security it is a thin line and I do agree that pentesting should be fine here as well but idk enough about the rules to say

The implication is that hacking is somehow by nature illegal, which is a harmful stereotype.

Hacking and security are so deeply related that I don't think you can reasonably have a security discussion space where discussion of hacking is banned. It's rather absurd imo.

I agree but, you dont want to accidentally help someone with bad intentions, if you can get approval from a mod I dont see why you can't ask though

Again, though, this logic precludes discussion of anything on the basis that you cannot know the consequences.

and also the way you frame your question makes a big difference

instead of saying how can I hack X
try
how can I protect/prevent against this vulnerability on X

Why, though? As a defensive security developer, I think it's invaluable to think from the perspective of an attacker - to frame the question as, "How can I break this creatively?"

I fully agree but again you dont want to help the wrong people, and I dont make the rules

have a talk with one of the mods to see if you can sort something out

There's a lot to unpack there, especially the assumption that there are wrong people and right people to help, or that you can reliably know which is which in the context of a Discord chat. In my opinion, you're just as likely to be helping someone do something illegal by giving them advice on optimizing their concurrency design as you are helping them reason about security vulnerabilities. That is, of course, barring statement of intent to perform some illegal act in which case by all means enforce some rules.

I agree with that you never know the intents of the person you help on discord, which only reinforces that you should limit discussions and be careful about the info you give

and helping someone secure their service might give them ideas on how to exploit other services but it doesnt outright teach them how to do that only how to protect against the attacks

so although it is similar there is a distinction

Interesting! I feel it's the opposite - that by spreading knowledge in public forums, even if someone with malicious intent benefits the net benefit is likely to be positive. Defenders can learn from what is discussed here just as attackers can. We've also been ignoring in this discussion the complexity added by all the lurkers with totally unknown intent... 🙂

You can go to #community-meta too

again I agree with this, but I dont make the rules

I am not the author of those rules but rules are rules 🙂

I respectfully disagree with your interpretation of the rule, but not a big deal - I get worked up when people malign hacking as being somehow related to breaking the law.

Ok security question: Is there any kind of standard or conventions around interfacing with secrets providers like Hashicorp Vault? I want to include support for a secrets provider in my project but also want to keep things pluggable if possible. I'm maybe failing to think of the right search terms to find this.

Hmm, as far as I know you need to provide one method for security-provider-class - get (with optional default=... keyword)

@abstract jackal You can also take a look at Buildbot secrets https://docs.buildbot.net/latest/manual/secretsmanagement.html

Oh this is AWESOME! That's exactly the sort of thing I'm looking for, thanks!

You're welcome!

It's a tough game, I still haven't figured out how to win

btw do you think its secure to store secrets for JWT's in a DB alongside other user information

I'm thinking of generating random secrets for each user instead of having a global secret for all users, this way I can invalidate a secret if a users token is compromised

It sounds like it'd be secure against most things other than your database being compromised directly or through query injection

Hmm.. I am not an expert in JWT but afaik you can store JWT tokens next to users' informations

thought so too but at that point it wouldnt even matter since I would have bigger things to worry about I think

wont be storing the tokens just the secrets used to make them

Hmm...

Yes and no - injection vulns that are read-only might be more dangerous with this design than otherwise (you have to get LFI to know the server's config secret).

I'm thinking of using a graph based db like neo4j not sure if that helps with security since it doesnt use sql

Cannot you use user's public keys?

for the secret?

I've argued extensively with the head of development where I work - no, it doesn't change much in terms of security 🙂

if thats what you mean it wont work JWT's since the secret needs to stay a secret for JWT's to work

On https://jwt.io/ I see that it's possible to use public key (user's one for example) and private key (your one)

otherwise anyone can generate tokens that would be read as valid

You could symmetrically encrypt user secrets with a server secret so that they aren't usable if stolen from the database.

its possible but I dont think its a good idea since anyone can access the public key

in the general case for JWT's you just have 1 global secret used to generate the keys for all users

Anyone can access the pub key, but they can't decrypt a token encrypted to the pub key without the priv key, right?

This is the idea of public key

the way JWT works is that its made up of three parts separated by dots
header.payload.signature

anyone with the JWT can see the contents of the header and the payload, but they cant modify them since that would invalidate the signature

however if they have the secret then they can generate a new token with a valid signature, at that point its game over since they can generate valid tokens as they want

Gotcha, so your generating secret needs to stay on the server, ergo only the server should be able to decrypt it so you need to use a secret known to the server to encrypt the seed.

yup

its used to generate tokens and to validate them

and from what I've seen the payload often contains some user information used to identify them like their id in the db or their username

that way the payload can be used to verify the user you are communicating with

So I would treat it just like salt and pepper, personally - store the salt with the user info and put the pepper in a file on disk. Then you should need multiple exploits to compromise the system, or a database exploit and the willingness to try and brute force the encryption.

where should I store the pepper though?

Environment variable?

would that be safe if the db is compromised?

Yeah

It requires to get user-access on the OS level

Or process access with this environment variable

That depends entirely on what kind of system you're building - for example, Django uses a secret key in the config file and usually it's put in an environment variable for production. If you need multiple nodes to know a secret, use something like Hashicorp Vault to have auditable token-based or ip-based access.

...or leverage CI/CD to populate the secret across nodes, again depending on the system you're building.

hmm theres a lot to take into account lol for now I will just have the salt on the db for each user and the pepper in an environment variable

I was also thinking of making tokens have a very short expiry time so lets say 1 hr and then have the client request a new token before that

this way if the user is constantly interacting with the server they will get new tokens valid for the next hour and wont be logged out but as soon as they stop interacting with the server for an hr they need to log in again

Another crazy option, but one with a hardware dependency: encrypt things with an HSM so that stealing the decryption key would be theoretically impossible (Yubico has a decently priced one I've been drooling over for some years)

how long do you think I should make this time btw?

hmm I think thats too much tbh I'm just trying to make a game platform for programmers

so even if the site is compromised no sensitive info should be leaked

That's very much domain-specific, I think. Some applications, I use a timeout of 15 minutes. Sometimes I make tokens that are good for exactly 1 second. Sometimes 12 hours is no big deal. Depends on what it allows access to.

"too much" is how I like to do security lol

^^ I feel that I could have just stuck with a global secert but I didnt like that lol

do you think setting it to 24hrs is too long?

The ideal is to make it user-controlled - if a user trusts their device, then just about any expiration is fine, because they're going to keep regenerating tokens on that device anyway

Especially for mobile, if a device has TPM to store your tokens then what's the attack model?

issue is I dont know what kind of attacks could be used to get the tokens in the first place

my idea is just that if the attacker gets a token it would already be expired when they get it so its useless

1 - Brute force
2 - Social engineering
3 - Coming across it on an otherwise compromised device

You can defeat #1 with expiration (or a combination of entropy and expiration, rather).

hmm I think I could set no expiry date with my current model then

well more like a very long expiry date since brute force should take a very very long time

is there any standard way to detect suspicious activity from a user btw?

Oh, I guess 4-leakage: If a user ever sees their token, one of them will leak it eventually

the only thing I can think of is if the user signs in from a very distant location I should ask them if it was them through email

Hmm... machine learning and a whole lot of telemetry?

Yeah, IP-based sign-in tracking is pretty standard (if privacy laws allow it for you and your users), and you should rate limit failed logins (I personally like an IP-based exponentially increasing backoff for this) and consider blocking addresses with failed logins for multiple users (keeping in mind sometimes an IP can have a thousand users behind it)

If you're generating logs of authentication failure events, an external utility like fail2ban may be useful for that last part - it lets you perform pre-configured actions based on regex matches in logs, and it can talk to/configure firewalls like iptables or nftables.

(keeping in mind sometimes an IP can have a thousand users behind it) I assume this would only for public networks?

Some corporate networks also, and mobile carriers do all kinds of multi-NAT shenanigans. I have a WiFi network with several thousand users behind just a couple of IPs.

Municipal WiFi is becoming a thing in some places also.

will deffo look into all this, at some point but I will stick to just the salt and pepper for now I can always implement all this later

I've been putting off working on this for a while...

Absolutely, take it in small steps and try to deeply understand the controls you implement.

btw do you think there's anything I should look out for with graph based db's ?

Not in particular, other than ORMs for them are a little less available/mature. I definitely wrote some vulnerable cypher queries a few years ago! Graph APIs usually suffer from increased DoS risk, but graph-native DBs are relatively fine.

what do you mean by DoS risk?

Graph APIs are often put in front of relational databases, and a single GraphQL query can trigger multiple (sometimes cascading or looping) queries on the backend.

btw the reason I plan to use a graph based db is because I want very fast reads and writes since I'm working with games and I'm still not sure of the structure of my data, as it depends highly on the games I add

hmm in my case I only want to have 1 db with no caching layer

Interesting, I'm not very familiar with performance characteristics - I use graphs for the queries they let me make that would be difficult on relational datasets

so I figured graph based dbs were a good middle ground giving me an easy way to model relations with relatively fast speeds

this as well

btw do you have any resources for where I can learn a bit more about graph based db's?

I wana make sure I write performant and secure queries

I think you're on the right track... I don't have any current resources unfortunately, it's been about 3 years since I last did a Neo4j project and I didn't do much research for it. I've gotten by with custom python graph implementations for pet projects lately.

ahh well thats all good you've already helped me enough 🙂

thx 🙂

What you need for secure queries is parameterization: https://neo4j.com/docs/developer-manual/current/cypher/syntax/parameters/

oh actually one more thing

do graph based dbs take up a lot more space than other dbs?

I assume this is their only trade off

I don't know, but I wouldn't think so... since a graph is just a pair of sets (of vertices and edges) it should be pretty storage-efficient, but I'm not sure what kind of optimizations are used (what is the graph equivalent of a b-tree? is there one?)

what would you say are the reasons not to use them then?

I feel like I'm missing something since they seem better than relational dbs in every way from what I've seen

If you have a well-defined schema for your data and want the benefits of things like foreign keys and various indexing optimizations, relational databases still shine.

arent graph dbs faster than normal dbs though?

I don't know about in general, but certainly for answering certain questions

ahh actually looking it up again, relational dbs are faster when you have a lot of organised data

I would assume for my use case graph dbs are probably faster where they need to be though, since my queries will be mainly relating to a single user

Unless the intended use demands it, I usually don't consider performance characteristics when choosing tools for a project - I consider what the best way to model the data I need to work with would be, and I find the right tool for the job. Keeping it simple and keeping dependencies minimal are some of the best ways to optimize your chances at building a secure system. Relational databases are tried and true, and modern frameworks make operating them safely a breeze. I didn't find that to be the case with graph databases when I last ventured into that realm, and the safety of my implementation definitely suffered because of it.

I was using PowerShell with Neo4j and I don't think I found the documentation I linked above, so those factors probably limited my success with it.

in my case I want a fast and simple db, since I expect to be making a lot of small queries, that need fast responses

and in my case the faster the better since ms have a big effect on the user experience in games

honestly the db probably wont be the bottleneck in my case anyway lol

thx again for the help I think I finally have all the info I need to start working on this project 🙂

Hello people
i was wondering about something
If i use a rubber ducky usb, and the first thing i do is desactivate av, wd... after that any type of malware i include in my script should be able to run right? or is this just theoretical

Yes, no - depends on user permissions

hmm

shouldn't we be able to do that with admin perms?

When you are on the root level then you can literally do everything

yea, i mean the amount of people who changed their os restriction into not letting a human run stuff through admin perms without a password are kinda low

anyways, any tips on starting to write malwares?

can it be done via java?

!rule 5

oh im sorry but im doing this for ethical purposes

to learn basically

Whatever, it's prohibited to talk about hacking on this server afaik

once coded a malware that only works for windows 7 (following a udemy course)

ah thought this channel was made for doing so

Securing code against hacking through techniques such as data sanitization and encryption, and protecting yourself and your devices.

kinda disappointed ngl

From channel's topic

It's #cybersecurity not #malware-creation 🙂

fair enough

are your dm's open

I rarely offer private help

Unless you can speak in my native language

i do know some insults since i play league of legends eune server

:p

https://tenor.com/view/anchorman-steve-carell-laugh-good-one-banana-gif-4958026

anyways, thanks for your help.

You're welcome! Feel free to ask your questions about defensive security any time you want!

what is difference between library and module

Library contains many modules

what is library

I think that is quite out of scope of this channel, it's more #software-architecture or #python-discussion

Ok

How can I secure my python code if I can't even compile it really?

The same general security concerns apply to any open source app regardless of if it's in a compiled language or not.

How can you secure a python code that explicitly has an api key as a clear text? 😅

When you want to distribute your application then it's impossible to secure API key

Each user should has its key

What about if I wanted to make a python program that requires a login and of course it'll need to check for the password and username, so how can I secure such things when anyone can go through the code to see which "username" and "passwords" are allowed?

You should setup some service which will authenticate users then

Online service

What can be secured if these important things can't be secured? -.-

Mhm?

hi

wassup

anyone online?

What important thing are you having trouble securing? Is it that you need to know how to encrypt a local database of usernames and passwords?

Make an online service which covers authentication and authorisation, you cannot secure hardcoded strings which exist in your app

Yea...

Perhaps what you just suggested is the solution to my issue, but then what are the things that can be secured in a Python code exactly?

Can you elaborate what are you doing rn? How your application look like? What do you want to secure?

I just wanna know what can be secured in a code written in Python if 2 of the uses cases which I mentioned above can't be done in Python 😅

Basically nothing is secure when you give your program to the user. Algorithm can be reverse engineered, keys can be retrieved...

This is too general question, for example from technical point of view you can secure communication between sides by hardcoding certificate somewhere.

However keep notice that security is a process so you cannot setup something and be sure for next few years that it's secure solution

hey everyone !
I'm having an huge environmental bug with passlib[bcrypt] :

passlib.exc.MissingBackendError: bcrypt: no backends available -- recommend you install one (e.g. 'pip install bcrypt')

I'm on windows, on a python 3.8.7 venv with pip 20.2.3, it works on another laptop and on one of my colleagues's laptop, as well as on our devlopment and production environments. But it still blocks me from developing since it breaks my local
Here's what i tried :

• uninstalling and reinstalling passlib, bcrypt and cryptography modules, as well as the passlib[bcrypt] dependency, with and without upgrade from my requirements file
• uninstalling and reinstalling my whole venv
• copying the environment of my other laptop
• using another python version (3.7)
  Should i try reinstalling python entirely ? or is it a system issue ? (don't hesitate to tell me if you need to see a pip freeze output or any other kind of logs)
  Thanks in advance for the help

also sorry if it's not the place to ask that (should i open an help channel ?)

You can open help channel and ping me there

thanks !

I think it is very easy to underestimate the complexity of securing communication between many users at scale regardless of language.

Especially in an open source manner. There is a reason most software now days are embedded web applications or just web applications, so you can have some kind of authentication service as Morowy noted.

how is your day guys ?

i am trying to do a account checker i need little help

import requests

import threading

combolist = open("combo.txt", "r").read()

headers = {"User-Agent": "MyCom/12436 CFNetwork/758.2.8 Darwin/15.0.0"}

def checking():

while True:

URL = 'https://aj-https.my.com/cgi-bin/auth?model=&simple=1&Login=bes5343&Password=best343'

r = requests.post(URL, headers=headers).text

print(r)

if "0" in r:

print("BAD: " + combolist)

else:

print("HIT: " + combolist)

t1 = threading.Thread(target=checking)

t1.daemon = True

t1.start()

t1.join()

`import requests
import threading

combolist = open("combo.txt", "r").read()

headers = {"User-Agent": "MyCom/12436 CFNetwork/758.2.8 Darwin/15.0.0"}

def checking():
while True:
URL = 'https://aj-https.my.com/cgi-bin/auth?model=&simple=1&Login=bes5343&Password=best343'
r = requests.post(URL, headers=headers).text
print(r)
if "0" in r:
print("BAD: " + combolist)
else:
print("HIT: " + combolist)

t1 = threading.Thread(target=checking)
t1.daemon = True
t1.start()
t1.join()`

!code

By "account checker" you mean brute force attack to get accounts list?

Any possible form of transferring passwords is. Putting them in the request body doesn't change that. The reason you're supposed to use a request body and not a URL parameter is so that your passwords don't show up in browser history and in server logs. - not because it's secure against brute force

Really, there isn't a difference between these in terms of how brute forceable they are

GET /?password=f00 HTTP/1.1
Host: localhost:9999
User-Agent: curl/7.79.0
Accept: */*
``````http
POST / HTTP/1.1
Host: localhost:9999
User-Agent: curl/7.79.0
Accept: */*

password=f00

You can apply a time limit to either one

Keep notice that putting password in URL will save it in browser's history

I can agree that it doesn't matter in case of brute forcing it

Correct, that is why I said "The reason you're supposed to use a request body and not a URL parameter is so that your passwords don't show up in browser history and in server logs"

:p

Okay, sorry, it's a little bit late 😂

all good, all good

Also GET arguments have limitations in size afaik so you cannot use funny password which are 1k chars in length lol

100% of sane ones do

and probably 90% of insane ones

I'd say more like 99% use POST

Yeah, POST is a general convention to be used in login/register forms

Basically actions like changing password or removing the account should be done by using POST

POST or PUT are common ways to send data (PUT is used to create resource iirc)

All HTTP methods actually work pretty much the same way

The difference is in how they're intended to be used

But you could make an entire website which uses nothing but DELETE requests if you wanted - the server doesn't have to delete anything, and it can serve up a page as a response to a DELETE request.

It's all just convention.

Every HTTP request method sends some data, and gets a response back.

Typically, webservers want you to send certain kinds of data like credentials, forms, and that kind of stuff in a POST request

I am not sure but can you send forms data in GET request?

You can

This is not I am not a webdev lol

Most servers just don't use that feature of HTTP

Because it's kind of an insane thing to do tbf

But you can do it

👍

https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods

GET, POST, DELETE, PATCH, HEAD, PUT, CONNECT, OPTIONS, TRACE

9 as far as I see

I think that's all of them

You can return any kind of response data

Including raw binary data

you still need an HTTP header though.

Like

HTTP/1.1 OK
Content-Length: 620
Content-Type: image/data

insert 620 bytes of random binary shit here

Sure

You don't even need a HTTP

You can use lower protocols like pure UDP

Some time ago I made a sender/client which were using DNS lol

Agree lol

Keep notice that you cannot steal anything from offline system because, uhm, it's offline

You can physically block USB ports

Yeah, there are devices which can emulate keyboard

So you can do many improper actions with that tool

So the simplest way to protect your device is to lock USB/PS2 ports, there was a conversation about that some time ago

Or do not allow to random people to have physical access to your machine 👍

You can use BIOS settings as well

Or hot glue lol 😂

So check your BIOS settings, I am not sure about that but maybe you can find some options that allow you to turn off unused ports

You can also turn off auto mount, but that won't protect you against certain kinds of device

One problem with USB is that it's universal. A device plugged into USB doesn't have to be a block storage device. It could be a mouse or a keyboard, or a network cable.

Unlike us, a computer doesn't have eyes. We might pick up something that looks like a block storage device. but if you plug it in and it identifies itself as a network cable, the computer will think you just plugged it into a LAN.

I'm sure you've heard of a rubber ducky - which works by identifying itself as a HID (human interface device, in other words a keyboard / mouse)

it speaks in HID to the computer and transmits HID data over USB.

So the only way to ensure no malicious data is ever received when plugging a potentially evil USB device into your computer, is to make sure that it doesn't automatically do anything with new devices.

You can do this by blocking the port outright - but if your goal is to try and reverse engineer the device or see what it does, you can also just configure the OS to not automatically enable new usb devices. In practice this can be a pain, since if you unplug your ethernet cable you'll have to re enable it when you plug it back in.

then you can probe the device to see how it identifies itself, and attach it to the OS as a specific kind of device or with restrictions.

Do you have any code examples how to do it in Linux?

No, I haven't looked that much into it

Too annoying for me to care currently

Right. I just like to test something and see how it works in real live scenario

I'm sure there's a way to configure it on linux

I am going to find it on my own, thx

Looks like all USB features are loaded as kernel modules... (not surprising)

I'd probably start by looking at which modules my system has loaded

and seeing which look relevant, then trying to find documentation on them.

I just found these slides on google https://elinux.org/images/5/5e/Opasiak.pdf maybe you could find this presentation

If not, the slides themselves look like they have a lot of good info.

.bm

I will look into it during the breakfast 👍

and ofc this doesn't cover voltage overloads to screw up your hardware

How about if the USB is a network device? I hope you're patched for ETERNALBLUE

I mean I'm sure you are patched for it, this isn't 2017

But you see what I'm saying

Right, but what I'm saying is even if autorun is off, you still can't trust a USB device

Because you don't know whether it's block storage or not.

Fair point. You're only secure against block storage attacks though

It's moot if you never plug in any unknown USBs ofc

Trust noone lol

It's more a joke but generally it's a good approach to don't trust others and verify some things twice

Using someone else's, or implementing it yourself?

Microsoft have a great writeup on ETERNALSYNERGY which personally I think is more interesting.

Same family, another day another SMB fuckup

Weird question:
Is it possible to make a python server accept only specific clients (it's clients)?

It is possible

Depends how do you want to distinguish between those clients. The simplest way is to allow to connect only from specified IP ranges

I'm interested in doing some kind of MitM proxy at my own device. Has anyone here set up a transparent proxy before? With HTTPS (TLS) 😵‍💫 I was using wireshark before and I was missing the full path of the streaming data I was accessing through another website, sadly I only got the domain instead of the full url with the corresponding path.

!rule 5

Why is it malicious if I'm just auditing my own device? It's a method used to check the data stream by legally setting up the config physically on my pc, not an attack. @lapis radish 😦

I cannot verify your intentions 🙂 You can talk about it with moderators by using @novel cedar, I am just a simple staff member here

Fair enough. What about checking how to build one with the encryption on, then I'll figure it out how to get the ssl keys? Sorry if it's too much of a stretch.

This is still out of scope of this channel because it's offensive. In channel's description you can read

Securing code against hacking through techniques such as data sanitization and encryption, and protecting yourself and your devices.
Sorry that I can't help you 😦

Thank you for the clarification brother.

Wireshark isn't a proxy. All you need for monitoring your own traffic is a simple HTTP proxy with a self signed certificate, which you configure the browser to accept. Inb4 rule 5, this can't be feasibly used maliciously since the browser has to accept the cert, which you can only configure on a device you control.

You're welcome! Feel free to ask about "how to protect my communication against MITM?" 🙂

That's actually pretty interesting lol.

To ensure http traffic goes through the http proxy, you can configure a firewall whitelist such that only certain devices can send HTTP out of the network, and make the proxy one of them. Them any device which attempts to circumvent your monitor will be prevent from doing so and have its packets dropped. This is a common set up for monitoring http traffic on corporate networks.

On a corporate network you can even install your snake oil certs via group policy.

I know, I was trying to sniff out the packets and use my own SSL certs to be able to decrypt the https and check what was going on. However (if you've ever used wireshark and know a bit on the handshake part) when I got the client hello, I got only the domain of the website instead of the full url WITH the path. So it was a bit of a timewaste (well, I learned a bit on networks at least)

The solution is to use an http proxy instead of Wireshark. You force the client to communicate the request to a server you control, I stead of directly to the remote destination.

So I thought maybe the correct way of doing it is going through a proxy when needed. Yeah, I thought about it today.

Yup, you've got it right.

You can even just use nginx or apache for this with a very simple config

All you need is an ultra basic forward proxy setup with some logging.

Do you recommend some resource or website other than what I can find on google about it? I'm more of a Business Analyst so I only know a bit of programming on that field. All of this is new for me so I'm trying a practical approach just to build what I need and keep moving.

This is really more IT than programming, which is good news cause it's easier IMO. Here are some nginx basics https://www.nginx.com/resources/wiki/start/?_bt=541137080527&_bk=&_bm=b&_bn=g&_bg=125748574545&gclid=EAIaIQobChMIu5fFkrDH8wIVhgytBh0udAhvEAAYASAAEgKB_PD_BwE

And example forward proxy config https://www.alibabacloud.com/blog/how-to-use-nginx-as-an-https-forward-proxy-server_595799

Thanks a lot. If I may, I'll come back and ask stuff after reading on it. I appreciate it.

Not going to recommend the mitmproxy2 package to them?

(anyone reading this: do NOT install the mitmproxy2 package, it is removed from pypi for containing intentional remote code execution vulnerability - I was just making a joke, do NOT seek out this package)

https://tenor.com/view/oh-you-you-pointing-gif-9478893

I use mitmproxy (not 2) all the time for non-offensive purposes, for example I periodically use it to make sure my software doesn't do any unapproved beaconing, etc.

Yeah but it has mitm in the name so it's obviously evil haxorz - someone, probably

I usually just tell people about the middle aged dude with no hacking background who went to a workshop led by Troy Hunt where he set up a proxy for his phone (Fiddler iirc) and discovered a critical flaw in Nissan's mobile app (they were using VINs as auth keys). These are powerful tools, and sure they can be used maliciously, but they are also so valuable for so many legitimate purposes that I don't think they deserve the stigma they get.

Is Fernet from the cryptography library vulnerable to the Known-plaintext attack?

no, it is not

it uses AES-128-CBC (https://github.com/fernet/spec/blob/master/Spec.md)

Oh, thanks!

If someone violates their NDA by posting information about their work they are doing at a company and you take that information to bolster your own companies competitive analysis is there a way for you or your company to get in trouble?

this is more of a legal question than a security one

But you can't enforce a contract on someone who isn't a party of the contract.

If A and B make a contract, that's between them. C has nothing to do with it.

Gotcha, for future reference where should I ask about these sorts of questions
Also would it frowned upon?

C does have obligations under intellectual property and copyright law.

But that's a separate matter from an NDA between two other parties.

I see, okay this makes sense

That kind of question would probably be better asked in a community for law instead of programming

Stackexchange have a law board iirc, idk of a discord though.

Seems the companies security teams aren't doing their job properly. Okay ill check into it thanks!

I mean, if information gets out it's not like they don't have remedies

In fact, they have remedies specifically because there was an NDA.

Their claims are against the party to the NDA.

Preventative measures of information getting out in the first place would have been better.

Then you don't have to try and scrub google

yeah, but there's only so much you can do.

Like wtf are you gonna do, flash them with a Neuralizer?

Who are you, the Men In Black?

If the info is in their brain, you can't exactly secure against its release with code.

That's why you have legal remedies.

From the tech perspective, you can also do postmortem investigation

If you think a specific person leaked a specific piece of info that they didn't purely memorize and you think they copied it or something, that might leave artifacts you can investigate and find.

A lot of people don't really know how to steal things very well. The people who know how to get away with stealing secrets are the people doing the forensic investigation, not the people doing the stealing.

You know, usually.

Threw this together for kicks to actually calculate the difficulty of the guess. Python doesn't GPU accelerate hashes, so these numbers are for an Intel i7-10750H @ 5ghz, which is just awful for hashing. 16 bits of cryptographic entropy in the worst case consistently costs 0.73 - 0.75 seconds, we'll call it 0.75. Since each bit of cryptographic entropy approximately doubles the work, an input seed with an entropy of 32 would take about 13.6 hours to break in the worst case.

The number of hours required to defeat an entropy of N in the worst-case can be calculated with this formula:

(0.75 / 3600) * (2 ** (N - 16))```

Hm, are you trying to crack password or what?
Are there people who are trying to crack hashes on CPUs nowadays?

This is just to demonstrate that secure hash algorithm's security is backed by the security of the input

Had an argument earlier about hashing mersenne twister values to "make them more secure"

This demonstrates that the worst case complexity scales with the entropy of the seed.

Fair enough

To actually perform the attack ofc GPU acceleration should be used. But this formula could be adapted to calculate the worst case time for an entropy of N with a specific hash rate. 0.75 seconds is how long it took to go through 2**16 permutations on my cpu, so if you can get through 2**16 permutations in only 0.3 seconds with GPU accel, then just swap in 0.3 to make the formula work for that speed.

Okay, I just woke up and being confused a little bit, now I understand what is going on 👍

Basically the problem is this: if someone is generating random values really shittily and showing you the hashes of those random values, how hard is it to predict the next hash?

Are you assuming that user is putting single block of message into hash function?

Or there can be more data?

They're hashing a prng number

See the next_digest function in that code

It's what computes the hashes

I see it 👍 but you can generate bigger numbers, cannot you?

You can make the numbers as big or small as you want, it legitimately does not matter.

The difficulty comes from the difficulty of guessing the prng seed. Not the length of the data being hashed.

Hmmm Right

Bigger numbers might take very slightly longer to hash, but they don't increase the complexity of the problem itself.

We're talking fractions of a second per permutation. What matters isn't making the permutations take a fraction of a second longer - what matters is increasing the number of permutations exponentially.

Even if you used such large numbers that the hashes took TEN TIMES as much work to compute, that would be less significant than increasing the seed entropy by just four bits.

Less than a byte.

2^4 is 16, adding four entropic bits makes the problem 16 times as hard to solve.

Entropic bits basically measure the difficulty of guessing something.

If you have perfectly random (or close) RNG and generate 8 random bits, thn there are 256 possible values you could have generated. So if I want to guess your number, it'll take at most 256 tries.

If you generate 16 random bits, it'll take at most 65535 tries.

Each bit doubles the difficulty.

👍

You should write your thoughts possibly in one message then there is a chance to pin it

You can write this idea on #community-meta

Or open issue on meta repo

Hey guys, I have a very urgent question regarding the AEAD encryption scheme. So I have read that the AD (associated data) is appended to the ciphertext (using AES GCM) and then sent to the client/server. My question is: Is the AD appended in cleartext? Does it have a variable or fixed length?
I would be happy to get an answer on this. 🙂

scapy is installed in python3.9 ?

You must install it on your own

AD can have variable length iirc and it's appended to plaintext

But I am not sure

does anyone know how to move around blocks like for example ["3123af3432f2323"], ["95054f99a909aa9"], ["9023ff20920a0"], ["439223ff2899a"] into different positions

I'm trying to replicate the functionality of https://github.com/x89/Shreddit with https://github.com/ellygaytor/trasheddit but I'm concerned about storing passwords in plain text. Is there a way to do this without sacrificing a ton of functionality?

I think it is installed already . I am able to use scapy in my python code.

@heavy atlas No

oh ok

got it

👍

almost fell for it, the page looked very convincing

Ah right. In general, you should be skeptical of such links.

Hi
Need your ideas about api bruteforce protection

There is an endpoint https://host/signin/ with a following request available:
POST
body: {
"username": str,
"password": str,
"recaptcha token": str
}

It's ok for web clients. But mobile app hasn't recaptcha.
What is a secure ways to disable recaptcha validation on api side only for mobile app clients but not for whole endpoint?

A bit of update on the proxy I was setting up. Currently using mitmproxy and python and it seems to be pretty robust. Just passing by to say thanks to you three for the tips and help.

@nimble lily @lapis radish @abstract jackal

So yeah, thanks. 🥰

mitmproxy is GOAT pretty much all the time, I don't know how I got by without it

I'm sorry I don't know the correct solution but I'm pretty sure that's not how you want to do it ... Anyone who wants to brute force can use a mobile useragent to do so

Hi mates, what should I learn first in cybersecurity? I've seen many videos but I'm not sure about it

check out hackthebox.eu and go through one of the paths there

but to be direct, you should learn how networking and web development work and get really good at administrating linux and windows because you kind of need to know how things are supposed to work to learn how to exploit errors in configurations

thx bro

I though about asking it in ot, but it seems this channel would be better...
Did anyone read Mastering Python for Networking and Security? By José Manuel Ortega
My sib got the book and I'm wondering if it's good. I don't really read ebooks but the topic was once in my area of interest and I wonder if I should get back to it... And it could be useful for my work if the book is good

I have a Discord bot that runs on a VM on GCP, with incoming traffic blocked (not allowing HTTP or HTTPS traffic). It connects to Discord using discord.py and uses smptlib to send emails. I'm the only one who has access to the code and VM. Is it possible to hack into the bot and access data files somehow (other than logging into the Google/Discord account that has access to it?

I want the new Matrix movie to be: Protagonist Matrix installs super 1337 hacking skills into their brain but finds that as a result, there was a payload and they now have to spend the entire movie looking through their logs to identify the problems in their compromised brain. And moral of the story is, you can no longer Matrix install anything because it's never secure.

<@&831776746206265384> this feels a lot like an advertisement.......

Exactly. You right. Identifying mobile app only by user-agent or custom header like X-Client=mobile is a really bad idea.
That why I want to discuss another approaches, like hmac or so

Speaking about web apps security, you can start from owasp top 10. Hussein Nasser has good video about it

E.g. we can use jwt with rs256 in header for non-authorized POST requests from mobile app

• mobile app produce jwt and use private key to make signature.
• backend get header with jwt and use public key to validate signature
  But unfortunately, there is no safe places in mobile app where to store secrets like private key.
  As temp solution it's ok but generally not good.
  Maybe someone can advice other approaches?

I'm new to cybersecurity and encryption. How would i go about making the messages in a "chat room" encrypted?

there's different levels of encryption, to make a "secure chat" you would use end to end encryption, to make a "secure message" you would use something like public-key encryption. Those would probably be a place to start looking because it's a massive field.

I've watched a couple videos but the main issue i have is how do i send the key to the server?

I'm sure there's a simple solution

hi so i have a question i use a virtual machine and i would like to have more security by isolating it from my home network so malware doesn’t spread, besides a whole new router are there ways to do this?

Over an encrypted channel to the server. Just TLS is fine for this

e2e works by letting two parties communicate through a third party, but establishing an encrypted session between them

The two parties don't actually need to connect to eachother, only the encrypted session is between them. The server acts as a man in the middle, but isn't a party to the encrypted session.

https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange

This exchange is carried out using the server as a man in the middle. But the server still isn't a party to the encrypted session because neither party divulge any secrets to the server. The server only sees "public" information.

TLS is great because it save a lot on the more resource intensive operations of encryption by only using the asymmetric-key for establishing a symmetric-key encrypted connection, kind of giving you the best of both worlds.

Biggest issue is the awful system of certificate authorities

Fuckin certificate cabal out here

thanks for your response. I need to setup an encrypted TLS channel between the clients connected to share the key?

...no

The clients connect to the server over TLS

the server acts as a middleman.

You don't connect the clients to eachother

Encrypted channel =/= connection

An encrypted channel is just a means by which two parties can send data between eachother in an encrypted way

It doesn't require connecting to the other party of the channel - only transmitting something to them somehow, which you can do through a third party

Cueball connects to Server over TLS.
Megan connects to Server over TLS.
Cueball publishes key over Server, Megan sees it.
Megan publishes key over Server, Cueball sees it.

Cueball and Megan compute shared secret.

Cueball sends message encrypted with shared secret to Server. Megan looks on Server and sees it

Megan decrypts using shared secret.

This is what e2e typically implies. Like Whatsapp

Whatsapp is e2e but doesn't connect parties directly to eachother. Everything still goes through their server.

Managing that kind of p2p connection is a huge pain.

Right, but you can still use a middleman for that.

And should in most cases.

I mean yes

but one party has to connect to the other somehow

So that requires one person to set up a server.

p2p connects two clients to eachother directly, but you still need a server for NAT punching.

hiiiiiiiiiii

help

i want a download a video of youtube

@cold coyote You're familiar with the basic idea of NAT right? PrivateIp sends tcp/ipv4 packet to Google.com with a free source port, and so the router will send packets from Google.com with that destination port to PrivateIp

Ok, there are 4 fields we care about in the tcp/ip stack here

When sending a packet over tcp on IP, you have a Src port, a Dst Port, a Src IP, and a Dst IP.

The reason you need a source port is so that when the other computer sends a reply segment, your OS knows which TCP stream it belongs to.

So every time you open a connection, you actually open a port. Your computer will pick a high port number which is not currently in use.

So you actually open a port as part of this.

ya

You send your traffic to google.com:80, and google.com sends its traffic to yourip:64532

or whatever

Only once the connection ends, but yes. Then that port will be available again.

It's less about protection and more about letting private machines reach the internet.

The problem you have is that when your router forwards a packet to google, it has to change the source IP to your network's public IP.

So when google starts sending traffic to your router, how does your router know which machine in the private network that traffic needs to go to?

That's what NAT is.

Works like this

You send this packet to your router:
Src Port: 64532, Dst Port: 443
Src Ip: 192.168.0.3, Dst Ip: 142.250.72.46

Your router might not have 64532 available, so it picks a random free port from its list of free ports.

It alters the packet and sends it to the next machine in the route, with this info:
Src Port: 63245, Dst Port: 443
Src Ip: 54.89.256.12 (your public IP), Dst Ip: 142.250.72.46

Now it needs to remember this info, so that reponse packets can go to your computer.

It writes down "Traffic with the destination port 63245, needs to go to 192.168.0.3:64532"

So then google sends a packet with the destination port 63245 and the destination IP 54.89.256.12 (Your public IP)

No

The connection closes when there's nothing else to do.

This is how you get packets into the network

Could be one packet or 600

This is just NAT, not TCP

The only part of TCP we care about is the ports.

Google sends a packet with the destination port 63245 and the destination IP 54.89.256.12 (Your public IP)
The router remembers that traffic for this port needs to go to the internal IP 192.168.0.3:6 on port 64532

So it alters the destination IP and port to those, and sends the packet into the internal network where it reaches your computer.

Now the part where p2p happens.

When all this happens, Google's server knows an IP and Port it can send traffic to to have it reach your computer.

Right?

Google can share this information.

If it tells another computer that your computer can be reached on that IP and port, that computer can now reach your computer on the connection which was opened with Google.

And that's how p2p works.

You have a central server which acts as a rendezvous

Megan and Cueball both open connections to this server, allowing their computers to be reached over the public IP through NAT

The rendezvous then shares Cueball's information with Megan, and shares Megan's info with Cueball.

So now Megan knows an IP and Port she can talk to Cueball over, and Cueball knows an IP and port he can talk to Megan over

@nimble lily Thanks alot for your help. So i need two servers? one as the middle man relaying the messages and one for sending client keys over which uses TLS?

Now they can talk without the server. But that's a pain, and you still need the server for rendezvous.

You need server.

ye ik

You said two servers

You only need one.

i thought you replied to networksuspicion saying we would need two

I don't know or particularly care how this script works. I just wanted to explain p2p so you know how it works so you can make an educated decision on when to use it, or not use it.

From what I've gleaned, p2p is probably not necessary or beneficial in this case.

Unless you need to handle a fuckton of load, in which case p2p can distribute a lot of the load.

You can run a cheap VPS for like $5 a month

or less

I think google cloud offers a totally free tier. It sucks, but it's a reliable public IP.

Works for a rendezvous or low load middleman.

this is for like a chat room, right?

Ok, so only two.

Originally he said chat room

But by "room" he might just mean two people.

Either way, no matter what you do, you need a central server somewhere for clients to reach.

You need at least one server

how is Person A going to send traffic to Person B?

That's the question you have to answer.

Someone has to act as a server and someone as a client.

that's fine, but you have to have one person who can set up a server.

They'd have to configure their router to allow access to the service.

Keys aren't secure unless they are randomly generated

With the exception of derived keys. But that's not relevant here.

Use secrets

It's all about generating secrets.

Including secret keys

No, that'd be insane

Just do DHKE.

You don't need to generate new keys for every message if you have a key which is secure and not known by anybody else.

Is there a python code that detects malicious files in github?

I want to use it and add my own lines, if there is any pls it better be a known one(like 1k stars or more)

wait is that even possible to guess wether if there is a malicious code? if the code is just messing up, except with an ai i don’t get how would you do that

if the file that the script is checking has keywords in a specific order (e.g. overwriting or deleting files, keylogging, etc.), then it can make a good guess that it's malicious

right but that cannot be really efficient

i can make a malicious program without those keywords trust me

it wont be haha
that's why malwarebytes/macafee/etc. are the best option. theyve been in business for a long time and thier software is good at its job

you can get decently far with just signature detection

key words don't exist in binary. Malware detection which isn't signature based looks for specific system calls

since to do anything interesting to the system, you obviously need system calls.

is there any way where you can use a brute force attack of every possible combination of numbers and words?

I know that it'll make my pc shit its pants , but is this practical?

like If I make a list of every words and numbers from 0 to 10 and make there every possible combination and try to do a bruteforce attack

Every possible combination is the definition of brute force.

The difficulty of resisting brute force comes from the difficulty of guessing the secret

It's impractical against a secret which is reasonably hard to guess. The specific measure of this difficulty is called entropy

Each bit of entropy which the secret has doubles the difficulty of guessing the secret

thanks for the Information it was very helpful @nimble lily

Hey @visual moon!

!code-blocks

Hey @visual moon!

Hey @visual moon!

If you're trying to post a brute force script, don't.

For one thing brute force is impractical since most things have reasonable entropy.

There are exceptions to this rule. But it's generally highly unreliable.

no I was just trying to show the code that I am using to generate every possible combination of words and numbers and ahci characters

Sounds like a brute force script, so

If you're trying to post a brute force script, don't.

oh okahy

print(“oh no. Cringe”)

It really all depends on what you're trying to do. Do you want a messaging app? Signal is good. Do you want to be able to encrypt single files? PGP works fine.

If you just want to know algorithms then AES, triple DES, RSA and blowfish are the major ones among myriad others.

Fuck aes

all my homies use xchacha20

^ oh yeah and xchacha20, which is faster and more secure than AES iirc

xsalsa20 is faster and better than aes

xchacha20 is faster and better than xsalsa20

You can negotiate a secure channel between two parties with dhke

oh yeah, you're the dude from yesterday or Monday that shady katy spent like an hour helping

Even if they're talking through any number of middlemen, dhke will work. Once the channel is established, middlemen can only see the encrypted junk

A middleman could interfere with the initial key exchange, but only if they can convincingly play the other party.

https://www.youtube.com/watch?v=NmM9HA2MQGI

AES was formalized in 2001

First published 1998

In the decades since then, we've developed newer better math. This isn't to say that AES isn't secure, just that we can do better.

All I'm saying is that cryptographers haven't been idle for 20 years

They're constantly working on new stuff. Some derived from or based on old stuff and some not.

yes. Even if you can't decrypt the data, cryptanalysis is possible.

For example, if you were to generate a key, then break an image down into blocks and use AES to encrypt each block, two blocks which had the same data will have the same ciphertext.

Here's the consequence of that:

You will never decrypt this without the key.

But you still know what it is through cryptanalysis.

By which I mean looking at it.

Yeah

You know what it is. Can you produce the original bytes?

You can't, because AES works, but it doesn't matter in this case. You can tell what the data is based on which blocks are similar to other blocks.

This isn't the fault of AES in particular, but that's just an example of how information can be leaked even with a secure algorithm

Also, even if we consider AES to be perfectly secure and assume it can never be broken ever, we still want faster cryptography.

So we want algorithms which are at least as secure as AES but can be done in less time.

it's not relevant to this example, I just didn't feel like going into a whole tangent about diffusion and thought this would demonstrate better.

The point isn't that salsa20 (of which chacha20 is a variant) solves the specific problem with this encrypted image - the point is just that even if you can't decrypt the ciphertext, you can still potentially learn stuff

And also, we want things to be fast

@nimble lily trying to learn the libary you recommended, are the keys meant to be like this or am i missing a step, I just wanna make sure I'm not messing up. ```b"\xd8\x1ebw\xd9!\x8a-\x08\xe8\n\xff;\x1c\x91\xb4\x83'(\xf4'\x87\x98\x1f\xeb&\x07P\xbft\x7f|"

b"\xc0<t\xc2\xa7]\x82\x19\xa1'gTy\xf2\xb9\xae_\x1fc\xd6(\x08\xcf\xfc\xbej\xe9=\x9c\xbf\xb0c"``` public and private

i just should it should be longer

>>> len(b"\xc0<t\xc2\xa7]\x82\x19\xa1'gTy\xf2\xb9\xae_\x1fc\xd6(\x08\xcf\xfc\xbej\xe9=\x9c\xbf\xb0c") * 8
256
>>>```

that's 256 bits

RSA is the algorithm with insanely long 8192 bit keys and shit

modern day asymmetric ciphers use elliptic curves and require fewer key bits to be secure

so this is a good and secure key?

ye

it's twice as hard to break as a 255 bit key

which is twice as hard to break as a 254 bit key

Difficulty of directly breaking a key grows exponentially.

You don't need that many bits. It'd take a long time to guess b"\xc0<t\xc2\xa7]\x82\x19\xa1'gTy\xf2\xb9\xae_\x1fc\xd6(\x08\xcf\xfc\xbej\xe9=\x9c\xbf\xb0c" by guessing random numbers

that's a lot of numbers

ye alright, thanks

Just use TOR for that

It makes more sense to use it than to try and roll your own anonymity solution. A ton of work goes into making it secure against deanonymization attacks. Rolling your own is probably super vulnerable to timing attacks and traffic correlation

You'd be anonymous from the destination, but you only need single-hop for that

doesn't matter.

chaining proxies through not-tor is ass, but more importantly doesn't have to be handled by you. As long as you make it work with socks5, the user can chain things however they want

And if supporting socks5 is to annoying, they can still make it work with proxychains.

largely "not having to write your own IPtables rules"

Yes, because TOR is socks5

If you support socks5 then they can use whatever socks5 configuration they please

sounds pretty much good

lets say me and networksuspicion was using the chat room for illegal stuff, even if the cops fount out it was us, they would still have no way to decrypt the evidence right?

just a scenario :p

This doesn't necessarily matter. What matters more in modern times isn't protecting the data, because they know everyone uses encryption. What matters in modern times is building a network of who is talking to who based on metadata

TOR helps with this

Plenty of people have been compromised despite using TOR, but not because of security faults in TOR itself. Instead because they fucked up

probably my favorite is the harvard bomb threat guy

Harvard received a bomb threat emailed through guerilla mail during finals

The originating IP header was a tor exit node, so it could be determined that the mail sender was using TOR

So harvard looked in their flow logs to see if any students on the harvard network were using TOR at the time the email was sent

Can you guess how many students were using TOR at the time the email was sent?

One

You think maaaaybe he did it? well, we know now that he did.

wait the guy who send the threat was an extremely intelligent person at his own extremely intelligent school?

intelligence =/= knowledge

amen

why would he use the schools network to send the email through, silly billy.

Yeah, since he did it during finals it was suspected to be a student

shoulda gone to starbucks.

potentially. but there are still plenty of ways that could be discovered

operation security is hard

ricochet is fucking awesome

I believe they're similar in that case, I don't have any data to back that up but either way they're both pretty quick

self authenticating identities are based as fuck

:incoming_envelope: :ok_hand: applied mute to @hidden spoke until <t:1634832376:f> (9 minutes and 59 seconds) (reason: duplicates rule: sent 4 duplicated messages in 10s).

I need some advice. Im trying to write a python script to look for malicious network traffic. Does anyone have any advice on how to get started on this? Thank you.

how to hack

i need to make some kind of protection that only i can access and hide/lock pics vids notes

ez. Just spend like 4-5 years learning computer science, operating systems, and network config, then 3-4 years doing sysadmin and dev professionally for the exposure and practice, and by then you'll have a pretty good idea of it

I am not sure that Python is suitable language for that

<@&831776746206265384>

Create encrypted volume like LUKS volume

You can also write your own tool which can work as simple notepad but with some cipher under hood

Anyway you can take a look at scapy sniff function

https://scapy.readthedocs.io/en/latest/usage.html#sniffing

Thank you I'll check it out!

Is it possible to protect the python source code in an .exe file well enough to detour essentially anyone but hackers that would be able to break through any language's source code protection methods? I've found methods like obfuscating code and then taking that code and making it into a C binary file or something, then making that C file into an .exe file.
From what I've read that seems to be essentially the best way, but I thought I'd ask here anyway because (1) I can't figure out how to actually do that so I am procrastinating here instead of figuring it out, and (2) in case there is a better method.

(also not all my code needs to be "super duper hyper" secure, just like 20 lines of it. So if it's as simple as writing that in C / C++ and using some special interpreter than that would be a relief).

don't waste your time

obfuscation is a constant arms race

Obfuscation is not security

You cannot rely on it

Yeah. I sort of came to the conclusion before I asked here that the encryption/decryption code I'm using will have to be run on a secure server to be genuinely secure for who ever wants to use my program. I'll likely do my best with obfuscation and then add a tick box or something if the user wants a higher level of security. Still thought it was worth asking though in case I didn't research into everything 😄

An executable file is actually really easy to read, you just need an exe parser

uh

sure

ok

if you don't want users to see your source code and the code runs on their machines, then you should use a different language than python

also this. I have no idea what you're doing, but Obfuscation is a waste of time.

Most of my program is just Tkinter code for UI and removing and adding text. I've built a whole encryption and decryption system for that text and it's all come down to about 20 lines out of about 1,000 lines of my code being the one thing that isn't safe to allow a hacker to find (creating a encryption/decryption seed from a stored hashed password). So if I could give the user an option to store their hashed password on a server, instead of their local machine, that would allow for much better security.

Have you ever heard the expression "don't roll your own?"

Nope, but I'm worried I've completely overlooked something now...

I think its fine to play around with making encryption, but people are not for the most part writing their own encryption. Theyre using libraries other people who dedicate their lives to encryption have written already and take into account more things that you could ever account for on your own without their experience.

https://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own

The way mine works is essentially taking the letter A for example and assigning 1024 random characters to that letter using a seed, generated from the password you put in when initialising the software. As far as I can think of, I don't think that can be brute forced or hacked through, at least the idea of it (like decrypting an ancient language without context, kind of impossible). I can basically guarantee someone would be about to find the data in memory or something though. If someone can do that that though I'd just give em the data tbh.

It's mainly a personal project, that can be given to friends or people who ask for it, so I'm not going for state of the art security, just good enough for me, which is more of "it depends on the effort it takes to implement".

lol wut

getting it out of memory is trivial

all you need is gdb. So the encryption isn't even doing anything?

anybody can do it. You don't need to be a hacker to use a debugger

1024 "random" characters is only as secure as the seed too. I bet you're using mersenne's twister, I hope to god it was urandom seeded.

something something dunner krueger

anyways can you clarify how your encryption/decryption system works

b/c im not really sure how you're reversing "1024 random characters"

and where is this "encrypted" data being stored/transmitted anyways

I basically guarantee I'm overlooking a stupid amount of things. I've so far spent most of my time doing the UI and stuff, but I plan to try and think through as much as I can as hard as possible later on. But yeah, getting it from memory is easy (but I have no clue where to start in defending against that).

@fading plaza Should I send some code and explanation or just an explanation?

code would be nice

(but I have no clue where to start in defending against that).
Nowhere

You literally can't.

Which is why it shouldn't be relied on

anyways getting it from memory is irrelevant, because that would mean the attacker already has access to the target's computer

which is game over already

wait, wtf is your threat model here?

^

If you put it that way then tbh that server idea isn't worth it, as that was to try and stop them skipping the password entering to decrypt the code I'll send in a sec.

Is the person who owns the computer not the "attacker"?

If they aren't, then why do you need obfuscation lol

In case their computer gets compromised, just as a precautionary step to make it even that slight bit more time consuming to get at

?????????????????

where

is this encryption used

So if all you want is to protect against theft, encrypt at rest.

Obfuscation provides zero security

encryption at rest is unbreakable if done right

but not using your algo

use xchacha20

or aes

or gpg

or literally any other (well-known secure) cryptosystem

wait a minute

a key manager is a good example of a secure use of encryption at rest. There are plenty which are completely open source, (NO OBFUSCATION) and yet are still secure.

Research how those work.

are you encrypting the passwords client side

then sending it to the server

for it to store

or what

So this is a password manager for context and this code is spread throughout a couple .py files, in case some things don't line up, that is why. (this as opposed to all my passwords being on a text file, so I know I could purchase one but I'd like to have my own version)

REMOVED

LOL it literally is a password manager

A password manager isn't secure because of obfuscation

it's secure because of cryptographic entropy encrypting the data at rest

wait this is literally a monoalphabetic substitution cipher

Yeah I know. That was just to stop any like 12 year olds from fiddling with it. Definitely not to secure it.

just do this:

step 1) generate a random secret key

step 2) derive a secret key from the master password which unlocks the store

step 3) encrypt the passwords at rest using the secret key from step 1

step 4) encrypt the secret key from step 1 at rest with the secret key from step 2

reason for doing it this way is so that once you have the key store unlocked you can change the password without having to decrypt and reencrypt everything in the store.

Instead, you generate a new derived key from the new password and reencrypt the secret key with it.

Also allows you to generate backup codes, etc

You can have as many valid passwords as you want, and you just encrypt the secret key with a derived key from each.

use pynacl for your secret keys and derived keys

ez

and good

I think I get what you mean, definitely can't think of how to do this in code atm as it's really late for me, but I'll copy what you've said and try to use it when I come around to making sure my stuff is secured properly!

Does that system I made have any merit to it though? Because I'd definitely be fine with using a less efficient version of encryption and decryption (with it being already coded and all) than fully remaking it for a more efficient one.

it's not about efficiency

but the issue with yours is that it's just a substitution cipher

Which I'm guessing isn't very secure by the way you word that 😄

it's not at all secure. Even making remotely useful cryptography is unfortunately very, very, very hard.

The good news is people like us don't have to. Encryption algorithms are worked on by people who spend years studying and researching the math.

Even if you copy an existing algorithm, implementing an encryption algorithm securely is still difficult

Everyone who uses encryption for a project they want to write uses a library for it. It's not something you do yourself

The only time to write your own encryption for a project is if you're writing an encryption library.

Yeah I probably should just go with a tried and true method. I'll have to think about that because until about 10 minutes ago I was very happy with my design (which is probably what I get writing it before I looked into all of this stuff)

I mean it is fun to fool around with - no issue with that

I encourage you to read a bit about modern cryptography and what makes it secure or not. It's pretty interesting, maybe you'd be interested in studying it for real

Serious Cryptography is a decent book if you like books

Definitely will. Just the bit I've read so far trying to keep up with some of the terms have been really interesting.

Do you think it's worth just trying to use a tried and tested method, or just keeping the one I've made? I don't exactly have dozens of hackers trying to infiltrate my data, but I also would like to not be ignorant about it and have my stuff stored in a way that's as easy as opening a text file is for a hacker to get into.

Depends

I don't have any experience in the ease of getting through that one I've made (which may be clear), which is why I ask.

If you actually want to store secrets securely then I would just use keepass, which is free and open source if you don't want to pay for a proprietary key manager

If you just want to mess around with writing a key manager, then knowing how to use an encryption library like pynacl is good programming practice.

So I definitely think it's worth rewriting, but I would err away from actually storing anything in it regardless.

As bit more info as far as the existing encryption goes, one problem with a plain substitution cipher (swapping each byte for another byte) is that if you see two bytes in the ciphertext, you know that they came from the same plaintext byte.

So you really only have to guess 256 different values

you can also do frequency analysis

Since you know two bytes in the ciphertext came from the same plaintext byte, you can make a graph of how often each ciphertext byte occurs

Then you can potentially guess what the plain text is based on which input bytes are likely to be common.

the 1024 byte tables is also not fully used - only encryptiontable[i] is used, and the number of possible i values is less than 1024

I think I'll look into integrating pynacl into my program since I seriously like the ability to have the password manager in an even bigger program that I can further develop, as a feature. Currently (this'll probably make numerous people in this security section faint but) I've got my passwords in a txt file on my desktop as they're too long to remember and all different (just realised after reading again I already said this). Probably isn't safe to mention that either, but the upgrade from .txt to at least a level of encryption is likely more secure than 70% of people's passwords on the internet. If someone could run stuff on my PC to gain access it'd probably just be a better idea to encrypt everything I own and ransom it off to me anyway as opposed to decrypting my passwords, as they'd probably not realise that I have that on my PC unless they dug through everything.

I suppose the encryption I made isn't the worst. For the frequency analysis and other methods, it's not a 1 way ticket to perfect decryption and would still take hundreds of attempts putting in the wrong guess into an account to get the right one (I think at least). So I'll pat myself on the back for that.. and then swiftly throw it away for a better one.

Ty for the help and info though!

You made something though, so just keep doing that with other things and continue to be open to input from others and you'll do great

Yes, that's what I meant by there is nothing wrong with playing around with it. Just know that you're not going to design the most secure in the world right away if that's what you want to get into. And in the end if what you want is to secure your application, most likely you wont be doing it with your own security scheme.

can you please make me one?

could someone help me with my openCV school project?

Whats your problem to solve?

i have some code that detects people but i need be able to mark some area wich is like no-go zone and it will start alarm or write some text and I dont know how to do it

Get the no-go zone area positions then check each time if a x/y is smaller/bigger than the no-go zone. If it is then use any sound library for making a sound and write text with OpenCV

could you help me with the no go zone?

i never programed and i have no clue how

this seems more appropriate for #❓｜how-to-get-help

I want to take input from keyboard and thrn encode it into a sha256 hash

 x=input("enter string")
y=hashlib.sha256()
y.update(b"((((here i want to use value stored in the variable but it is treating variable name as string and converting it instead))))")

anyone to help()

Update method only supports bytes, not string input. So you need to do something like x=bytes(x, 'utf-8') or whatever first

https://subscription.packtpub.com/register packt free weekend, there's some good python security books on there especially for beginners

Nope, I cannot

Use str.encode to transform from str to bytes

!e

data = "Text data"

import hashlib
h = hashlib.sha256()
h.update(data.encode())
print(h.hexdigest())

@lapis radish :white_check_mark: Your eval job has completed with return code 0.

b890490f85cd5a8569fee6ace83fb89a66a8200a4d64bc49b2a39a9eb0db5cef

ok

!e

!e e

Use #bot-commands to deal with !eval and other commands

ok sorry broo

what is a good hashing algorithum for passwords

bcrypt

do you know of any good modules for bcrypt

https://pypi.org/project/bcrypt/

Hello, I would like to make a proxy that allows each user to help host this one, do you know how I can do so that the user cannot access the request that the proxy does nor modify the code? A bit like Tor

Argon2 is fine too

Hmm, isn't it more #networks thing? Basically when you forward HTTPS traffic then you cannot read HTTP content iirc

hmm, except if I do it wrong (which is highly possible), I get the url of the site and have to make a request, so I have to decrypt

I think if you distribute the cert you can read SSL traffic, but then you have to reencrypt it iirc if you're routing traffic through multiple boxes.

This is why TOR works through socks5, not http

each hop in the route sees only the next destination and the previous hop

Can't really do this with an HTTP proxy

how to hack

what differnece do the linux haredened kernel really make

what type of security do google maintain

is this any function bytes()

Yes, it's a built-in on 3.10 for sure, I think maybe it's to_bytes in older versions (or maybe that's something different)

*** I worked on plan but when cross-colliding with original way there arises different outputs***

see different outputs

Do not add ' when you are typing input

!e

import hashlib
h = hashlib.sha256()
h.update(b"hello")
print(h.hexdigest())

h = hashlib.sha256()
h.update("hello".encode())
print(h.hexdigest())

h = hashlib.sha256()
h.update(b"'hello'")
print(h.hexdigest())

@lapis radish :white_check_mark: Your eval job has completed with return code 0.

001 | 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
002 | 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
003 | d543699194a3343443ab84395c0464b018f12e31df1b5e829d65c4440e90b9a5

thanks @lapis radish

how can python help u securing code

QUESTION

premise: I am creating an DESKTOP(mostly windows) GUI app, that needs to connect to remote storages (currently only nextcloud via webdav) provided by the user and check and download files. I want to implement a way to have it constantly update in the background (every 5 minutes or user specified). I have no access to the remote storage and the main point of the app is to process the files after downloading. I would like to make the configuration as painless as possible and as easy for non-technical people as is possible. The app only communicates with the user specified remote server and only reads from there. It does not call home, has no telemetry and is able to also run completely offline, by providing the files manually.

actual question: What would be the best practice if I want to give the user the option to remember his remote storage login data (username, password)? I would like to make it in a way that remembers it between sessions, if it would be only for the current session I could just store it in the environment probably.

Is there a best practice for that?

some thoughts that are probably unsafe:

• Should the app create an env file in the Appdata directory with the credentials?

• Store the credentials in clear text inside its sqlite db?

• Store the credentials in clear text inside its .ini config file?

• Pickle the credentials?

• store the credentials anywhere put encrypt them? (but isn't this useless as the key would have to be stored inside the app and be accessible?)

• am I overthinking it for an desktop app?

Basically you shouldn't store storage login data in plaintext - so you have an answer that you need to create some local encrypted storage (encrypted database or even simple text file) which will store data in secure way

but as my app has to decrypt it to use it again, won't this make the decryption useless because the app has to have the decryption key in the source code?

for info: My app stores everything it stores on the users computer. It does not call anywhere except the user provided remote storage.

User need to put some passphrase before doing decryption

You can always use any other authentication method (like key-file or similar one) but passphrases are simple and it just works

storing that keyfile in the users files-system would be ok?

sorry for those questions, I have almost not experience with security and therefore do not want to reinvent the wheel, but make sure that I am as secure as I can get. Or realize what I want to do is not possible.

thank you for the answers you already given!

You should store this kind of key-file on external storage. I never used this option because passwords are easier to use (for example there can be a problem to attach external storage to mobile device).

I have no problem with your questions, this channel is place where you can talk about beginner things as well as advanced ones too

this would make the app not self contained anymore, sadly.

Will have to think if there is a work around or if I am abandoning the remember thing.

Why you cannot require that user need to provide password?

there is no server

this is an desktop app that gets files from a user provided (currently) nextcloud storage.

I wanted to make it easy as QOL for the user to only have to input the logins once, and have start the application whenever they want and it will auto update the files and process them.

so that they would not have to always provide the credentials when they start the application (as when they go to the nextcloud web interface, they are used to having it autofilled)

Sorry, could you write the accronym out? do not know what this is.

but to connect to different remote servers I have to get it back to plaintext.
so how would I store the key to decrypt it back, if source code is easily accessible in python? Some variation on Hardware ID? or some other enduser specific variable from the os?

The server is user provided I just access via the user provided auth, the application itself is self contained and on purpose does not have a server behind it, only a local sqlite db.

it is fully running on the users system and has no server on its own, and I have no access to the possible servers the user can enter.

think of it like accessing a cloud storage via your browser, the browser has no access to the server, but can still autofill your "stored" credentials.

You can do something secure or easy to use

You don't need username/user ID to protect credentials in local storage

@upper fern check this

Thank you very much!

That's hat I feared, just wanted to make sure that there is no best practice or so for it before facing that reality 😉
thank you again

You're welcome!

Hello guys, I'm new here and I have a simple question
I want to install a piece of software within a docker container on-premise, so that my clients will have it on their computers, now the question is, how can I encrypt/secure my container so that they can't access my source code? something like they could pull the container only to run it not to access the source code

Check PyArmor - you can store obfuscated code in Docker container

beat in mind that the best you can do if you aren't running a thin client is make it kind of annoying

Agree, better way is to distribute binary without source code and the best way to protect your source code is to distribute your software as SaaS

@dawn kite

I always do that, but some clients have this requirement that you should install everything on-premise so I was asking if anyone had to do something like that and what options do I have?

In my company the program is distributed as binary (there are DEB files to make easy installation on Debian-like OS-es) with licence file, maybe you should think about compiling your project (or part of it)

Core functions can be done in Cython for example - then you can just share wheel files without Cython code

You can even host simple PyPI mirror to provide easy installation for your clients

Cython ok, I think that's a really valid option since I'm not sure that they'll have an internet connection all the time, I wanted to be as local as possible. I'm sorry for my requirements 😆
I'll try to go on using Cython a little I hope it's not too hard, any materials or recommendations from your experience?

From my point of view it's fairly easy to port your Python code to Cython - just check official docs. Feel free to ask your Cython-related questions on #c-extensions - there are guys whos are going to help you 👍 They should have more experience in packaging and distributing Cython modules

Man thanks ALOT!!🙏 I will

Good luck!

If you only intend to support Windows, there is the data protection API (DPAPI), a system interface that allows you to have secure and easy-to-use encryption for either the user or machine context. I've never tried to use it from Python, but it seems like there are a couple of Windows libraries that provide interfaces to it.

What is the purpose of using a jwt if any one can decode the information?

it's cryptographically signed, so the authenticity is still assured

can't be modified without changing the signature

But if the jwt is stolen, someone could use it or view contents correct?

I was thinking its hashed like a csrf token.. but it is only encoded and not encrypted

well, they're signed using the private key...

what's to steal?

The signed token is only valid for the client it was issued to

Another client can't alter it

That would break the signature

I did a test

I created a token in Firefox.
Copied the FF token
Opened postman
And access a private endpoint with the copied token

Explain?

The point of a JWT is to publish a record, signed by an authorized party, granting some permissions to some other party

So yes, if you copy a token, you can use the permissions of the token.

You can't modify them

Perhaps I'm using it for the wrong purpose

I'm saving jwt in session for user login

A good hashing algorithm is pbkdf2!! It's handled by hashlib standard library...

PBKDF2 is more a scheme than hash algorithm itself

guys does anybody here doing data anonymisation or de-identification using pandas ?

which is a bigger threat, python, or javascript?

and why

can you elaborate on what this question means?

JWTs are basically session but stored on the client side instead of the server. There's little point to storing a JWT in the session

You can use JWT to handle user login

Like this:

{"login": {"username": "shadykaty"}} <- embed in JWT (signed by the server), send to client.

Then when my browser wants to access a page authenticated as me

It sends this JWT alongside the request.

To authenticate me, the server can do something like this:

1. Server decodes JWT (since the JWT was signed by the server it can't be forged)

2. Server checks if "login" is in the JWT

3. Server accesses jwt["login"]["username"] to see which account is logged in to

4. Server treats client as authenticated as "shadykaty" and serves up my authenticated page.

JWT is basically a session, but store by the client instead of stored by the server

Since a JWT is signed by the server, the server still controls what's contained in it.

Even though the client stores and submits the JWT, the client can't forge JWTs with fake logged-in flags because it can't sign them.

right

I think i'll use JWT for OAUTH with external applications but use simple cookies for user logins