Search - "cryptographic"
So today (or a day ago or whatever), Pavel Durov attacked Signal by saying that he wouldn't be surprised if a backdoor were discovered in Signal because it's partially funded by the US government (or some part of the US government).
Let's break down why this is utter bullshit.
First, he wouldn't be surprised if a backdoor were discovered 'within 5 years from now'.
- Teeny tiny little detail: THE FUCKING APP IS OPEN SOURCE. So yeah sure, go look through the code! Good idea! You might actually learn something from it, as your own crypto seems to be broken! (For the record, I never said anything about Telegram not being open source, as it is.)
sources:
http://cryptofails.com/post/...
http://theregister.co.uk/2015/11/...
https://security.stackexchange.com/...
- The server-side code is closed (for both Signal and Telegram). Well, if your app is open source, uses one of the strongest cryptographic protocols in the world and has been audited, then even if the server gets compromised, the hackers are still nowhere.
- Metadata. Signal saves the following and ONLY the following: the timestamp of registration, the timestamp of the last connection with the server (both rounded to the day, so not to the second), your phone number and your contact details (if you authorize it) (only phone numbers) in HASHED (BCrypt, I thought?) format.
There have been multiple Telegram metadata leaks and it's pretty well known that it saves way more than necessary.
So, before you start judging an app which is open, uses one of the best crypto protocols in the world while you use your own homegrown, horribly insecure protocol, AND actually tries its best to save the least possible, maybe try to fix your own shit!
*gets ready for heavy criticism*
Her: What are you doing over there?
Me: I'm working on cryptographic hash functions
Her: is that really homework?
Me: yes, come look with your two eyes.
Her: ...
Me: crazy stuff, no?
Her: I imagine computer science is really just a lot of boxes and arrows.
Me: *flashback to UML, ERD diagrams, and logic diagrams*
Me: you are not wrong.
By learning the basis of things instead of just using them.
For example, I learn the cryptographic algorithms behind SSL instead of just using it.
Following a conversation with a fellow devRanter this came to mind; it happened a year or two ago, I think.
I was searching for an online note-taking app which also provided open source end-to-end encryption.
After searching for a while I found something that looked alright (I don't remember the URL/site, unfortunately). They used pretty good open source JS crypto libraries, so it seemed very good!
Then I noticed that the site itself did NOT run SSL (putting https:// in front of the site name resulted in 'site not found' or something similar).
Went to the Q/A section because that's really weird.
Saw the answer to that question:
"Since the notes are end to end encrypted client side anyways, we don't see the point in adding SSL. It's secure enough this way".
😵
I emailed them right away explaining that any party in between their server(s) and the browser could do anything with the request (including the cryptographic JS code), so they should move to SSL very, very fast.
Unfortunately, I never received a reply.
People, if you ever work with client-side crypto, ALWAYS use SSL. Also with valid certs!
The NSA, for example, has this thing known as the 'Quantum Insert' attack, which they can deploy worldwide: basically, they detect requests being made to servers and quickly reply with their own version of that code, which is very probably backdoored.
This attack cannot be performed if you use SSL! (Of course only if they don't have your private keys, but let's assume that for now.)
Luckily Fox-IT (a formerly Dutch cyber security company) wrote a Snort (Intrusion Detection System) module for detecting this attack.
Anyway, always use SSL if you do anything at all with crypto/sensitive data! Actually, always use it, but at the very LEAST really do it when you process the things mentioned above!
Me: I'm super tired, it's the middle of the night and I really should get to sleep already...
Brain: hey hey Condor! I've got this great idea, a cryptographic filesystem-level vault that decrypts into different files depending on what key you give it!!! Let's implement it, all-nighter, what do you think? 🙃
Goddammit brain, that's super interesting but not now!!! I need to sleep ffs 😡
I love how the Keybase Linux client installs itself straight into /keybase. Unix directory structure guidelines? Oh no, those don't apply to us. And after uninstalling the application they don't even remove the directory. Leaving dirt and not even having the courtesy to clean it up. Their engineers sure are one of a kind.
Also, remember that EFAIL case? I received an email from them at the time, stating some stuff that was about as consistent as their respect for Unix directory structure guidelines. Copying straight from said email here:
[…] and our filesystem all do not use PGP.
> whatever that means.
The only time you'll ever use PGP encryption in Keybase is when you're sitting there thinking "Oh, I really want to use legacy PGP encryption."
> Legacy encryption.. yeah right. Just as legacy as Vim is, isn't it?
You have PGP as part of your cryptographic identity.
> OH REALLY?! NO SHIT!!! I ACTIVELY USED 3 OSes AND FAILED ON 2 BECAUSE OF YOUR SHITTY CLIENT, JUST TO UPLOAD MY FUCKING PUBLIC KEY!!!
You'll want to remove your PGP key from your Keybase identity.
> Hmm, yeah you might want to do so. Not because EFAIL or anything, just because Keybase clearly is a total failure on all levels.
Written quickly,
the Keybase team
> Well that's fucking clear. Could've taken some time to think before hitting "Send" though.
Don't get me wrong, I love the initiatives like this with all my heart, and greatly encourage secure messaging that leverages PGP. But when the implementation sucks this much, I start to ask myself questions about whether I should really trust this thing with my private conversations. Luckily I refrained from uploading my private key to their servers, otherwise I would've been really fucked.
Fuck this, fuck that, fuck the buffer, fuck AES, fuck crypto, fuck node-forge, fuck IV and browsers, once I am done with this fucking cryptographic wrapper on both client and server, the first person to say decrypt and Javascript in the same sentence in front of me will get their own dick in their ass. The guy that said mixing computer and crypto was a bad idea was fucking right
Using the company's desktop computers to solve cryptographic puzzles (like mining) while the boss and someone from IT were asking to have a look at the machine, after one guy had already snatched my keyboard.
A very scary moment indeed, but surprisingly it turned out that the real reason they came was that a tech admin had recently removed a shared system account, but some faulty clients kept flooding the servers with outdated login credentials, which also triggered mass SMS on the mobile devices.
Luckily I could somehow take the opportunity to remotely call the script I had prepared that pulled the emergency brake and shut down everything. Close call.
Nowadays I think it isn't worth taking the risk just to do something that could also be done on your own home computer, even if it takes five times longer.
People seem to like cryptographic puzzles. Well, try this one for size:
b417021dc01b409ad0c21b430a508624
Answer is a sentence in plain English. Space is used, but no punctuation. Post answer to comments. Good luck :D
Officially faster bruteforcing:
https://pastebin.com/uBFwkwTj
Provided toy values for others to try. Haven't tested if it works with cryptographically secure prime pairs (gcf(p, q) == 1).
It's a 50% reduction in time to bruteforce a semiprime. But I also have some inroads to a/30.
It's not "broke prime factorization for good!" levels of fast, but it's still pretty nifty.
Could use decimal support with higher precision so I don't cause massive overflows on larger numbers, but this is just a demonstration after all.
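For readers who want to see the reductions being discussed in runnable form, here is an added example (my own code, not the poster's pastebin): trial division of a semiprime with three candidate sets, all integers, odd numbers only (the 50% reduction), and a mod-30 wheel (the a/30 idea, which keeps only the 8 residues out of every 30 that are coprime to 2, 3 and 5), counting how many divisions each attempt needs. The semiprime 10007 × 10009 is a constructed toy value; the code uses uint64 and is only meant for n below 2^63 so that d*d cannot overflow.

```go
package main

import "fmt"

// FactorWith trial-divides n by the candidates produced by next() in increasing
// order, stopping once a candidate exceeds sqrt(n). It returns the factors found
// (0, 0 if none) and the number of divisions attempted, so candidate strategies
// can be compared on the same input. Assumes n < 2^63 so d*d cannot overflow.
func FactorWith(n uint64, next func() uint64) (uint64, uint64, int) {
	trials := 0
	for {
		d := next()
		if d*d > n {
			return 0, 0, trials
		}
		trials++
		if n%d == 0 {
			return d, n / d, trials
		}
	}
}

// AllIntegers is the naive baseline: 2, 3, 4, 5, ...
func AllIntegers() func() uint64 {
	d := uint64(1)
	return func() uint64 { d++; return d }
}

// OddsOnly yields 2, then only odd candidates: half the work of the baseline.
func OddsOnly() func() uint64 {
	d := uint64(1)
	sentTwo := false
	return func() uint64 {
		if !sentTwo {
			sentTwo = true
			return 2
		}
		d += 2
		return d
	}
}

// wheel30Residues are the numbers in [1, 30) coprime to 30. Every candidate with
// a factor of 2, 3 or 5 is skipped, leaving 8 of every 30 integers.
var wheel30Residues = [8]uint64{1, 7, 11, 13, 17, 19, 23, 29}

// Wheel30 yields 2, 3, 5, then base + residue for base = 0, 30, 60, ...
func Wheel30() func() uint64 {
	pre := []uint64{2, 3, 5}
	i := 0
	base, idx := uint64(0), 0
	return func() uint64 {
		if i < len(pre) {
			i++
			return pre[i-1]
		}
		for {
			if idx == len(wheel30Residues) {
				idx = 0
				base += 30
			}
			d := base + wheel30Residues[idx]
			idx++
			if d > 5 { // skips residue 1 on the first turn of the wheel
				return d
			}
		}
	}
}

func main() {
	const n = uint64(10007 * 10009) // constructed toy semiprime
	for _, c := range []struct {
		name string
		gen  func() uint64
	}{{"all integers", AllIntegers()}, {"odds only", OddsOnly()}, {"mod-30 wheel", Wheel30()}} {
		p, q, trials := FactorWith(n, c.gen)
		fmt.Printf("%-13s %d = %d x %d after %5d divisions\n", c.name, n, p, q, trials)
	}
}
```

On the toy value the three strategies need 10006, 5004 and 2671 divisions respectively, i.e. about 100%, 50% and 27% (8/30) of the baseline. A wheel skips candidates, not the square-root bound itself, so the asymptotic cost is unchanged; the constant factor is all this buys.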
OK, fuck people. I mean the people who talk about things that are a big deal. You don't need to take a course in HTML/CSS to build a website, you need documentation.
People act like programming languages are a whole separate literacy. They're not. It is not a big deal, nor an accomplishment of any significance, to learn any language to a basic extent. Variables, control flow, functions and scope should not be considered challenging topics, and people should stop bragging about them. I'm pretty sure this is because programming is new. As people, I think when something is new we tend to think of it as more complex and harder to understand. Basic programming is not that.
OK, that was a tangent from my real point. College is a scam. Anyone can learn anything from books and the internet. Any time you want to learn about something, go to Google, search "${my topic} site:*.github.io" and you'll have a page about that topic written by someone who is knowledgeable and passionate about the topic. Colleges don't teach people how to think like these books/websites do. And I'm fucking sick of people who'd rather see a degree than a portfolio. Fuck them shits, bro. I can distinguish my smart friends because my smart friends speak logically and enjoy becoming smarter. I would take the kid who watches aerodynamics videos on YouTube and then built a plane over a kid who studied and got a five on his AP Physics exam. Watching then doing is better learning than watching and repeating. After all, creativity is not at all measured in our grades, and I'd like to argue that sometimes intelligence isn't even measured. I mean, people can say they're good at math, but the kids who talk about Fibonacci numbers and why there can never be two primes more than 7 (if I remember properly) integers apart, or the ones who prove cryptographic algorithms. I guess what I'm trying to say is the dumb kids aren't dumb and the smart kids aren't smart (well, not that), but kids who are passionate and just do something instead of waiting for their degree to do the same thing are the best and brightest. I forgot what I was talking about. Sorry, it is almost 2 am and I am intoxicated, and I don't believe I got my point across very well either.
Been working on a cryptographic virtual filesystem. But I'm getting a '\0' character at the end of each block! Been debugging for ages! Any ideas or suggestions where that might be coming from?
I've been reading about quantum computing in finance and other applications (fascinating read, although really dense), but one question now won't stop bugging me.
Context:
1) Blockchain applications are based on NP-Hard asymmetric cryptographic problems, and how hard it is to solve such problems in a really short time.
2) So called "Web3.0" is based mostly on Blockchain applications, but would still need significant advances in order to be practical.
3) Affordable and practical cloud-based quantum computing is not so far in the future, and could be used to crack most NP-Hard problems in short (polynomial) time.
Thus, my question: Is Web3.0 obsolete before it even begun?
I mean, if quantum computing takes off fast enough, it could snuff out Blockchain applications by giving them a shelf life so short it wouldn't be worth developing for it. It would be like announcing the iPhone 14 and the 15 in the same breath, saying the 15 is only a quarter away: why would anyone bother with the born-obsolete tech?
Crypto. I've seen some horrible RC4 thrown around and heard of 3DES also being used, but luckily didn't lay my eyes upon it.
Now to my current crypto adventure.
Rule no.1: Never roll your own crypto.
They said.
So let's encrypt a file for upload. OK, there doesn't seem to be a clear standard, but ya'know, combine an asymmetric cipher to encrypt the key with a symmetric one. Should be easy. Take RSA and whatnot from some libraries. But let's obfuscate it a bit so nobody can reuse it. Until today I thought the crypto was alright, but then there was something off. On two layers there were added hashes, timestamps or length fields, which enlarge the data to encrypt. Now it doesn't add up any more: through padding and hash verification, RSA from OpenSSL throws an error because the data is too long (about 240 bytes possible, but 264 pumped in). Probably the lib used just didn't notify, silently truncating stuff or resorting to other means. Still needs investigation. But apart from that: why the fuck add your own hash verification, with weak non-cryptographic hashes(!), if the chosen RSA variant already has that with SHA-256? Why this sick generation of key material with some md5 artistic stunts; is there no cryptographically safe random source on Windows? Why directly pump some structs (with no padding and magic numbers) into the file? Just so it's a bit more fucked up?
Thanks, that worked.
Hey all. So I'm a bit of an aspiring developer/engineer. I am in high school right now and am getting to the point where I should start looking at colleges. I've wanted to do something computer related and for a while now I've had my heart set on some sort of security engineer/tech/researcher, what have you. But it has been pointed out to me that computer science often requires several high level math courses, namely Calc. Problem being I'm pretty bad at Calc and haven't been able to do too well.
I'm not too sure what I should do. I'm struggling with my high school Calc classes and fear that college level courses will just go over my head. I've never had issues with math before until I got to Calc. I've got some of the basics of cryptography such as hashes and cryptographic algorithms but that's about it. Do computer science degrees really rely that heavily on Calc?
Do you know a hash function (doesn't need to be cryptographic) that I can implement without fixed-size integer types?
I already searched for a while, but couldn't find an actual fit.
It's for implementing a hasher, used by a hashmap.
!dev, sort of
So, apparently my Play Store settings get reset when I restart my phone, so Google decided to update Google Keyboard to Gboard for me (and god-fucking-dammit, that shit is absolutely useless to me). I can find older .apks on websites like APKmirror for Google Kinstall but they won't install, saying that "it seems like the package is corrupt". I'm not sure exactly why this might be happening, but according to APKmirror's FAQ it might have something to do with cryptographic signatures or with a newer version already being installed on the device. Gboard is disabled and I assume that should be enough for that, and I don't know if it would even detect it as the same app in the first place, so my best guess is that it's got to do with the former, which is why I'm turning to you guys.
Does anyone have advice for a solution? I don't have any problems getting another keyboard either if needed, but I would really like something that has both separate layouts per language and a similar swipe-to-type function, since excessive tapping really aggravates my CTS. :/ Any suggestions?