So I just wrote a Ruby script to encrypt some files in AES.

I started it, it's designed to show the key when it's finished. It encrypted 7 files, then Kaspersky pops up and deletes my entire Ruby installation.

okeh

Dance like no one else is watching. Encrypt like everyone is.

Had a conversation with someone a little while ago. I opened my email app (TutaNota) and he asked what the hell that email thingy was. Explained the encrypted/privacy reasons.

"Why would you encrypt everything?"

Because I have stuff to hide. Do you?

"Nahh I just use outlook, I have nothing to hide".

Told him to email me all his usernames/passwords, bank statements, porn preferences, emails, messages etc etc.

"But that's private data!".

Exactly.

"But I thought you meant like crime/illegal stuffs etc"

Nope. I just asked if you had anything to hide, you interpreted that as having anything non-lawfully to hide. I never even asked anything in relation to non-lawful stuff.

Because, having something to hide doesn't mean it's criminal/illegal, it means you'd like to keep that stuff private.

Dance like no one's watching, encrypt like everyone is.

When I was in my second semester of college I was tasked with creating a file encrypt/decrypt program. Take in normal textfiles and spit out a new random text and symbols file. I worked on it for two weeks and read up on all different encryption types and stuff. I was so excited when it was done. After it was done compiling I tried it out on its own source code. Encrypto.c and named the output file Encrypto.c 😰 The next thing I did was google " best version control and how to use it."

Dance like no one's watching. Encrypt like everyone is.

Happened a few weeks ago but still awesome.

Me and a good friend have a website together but we don't monitor it too much.
He studied with me in the same class but went towards frontend/apps where I chose backend/servers/security. He knows how to do basic Linux stuff but that's about it.

We were at a party when he noticed that our site was offline. Walked over to me (because I manage the server) to notify me so I could look into it said I'd look into it (phone):
*visits site: nothing*
*online dig tool: got the server ip*
*remembered this one didn't have pubkey authentication - after three passwords attempts I'm in*

"service apache2 status"
*service doesn't exist*
*right, migrated this one from Apache to nginx....*
"history"
*ah, an nginx restart probably suffices...*
"service nginx restart"

BAM, site is reachable again.

*god damnit, lets encrypt cert expired...*
"history"
*sees command with certbot and our domain both in one*
"!892"
*20 seconds later: success message*
*service nginx reload*

BAM, site works securely again.

"Yo mate, check the site again"

Mate: 😶 w-w-what? *checks site and his watch* you started less than two minutes ago...?
Me: yeah..?
Mate: 😶 now this is why YOU manage our server and I don't 😐

His face was fucking gold. It wasn't that difficult for me (I do this daily) but to him, I was a God at that moment.

Awesome moment 😊

When someone beats the level of stupidity you thought was possible.

No, when you request a Let's Encrypt certificate, you DON'T fill in YOUR OWN NAME in the "Common Name" field 🤦

Also, it explains right next to the fucking field that non-experienced users SHOULDN'T ALTER THE FUCKING VALUE.

😷

|￣￣￣￣￣￣|
| backup + |
| encrypt all |
| the things |
|＿＿＿＿＿＿|
(\__/) ||
(•ㅅ•) ||
/ 　 づ

|￣￣￣￣￣￣|
| also test all |
| ur backups |
| so u don't |
| lose all ur |
| things |
|＿＿＿＿＿＿|
(\__/) ||
(•ㅅ•) ||
/ 　 づ

Dance like noone is watching.
Encrypt like everyone is.
Sudo like you have backups.
Tag like you're a SEO.
Vim like you know how to exit.
Ticket frontend like you're the project manager.
Commit like saying "fuck you" in the message is appropriate.
Alert like you would use console.log
Design like you know CSS.
Comment like you aren't the only dev.
Code like PHP isn't outdated.

And finally:

Try to work like you know how to quit devrant.

Let's Encrypt and their free (wildcard) certificates. Simply great!

Started talking with someone about general IT stuff. At some point we came to the subject of SSL certificates and he mentioned that 'that stuff is expensive' and so on.

Kindly told him about Let's Encrypt and also that it's free and he reacted: "Then I'd rather have no SSL, free certificates make you look like you're a cheap ass".

So I told him the principle of login/registration thingies and said that they really need SSL, whether it's free or not.

"Nahhh, then I'd still rather don't use SSL, it just looks so cheap when you're using a free certificate".

Hey you know what, what about you write that sentence on a whole fucking pack of paper, dip it into some sambal, maybe add some firecrackers and shove it up your ass? Hopefully that will bring some sense into your very empty head.

Not putting a secure connection on a website, (at all) especially when it has a FUCKING LOGIN/REGISTRATION FUNCTION (!?!?!?!!?!) is simply not fucking done in the year of TWO THOUSAND FUCKING SEVENTEEN.

'Ohh but the NSA etc won't do anything with that data'.

Has it, for one tiny motherfucking second, come to mind that there's also a thing called hackers? Malicious hackers? If your users are on hacked networks, it's easy as fuck to steal their credentials, inject shit and even deliver fucking EXPLOIT KITS.
Oh and you bet your ass the NSA will save that data, they have a whole motherfucking database of passwords they can search through with XKeyScore (snowden leaks).

Motherfucker.

My company contracted a 3rd party to do an internal system for us...
We only knew about it when it was almost done and we got the code... Oooooo boy.... What a fucking shit they did and got paid for...

They have a encryptPassword() and decryptPassword() functions...

What they do you may ask?
Well...

Encrypt: for loop that reverse the string and base64 it 5 times...

Decrypt: the opposite...

That's how they store passwords....

Our intern snapped at a company meeting when they where talking about maintaining it 😂😂

I encrypt passwords with Base64

Wanted me to encrypt CSS with XML

We're using a ticket system at work that a local company wrote specifically for IT-support companies. It's missing so many (to us) essential features that they flat out ignored the feature requests for. I started dissecting their front-end code to find ways to get the site to do what we want and find a lot of ugly code.
Stuff like if(!confirm("blablabla") == false) and whole JavaScript libraries just to perform one task in one page that are loaded on every page you visit, complaining in the js console that they are loaded in the wrong order. It also uses a websocket on a completely arbitrary port making it impossible to work with it if you are on a restricted wifi. They flat out lie about their customers not wanting an offline app even though their communications platform on which they got asked this question once again got swarmed with big customers disagreeing as the mobile perofrmance and design of the mobile webpage is just atrocious.

So i dig farther and farthee adding all the features we want into a userscript with a beat little 'custom namespace' i make pretty good progress until i find a site that does asynchronous loading of its subpages all of a sudden. They never do that anywhere else. Injecting code into the overcomolicated jQuery mess that they call code is impossible to me, so i track changes via a mutationObserver (awesome stuff for userscripts, never heard of it before) and get that running too.

The userscript got such a volume of functions in such a short time that my boss even used it to demonstrate to them what we want and asked them why they couldn't do it in a reasonable timeframe.

All in all I'm pretty proud if the script, but i hate that software companies that write such a mess of code in different coding styles all over the place even get a foot into the door.

And that's just the code part: They very veeeery often just break stuff in updates that then require multiple hotfixes throughout the day after we complain about it. These errors even go so far to break functionality completely or just throw 500s in our face. It really gives you the impression that they are not testing that thing at all.

And the worst: They actively encourage their trainees to write as much code as possible to get paid more than their contract says, so of course they just break stuff all the time to write as much as possible.
Where did i get that information you ask? They state it on ther fucking career page!

We also have reverse proxy in front of that page that manages the HTTPS encryption and Let's Encrypt renewal. Guess what: They internally check if the certificate on the machine is valid and the system refuses to work if it isn't. How do you upload a certificate to the system you asked? You don't! You have to mail it to them for them to SSH into the system and install it manually. When will that be possible you ask? SOON™.
At least after a while i got them to just disable the 'feature'.

While we are at 'features' (sorry for the bad structure): They have this genius 'smart redirect' feature that is supposed to throw you right back where you were once you're done editing something. Brilliant idea, how do they do it? Using a callback libk like everyone else? Noooo. A serverside database entry that only gets correctly updated half of the time. So while multitasking in multiple tabs because the performance of that thing almost forces you to makes it a whole lot worse you are not protected from it if you don't. Example: you did work on ticket A and save that. You get redirected to ticket B you worked on this morning even though its fucking 5 o' clock in the evening. So of course you get confused over wherever you selected the right ticket to begin with. So you have to check that almost everytime.

Alright, rant over.
Let's see if i beed to make another one after their big 'all feature requests on hold, UI redesign, everything will be fixed and much better'-update.

So the new mass surveillance law will be going into effect from the 1st of January.

Of course, since I'm very keen on my security/privacy, I'm going to implement some precautions.

- A few vps's connecting to tor, i2p and VPN provider so that I can always use a secure connection.

- Setup anti tracker/ads/etc etc shit on the VPS's. Probably through DnsMasq and the hosts file.

- Use Tor browser by default. I've tried this for a while now and damn, the tor network has become way faster than only even a year ago! Some pages literally only take a few seconds to load.

- Wipe my laptop, encrypt the harddrive and at least put QubesOS on it together with probably a few other systems.

- Ungoogle my new phone, use it with VPN by default.

- Get rid of all non encrypted communication services. I think that only leaves me with a few account removals because I haven't chatted unencrypted for nearly a fucking year now.

If anyone has any more ideas, please share!

TGFLE - Thank God for Let's Encrypt

I respect what they're doing, and the certbot they offer.

Project Manager: You used a hash/salt to encrypt the password in our customer database?

Me: Yes.

Project Manager: That's mean we will not be able to see the password?

Me: That's the whole point. Why would you want to see what password customer is choosing?

Project Manager: Change it. Use random encryption method.

One of the quotes that applies to me

You, stupid fucking game, have just sent me my new password in plain text via email?

"the password is encrypted and cannot be sent again"???
So… you send the password in plain text, and only then encrypt it, right?
But it's still in plain text in your email logs, fucking bastards.

Hey @linuxxx
Why do you use Let's Encrypt now again? ;)

Pro tip: if you encrypt your message with ROT13 twice, the security is also doubled

Privacy & security violations piss me off. Not to the point that I'll write on devRant about it, but to the point that coworkers get afraid from the bloodthirsty look in my eyes.

I know all startups proclaim this, but the one I work at is kind of industry-disrupting. Think Uber vs taxi drivers... so we have real, malicious enemies.

Yet there's still this mindset of "it won't happen to us" when it comes to data leaks or corporate spying.

Me: "I noticed we are tracking our end users without their consent, and store not just the color of their balls, but also their favorite soup flavor and how often they've cheated on their partner, as plain text in the system for every employee to read"

Various C-randomletter-Os: "Oh wow indubitably most serious indeed! Let's put 2 scrumbag masters on the issue, we will tackle this in a most agile manner! We shall use AI blockchains in the elastic cloud to encrypt those ball-colors!"

NO WHAT I MEANT WAS WHY THE FUCK DO WE EVEN STORE THAT INFORMATION. IT DOES IN NO WAY RELATE TO OUR BUSINESS!

"No reason, just future requirements for our data scientists"

I'M GRABBING A HARDDRIVE SHREDDER, THE DB SERVER GOES FIRST AND YOUR PENIS RIGHT AFTER THAT!

(if it's unclear, ball color was an optimistic euphemism for what boiled down to an analytics value which might as well have been "nigger: yes/no")

Dear Prof,

One does not simply encrypt the exam tips and give it to the students in a computer security introductory module.

Sincerely,
Disgruntled Undergraduate

This is both creepy and useful at the same time.

Them: "Could you send the password in an encrypted mail?"
Me: "Yea sure, what's your GPG public key?"
Them: "What's that? Can't you just encrypt it?"
Me: "Nvm, do you have Signal?"

Last year, a customer bought a very expensive Symantec certificate for their website (that is not hosted by us).

They got the certificate and everything seemed nice. We got paid and all everything.

And yesterday, the customer called and said that their certificate has stopped working. I thought "that is strange" so I visited their site and what I saw was horrible.
The site has used and still used a Let's Encrypt certificate. The webdevs they have had not bothered to install the very expensive Symantec certificate for $1500...

Had a discussion with a developer about security. His software transfers all user data (password and files) unencrypted, so anyone can grab them with wireshark. I told him that this is a severe issue. He said no its no problem because if you get hacked its your own fault, because you probably used an insecure network. NO ! YOU FUCKING MALADJUSTED SHEEP-MOLESTING OBJECT OF EXECRATION, YOU SHOULD ALWAYS ENCRYPT SENSITIVE USERDATA NO MATTER WHAT NETWORK YOU USE. FUCKING KILL ME ALREADY.
Not implementing encryption is one thing but then acting like its no problem is a fucking nother one. Why do people not understand that security of userdata is important???

!rant && sarcasm

For a long time now I've been trying to convince people to use secure communication. I'm used to getting called "paranoid", but the killer phrase always was (and still is): "Why do you want me to encrypt my communication, I HAVE NOTHING TO HIDE, so I don't care who's reading it" - "It's not about hiding something, it's about private stuff staying private" - "Yeah, whatever"

"I have nothing to hide". That always killed the conversation... until I asked them to hand me their phones, unlocked, for 5 minutes.

"No" - "Why? I thought, you had nothing to hide and don't care who's reading it?" - "Uhmmm..."

More and more people around me are popping up in my Signal contact list.
Looks like they suddenly care a lot about private stuff staying private </sarcasm>

Downloaded Kubuntu because i couldn't seen to be able to boot from a freshly created KDE Neon bootable usb.

Installed it onto my netbook (Lenovo Thinkpad X121E) and it worked great!

But just the fact that somehow the installer froze when trying to setup hdd encryption kept bugging me.

Took a random flash drive which was laying around and put it in to see what would happen. KDE Neon booted just like this and everything worked very well with hdd encryption.

I now have a very secure netbook 😊

😐😓 oh shit!

Totally forgot 😳

Happy birthday Lets Encrypt 😁🤓😆
(just about a week late... 😅)

So there is a ransomware that after infecting a device checks its geolocation. If the device is in Russia it does not encrypt anything and is harmless.

I wonder which country is this malware from...

Storing passwords in plain text.

To be fair, it was a feature requested by the client, but still...

At least encrypt it man.

Just saw a shirt:
"Dance like nobody is watching. Encrypt like everyone is."

lol

Refreshing the Let's Encrypt certificates, one of them wasn't applying properly.. couldn't find the issue for like 15 minutes...

Eventually I realized that I was refreshing the wrong domain 😅

Let's Encrypt-- Opinions?

Lets encrypt!

No biggie, just forgot to renew my lets encrypt certs T_T

today i was asked to encrypt a public key, because "it's sensitive info".

a PUBLIC key.

smh

it's not even hard (literally 1 line of code), but come on...

I just read the rant: "I use base64 to encrypt my passwords". Found it hilarious!

But I can't believe the amount of people taking it seriously in the comments section! I see just one of these possible explanations.

A) They want to show off
B) They are unable to detect sarcasm
C) They have mastered trolling and I'm stupid

In case it's C, wouldn't this rant be considered as reverse trolling? 😎

ssl isn't free if you have to buy a domain

Might be nothing for others, but I finally published my Vue website with the following setup:
1. Vue inside docker
2. Nodejs API inside docker
3. MongoDB inside docker
4. Nginx as reverse proxy
5. Let's Encrypt

6. NO I WILL NOT SHARE THE LINK, don't want to be hacked lol and it is for personal use only.

But I'd love to thank devRant members who have helped me reach this point, two months ago I was a complete noob in Vue and a beginner in NodeJs services, now I have my own todo website customized for my needs.
Thank you :)

Can https be decrypted easily?
(Or even by spending some time)
Plus what other security methods banks apply to prevent theft of sensible data?
Do they encrypt data using thair own private key thet is changed automatically?

Zoom’s CEO says he won’t encrypt free calls so Zoom can work more with law enforcement:

“Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Yuan said.

I was working in a manufacturing facility where I had hundreds of industrial computers and printers that were between 0 and 20 years old. They were running on their own clean network so that someone has to be in the manufacturing network to access them. The boss announced that the executives will be pushing a “zero trust” security model because they need IoT devices. I told him “A computer running Windows 98 can’t be on the same VLAN as office computers. We can’t harden most of the systems or patch the vulnerabilities. We also can’t reprogram all of the devices to communicate using TLS or encrypt communications.“ Executives got offended that I would even question the decision and be so vocal about it. They hired a team to remove the network hardware and told me that I was overreacting. All of our system support was contracted to India so I was going to be the on-site support person.

They moved all the manufacturing devices to the office network. Then the attacks started. Printers dumped thousands of pages of memes. Ransomware shut down manufacturing computers. Our central database had someone change a serial number for a product to “hello world” and that device got shipped to a customer. SharePoint was attacked in many many ways. VNC servers were running on most computers and occasionally I would see someone remotely poking around and I knew it wasn’t from our team because we were all there.

I bought a case of cheap consumer routers and used them in manufacturing cells to block port traffic. I used Kali on an old computer to scan and patch network vulnerabilities daily.

The worst part was executives didn’t “believe” that there were security incidents. You don’t believe in what you don’t understand right?

After 8 months of responding to security incident after security incident I quit to avoid burning out. This is a company that manufactures and sells devices to big companies like apple and google to install in their network. This isn’t an insignificant company. Security negligence on a level I get angry thinking about.

Guys Quick Question 2 :

Should I Dance like no one is watching
and Encrypt like everyone is ?

Or do the opposite ?

Yesterday evening I began working on an SSL proxying system for dynamic domain names using Let's Encrypt. I finished just a few hours ago and it's working flawlessly!

tl;dr:
The Debian 10 live disc and installer say: Heavens me, just look at the time! I’m late for my <segmentation fault

—————

tl:
The Debian 10 live cd and its new “calamares” installer are both complete crap. I’ve never had any issues with installing Debian prior to this, save with getting WiFi to work (as expected). But this version? Ugh. Here are the things I’ve run into:

Unknown root password; easy enough to get around as there is no user password; still annoying after the 10th time.

Also, the login screen doesn’t work off-disc because it won’t accept a blank password, so don’t idle or you’ll get locked out.

The lock screen is overzealous and hard-locks the computer after awhile; not even the magic kernel keys work!

The live disc doesn’t have many standard utilities, or a graphical partition editor. Thankfully I’m comfortable with fdisk.

The graphical installer (calamares) randomly segfaults, even from innocuous things like clicking [change partition] when you don’t have a partition selected. Derp.

It also randomly segfaults while writing partitions to disk — usually on the second partition.

It strangely seems less likely to segfault if the partitions are already there, even if it needs to “reformat” (recreate) them.

It also defaults to using MBR instead of GPT for the partition table, despite the tooltip telling you that MBR is deprecated and limited, and that GPT is recommended for new systems. You cannot change this without doing the partitions manually.

If you do the partitions manually and it can’t figure out where to install things, it just crashes. This is great because you can’t tell it where to install things, and specifying mount points like /boot, /, and /home don’t seem to be enough.

It also tries installing 32bit grub instead of 64bit, causing the grub installer to fail.

If you tell it to install grub on /boot, it complains when that partition isn’t encrypted — fair — but if you tell it to encrypt /boot like it wants you to, it then tries installing grub on the encrypted partition it just created, apparently without decrypting it, so that obviously fails — specific error: cannot read file system.

On the rare chance that everything else goes correctly, the install process can still segfault.

The log does include entries for errors, but doesn’t include an error message. Literally: “ERROR: Installation failed:” and the log ends. Helpful!

If the installer doesn’t segfault and the install process manages to complete, the resulting install might not even boot, even when installed without any drive encryption. Why? My guess is it never bothered to install Grub, or put it in the wrong place, or didn’t mark it as bootable, or who knows what.

Even when using the live disc that includes non-free firmware (including Ath9k) it still cannot detect my wlan card (that uses Ath9k).

I’ve attempted to install thirty plus times now, and only managed to get a working install once — where I neglected to include the Ath9k firmware.

I’m now trying the cli-only installer option instead of the live session; it seems to behave at least. I’m just terrified that the resulting install will be just as unstable as the live session.

All of this to copy the contents of my encrypted disks over so I can use them on a different system. =/

I haven’t decided which I’m going with next, but likely Arch, Void, or Gentoo. I’d go with Qubes if I had more time to experiment.

But in all seriousness, the Debian devs need some serious help. I would be embarrassed if I released this quality of hot garbage.

(This same system ran both Debian 8 and 9 flawlessly for years)

Am I the only one who's getting more and more aggrevated about how the large youtube channels misinform and make out VPN providers (I am looking at you, Nord VPN, mostly) as the messiahs of the internet? How they protect our data that would otherwise be in incredible "danger" otherwise?

I understand they need clients, and I know most of the YT channels probably do not know better, but... This is misinformation at best, and downright false advertising at the worst...

"But HTTP-only websites still exist!" - yes, but unlike the era before Lets Encrypt, they are a minority. Most of the important webpages are encrypted.

"Someone could MITM their connection and present a fake certificate!" - And have a huge, red warning about the connection being dangerous. If at that point, the user ignores it, I say its their fault.

Seriously... I don't know if Nord gives their partners a script or not... But... I am getting super sick of them. And is the main reason why I made my own VPN at home...

When I just started making things in PHP, I always taught that md5 encryption was the best thing out there.. Once I learned that it was the most easy way to break I changed to SHA1. What were I thinking? I now use a custom generated SALT for each user and encrypt with SHA512, should be safe for a while, right?

Storing DB credentials in a repo that were encrypted using functions... that are in the same repo (both encrypt and decrypt!)...

That moment when it takes 4 hours to automate a task which would otherwise take 15min all 2 months to do manually.

half day gone try to find or remember the password of some SSL/key/encrypt/crt/shit/whatever.

Blaming myself for hours, how could I not save the password somewhere?

#Enter Password:
(I pressed enter, no password).
it works.

I love IT security

Ever encrypt files on a USB drive before?

Ever do that then forget the password you used for the encryption?

Yep... 😭

Guys, lets encrypt.

I have a mate who downloaded encryption software that he somehow managed to use to encrypt almost every system file in windows, now the entire thing is fucked, like how can anyone be that stupid? Like before he even did that he tried encrypting the .exe of the encryption software and guess how that went

Why have I not tried Let's Encrypt earlier? I love it

Yeah!! Waiting!!

When you misspell crypto.randomInt as .ransomInt and accidentally encrypt everything in your company's intranet.

When you spend 6 hours figuring out how to best encrypt/decrypt your unimportant website cookies just because you don't want people to see how bad you are at naming stuff :x

Did anyone else notice how setting up a letsencrypt.org certificate for a domain became a lot easier as this year went on? Certbot + automatic renewal was set up in four commands on my RasPi, I remember it being more difficult to set everything up 🤔

In today's episode of kidding on SystemD, we have a surprise guest star appearance - Apache Foundation HTTPD server, or as we in the Debian ecosystem call it, the Apache webserver!

So, imagine a situation like this - Its friday afternoon, you have just migrated a bunch of web domains under a new, up to date, system. Everything works just fine, until... You try to generate SSL certificates from Lets Encrypt.

Such a mundane task, done more than a thousand times already... Yet... No matter what you do, nothing works. Apache just returns a HTTP status code 403 - Forbidden.

Of course, what many folk would think of first when it came to a 403 error is - Ooooh, a permission issue somewhere in the directory structure!

So you check it... And re-check it to make sure... And even switch over to the user the webserver runs under, yet... You can access the challenge just fine, what the hell!

So you go deeper... And enable the most verbose level of logging apache is capable of - Trace8. That tells you... Not a whole lot more... Apparently, the webserver was unable to find file specified? But... Its right there, you can see it!

So you go another step deeper and start tracing the process' system calls to see exactly where it calls stat/lstat on the file, and you see that it... Calls lstat and... It... Returns -1? What the hell#2!

So, you compile a custom binary that calls lstat on the first argument given and prints out everything it returns... And... It works fine!

Until now, I chose to omit one important detail that might have given away the issue to the more knowledgeable right away. Our webservers have the URL /.well-known/acme-challenge/, used for ACME challenges, aliased somewhere else on the filesystem - To /tmp/challenges.

See the issue already?

Some *bleep* over at the Debian Package Maintainer group decided that Apache could save very sensitive data into /tmp, so, it would be for the best if they changed something that worked for decades, and enabled a SystemD service unit option "PrivateTmp" for the webserver, by default.

What it does is that, anytime a process started with this option enabled writes to /tmp/*, the call gets hijacked or something, and actually makes the write to a private /tmp/something/tmp/ directory, where something... Appeared as a completely random name, with the "apache2.service" glued at the end.

That was also the only reason why I managed fix this issue - On the umpteenth time of checking the directory structure, I noticed a "systemd-private-foobarbas-apache2.service-cookie42" directory there... That contained nothing but a "tmp" directory with 777 as its permission, owned by the process' user and group.

Overriding that unit file option finally fixed the issue completely.

I have just one question - Why? Why change something that worked for decades? I understand that, in case you save something into /tmp, it may be read by 3rd parties or programs, but I am of the opinion that, if you did that, its only and only your fault if you wrote sensitive data into the temporary directory.

And as far as I am aware, by default, Apache does not actually write anything even remotely sensitive into /tmp, so...

Why. WHY!
I wasted 4 hours of my life debugging this! Only to find out its just another SystemD-enabled "feature" now!

And as much as I love kidding on SystemD, this time, I see it more as a fault of the package maintainers, because... I found no default apache2/httpd service file in the apache repo mirror... So...

This is some real shady shit...
I was trying to set my office 365 account we got from school to gmail in my phone and this is what it wants to be able to do. In summary (Dutch screenshots):
- It can disable important safety features,
- Lock me out of my phone at any moment,
- Encrypt all data,
- Or just erase all of it
- And watch me while they do it

Nice.

Encrypt their hard drive

Ten ways to fail at public key cryptography, Today:

When encrypting a file for your coworker, encrypt for your own key instead of his/hers

A conversation between an offshore developer and his manager at a fortune 500:

I'm a software developer and the company I work for is a vendor for $manager's and $offshore_dev's company. They provide endless hours of entertainment/terror. Recently, we've been trying to convince them that they need to stop sending sensitive information plaintext over HTTP and set up TLS/HTTPS which has led to tons of fun conversations such as this one they had during a conference call:

* $manager: "Did $offshore_dev implement TLS1.2?"
* $offshore_dev: "Yes, we enabled a parameter in the code to enable TLS1.2 in the code but according to $me's email, this requires HTTPS in order to work."
* $manager: "No this works, we're using TLS in $other_application right now."
* $offshore_dev: "Well, $manager, it's implemented but it currently doesn't encrypt anything as such."
* $manager: "Okay, HTTPS is in the roadmap in the next quarter, we can move forward without this for now."

Decrypt api responses in an iOS app which my “senior” dev thinks it is more secure to encrypt responses in stead of setting up a proper SSL cert (they use plain http to save money 🙄)

They disable the encryption since it does not function as we wanted and set up SSL instead🙄

In an encryption-module, I had a bug, that caused my PC to crash, every time I tried to encrypt something.
Turns out, the loop, that appends
0-Bytes to the string, to make it Block-Cipher compatible,
Had an logical-bug in its exit-condition, that caused it to run infinitely and allocate an infinite amount of memory.

I've finally found a goldmine of accurate job listings that don't include Windows shit-administration... So I'm thinking of sending out applications to all of them. Problem is, as you might recall from my previous rants, I had a flash drive with my GPG keypair on it stolen from me. I still haven't fully replaced the key (I made another one and published it but I'm not using it yet), and because I'm fairly confident that this flash drive's data has never been used (so likely just plugged into Windows and formatted), it's unlikely that I'm gonna bother rotating all of the contents that were on that flash drive.

That said however, my emails now all have signatures underneath them as follows:
Met vriendelijke groet / Best regards,
[my name]

- My outbound email is usually signed with my private key. If not, please don't hesitate to ask me about it through a different communication platform.

IMPORTANT: My keys have possibly been compromised. An encrypted flash drive on which this GPG keypair was stored has been stolen from me. I'm in the process of phasing out and replacing this key. Please do not use it to encrypt any emails to me anymore.

Not entirely sure whether I should remove or keep that last bit. As a potential employer, would you see this as a red flag (he's got encrypted data stolen from him, wtf that's incompetent), or as a nice thing to know that it was properly disclosed (so no secrecy around potential data breaches)? Both seem equally likely so I'm a bit confused about what I should do.

Thought;
Why is there not much support behind the open and free CA "CACert" that has been around much longer then Let's Encrypt?

Because I am very interested in cyber security and plan on doing my masters in it security I always try to stay up to date with the latest news and tools. However sometimes its a good idea to ask similar-minded people on how they approach these things, - and maybe I can learn a couple of things. So maybe people like @linuxxx have some advice :D Let's discuss :D

1) What's your goto OS? I currently use Antergos x64 and a Win10 Dualboot. Most likely you guys will recommend Linux, but if so what ditro, and why? I know that people like Snowden use QubesOS. What makes it much better then other distro? Would you use it for everyday tasks or is it overkill? What about Kali or Parrot-OS?

2) Your go-to privacy/security tools? Personally, I am always conencted to a VPN with openvpn (Killswitch on). In my browser (Firefox) I use UBlock and HttpsEverywhere. Used NoScript for a while but had more trouble then actual use with it (blocked too much). Search engine is DDG. All of my data is stored in VeraCrypt containers, so even if the system is compromised nobody is able to access any private data. Passwords are stored in KeePass. What other tools would you recommend?

3) What websites are you browsing for competent news reports in the it security scene? What websites can you recommend to find academic writeups/white papers about certain topics?

4) Google. Yeah a hate-love relationship, but its hard to completely avoid it. I do actually have a Google-Home device (dont kill me), which I use for calender entries, timers, alarms, reminders, and weather updates as well as IOT stuff such as turning my LED lights on and off. I wouldn"t mind switching to an open source solution which is equally good, however so far I couldnt find anything that would a good option. Suggestions?

5) What actions do you take to secure your phone and prevent things such as being tracked/spyed? Personally so far I havent really done much except for installing AdAway on my rooted device aswell as the same Firefox plugins I use on my desktop PC.

6) Are there ways to create mirror images of my entire linux system? Every now and then stuff breaks, that is tedious to fix and reinstalling the system takes a couple of hours. I remember from Windows that software such as Acronis or Paragon can create a full image of your system that you can backup and restore at any point to get a stable, healthy system back (without the need to install everything by hand).

7) Would you encrypt the boot partition of your system, even tho all data is already stored in encrypted containers?

8) Any other advice you can give :P ?

Am I the only one who thinks OSX is stupidly insecure unless you encrypt the whole disk? I mean, how dumb is it to boot into safe moot and provide a root shell without prompting for credentials?

I need to encrypt some large files at rest and then decrypt them immediately prior to processing.

App and files are on a Linux system (CentOS). App is in C. Machine is controlled by a third party.

What encryption libraries would you recommend? And, is there any clever way of managing the decryption key beyond compiling it in the code and doing some basic obfuscation?

Are they fancy obfuscation libraries out there, for example?

And, the reason I'm not going to SO (well, one reason) is that I don't want to have 50 answers that tell me that's it's impossible to 100% protect data on a machine you don't control. This I understand---just looking for "best effort" solution.

My IT-teacher has a website. Aside from it looking like from 1980 (which is ok), he has a "security js Mail decryption":
In his page there is a <script> with a simple yet custom de/encrypt function. Then his E-Mail is an <a href="javascript:mailto:function('rubberish173848'>private email</a>. (Or something like that)

You can just run this link (open email app and read it) or use the same function and same href in the browser console and read it. It sounds so stupid.

(Yet I figured out he probably doesn't want bots to spam his mail, so maybe I am stupid)

Mozilla really knows how to nudge one to not use email encryption by default.
Since Thunderbird has native support for OpenPGP encryption, i can only chose to encrypt all or no messages by default. There is no opportunistic mode and there are no per-reciepient encryption preferences. The Enigmail addon had both.
So i obviously have gone for encrypt-by-default.

But since then, whenever i want to send a message to the majority of my contacts, i have to manually disable the encryption or get annoyed by the no-key-found dialog.
I thought, i would get the muscle memory to just disable encryption for recipients for wich i don't expect to have a key.
But they also made the GUI so i have to open a dropdown and then click on the right item to do that. All the items basically look the same, as there is no color coding or specific icon for them. The item labels are also too long for unconscious pattern recognition.
So i didn't got that muscle memory.

I now have turned off encryption by default and will probably forget to enable it for some emails wich i actually could send encrypted...

Docker with nginx-proxy and nginx-proxy-le (Lets Encrypt) is fucking awesome!

I only have to specify environment variables with email and host name when starting new containers with web servers, and the proxy containers will automatically make a proxy to the new container, and generate lets encrypt ssl certificates. I don’t have to lift a fucking finger, it is so ducking genius

When nginx decides to just NOT answer to any IPv4 requests, áfter 2 weeks of having it set up for IPv6, just because I updated the Let's Encrypt certificate..

self::facepalm();

Hey fellas, especially you security nerds.

I've had asymmetric encryption explained to me a number of times but I can't get a handle on it because no example actually talks in human terms. They always say "two enormous prime numbers", which I understand, but I can't conceptualize.

Can someone walk me through an entire process, showing your math & work, using some very small, single- or double-digit primes? Such as if I were to encrypt the text "hello world" using prime numbers like 3, 5, and 7

Anyone else use Let's Encrypt? That is the easiest took for SSL yet.

Coolest bug is less of a bug and more of a feature. I've been working on a medical app and I used an open source backend which had almost everything I needed. To be hipaa compliant you have to encrypt all sensitive data - full db encryption was not something this backend was capable of.

So my solution was to encrypt the data on the client side and create a secondary server - that can only be accessed on my app server - to store and retrieve the keys.

If anyone's thinking of working on a HIPAA project - you're welcome

I found out that apache had built-in support ( via a module - mod_md ) for automatic TLS certificate management with Let's Encrypt since October 2017.

Bloody Hell! Why didn't I hear of this sooner?

So, I ran off into my cloud to set up this so-called ManagedDomain ( mod_md ).

Found the module in the package repositories, installed it and started testing it out.
I started writing IfModule conditions under mod_ssl so that I wouldn't have to overwrite my existing TLS configurations ( which was already issued by Let's Encrypt via certbot, by the way ).

After a whole night of twisting and turning with the configurations, it turns out that the module in the package repositories were built for ACMEv1 and that API has been dead for as long as the module has been around.

I had noticed that the module was 'experimental', but I still hoped that they had the packaged the module.

Finally, I cozied back up with certbot. At least, until this so-called mod_md becomes stable and mainstream.
I hope certbot doesn't make a fuss. I'm sure, it got offended that I was trying to cheat it with mod_md.

Maaaan, we all knew it was coming, we were warned, again and again, yet still, when Lets Encrypt's old root CA expired today, we found out a tool we were using to get new certs (Not cerbot, custom wrapper around acme-tiny) included the old root in the chain.

So... A few hours ago, some of our servers started having connection issues.

Great final 3 hours of today. Better luck next time I guess? Still, despite the little hickup, Lets Encrypt still remains as one of the biggest revolutions in the adoption of SSL, they're the good guys.

That moment when you convince your team's project manager to finally encrypt the config files before comitting them to source control..

Malwares are nasty applications, that can spy on you, use your computer as an attacker or encrypt your files and hold them on ransom.

The reason that malware exists, is because how the file system works. On Windows, everything can access everything. Of course, there are security measures, like needing administrator permissions to edit/delete a file, but they are exploitable.

If the malware is not using an exploit, nothing is there to stop a user from unknowingly clicking the yes button, when an application requests admin rights.

If we want to stop viruses, in the first place, we need to create a new file-sharing system.

Imagine, that every app has a partition, and only that app can access it.

Currently, when you download a Word document, you would go ahead, start up Word, go into the Downloads folder and open the file.

In the new file-sharing system, you would need to click "Send file to Word" in your browser, and the browser would create a copy of the file in a transfer-partition. Then, it would signal to Word, saying "Hey! Here's a file that I sent to you, copy it to your partition please!". After that, Word just copies the file to its own partition, signals "Ok! I'm done!", and then the browser deletes the file from the shared partition.

A little change in the interface, but a huge change in security.

The permission system would be a better UAC. The best way I can describe it is when you install an app on Android. It shows what permission the app wants, and you could choose to install it, or not to.

Replace "install" with "grant" and that's what I imagined.

Of course, there would be blacklisted permissions, that only kernel-level processes have access to, like accessing all of the partitions, modifying applications, etc.

What do you think?

>>Server sind für mich "Neuland".<<

I want to switch to a new server with my website. I have a bunch of questions and hope you beautiful people will help me out.

1. I've decided to switch from shared hosting to an virtual server. Therefore I am going to rent the cheapest VS from hetzner.de. is this a good choice?

2. What do I have to care about and what stuff there is to be done in the beginning?

3. The reasons I want to switch are more root accessibility and I want to switch to https. What about that? Is let's encrypt enough?

4. How do I move the server from a to b?

5. What OS should I choose?

6. What about security?

7. Any further advice from experienced people is welcome!

Sry for those noob questions, but I've never been in touch with server work...

void encrypt(...) {
[...]
output.Write(iv);
output.Write(salt);
[...]
}

void decrypt(...) {
[...]
input.Read(salt);
input.Read(iv);
[...]
}

Took me 2 hours to figure out why it kept giving me decryption errors :/

Recently we started to encrypt all our PHP code.
To hide the code that we use to unauthorized people.

A new intern deleted ALL the encrypted and uncrypted files from all the servers (Also our backup server) saying
"I thought it was a Cryptolocker".

Now I can fucking start to find it all back and maybe even recreate our system and fucking crypt everything again.

I am trying to "invent" secure client-side authentication where all data are stored in browser encrypted and only accessible with the correct password. My question is, what is your opinion about my idea. If you think it is not secure or there is possible backdoor, let me know.

// INPUT:
- test string (hidden, random, random length)
- password
- password again
// THEN:
- hash test string with sha-512
- encrypt test string with password
- save hash of test string
// AUTH:
- decrypt test string
- hash decrypted string with sha-512
- compare hashes
- create password hash sha-512 (and delete password from memory, so you cannot get it somehow - possible hole here because hash is reversible with brute force)

// DATA PROCESSING
- encrypt/decrypt with password hash as secret (AES-256)

Thanks!

EDIT: Maybe some salt for test string would be nice

I plan in doing some minor Android app development for a side project when my exams are over (which is in two weeks, yay), but other than using Android on day-to-day basis I'm a total n00b when it comes to development.

I want to write a little app that can communicate with a BLE device. It should encrypt said communication.

I know some python and thought about using Kivy as a frontend since it's cross platform compatible (perhaps I'll make a Linux client, too). But I have no idea whether that's a good idea. Do I absolutely need Java? D:

So - where does one start? Tutorials/books welcome.

I'd like to locally encrypt files before syncing it with the cloud; what's the "best" software available for this?

I'm currently switching to STACK as my cloud service (it's a file hosting service for Dutch people that offers 1TB of free storage).
But I don't feel fully comfortable with them having access to all my personal data.

So I came to the conclusion that it would be best to locally encrypt files before syncing it with STACK. I DuckDuckGo'd but there seems to be a lot of software available for this so I'm not sure which one to use.

Which one could you recommend me? I'd prefer a free software but I'm okay with paying as long as it isn't too expensive.

So, in my second semester of CS I had a class about OS and the way they work. The professor made us do presentations every two weeks (we were basically giving the class...).

For full points we had to have the presentation, an example (video or pictures), and an activity.

My team was one of the last presentations of the first round (iirc there were 5 rounds). I was in charge of the activity, so I decided to create a program to make it fun (and leaned a new language in the way). Thanks to this the professor gave us extra credit because we were the first team that ever did that.

My classmates decided that it was a good idea to follow my idea and a couple of teams started to code their activities too. At the end of the semester almost every team had a program as their activity...
But the professor didn't gave them extra credit because it wasn't a novelty anymore. :D

In another round, my team got as a topic encryption. By the time I was already a Linux user and I knew a thing or two about encryption, so I decided to do the example in real time showing how to encrypt and decrypt using command line. Once again we received extra credit because of it. :D

At the end of the semester the professor offered me a job as a developer, but I couldn't take it since I moved out of the country the next month :(

Does anybody uses Lets Encrypt ? Is it reliable ?

Best way to encrypt a password.
Any language.
Go.

Note to self.. Check how your backup restore works before actually needing it...

Coworker got ransomware to his computer via targeted attack and managed to encrypt about 6000 files on Google Drive share... Which I have backed up. However there are a total of 100k files so total restore is not an option and with 60 users updating things can't do point in time restore either... And thanks to the backup softwares buggy cmd line interface I can't create command line script to restore the files one by one... So in the end I most likely need to restore via sluggish gui one by one...

I fucking hate people who uses complex words to describe something simple.

Describing a frame work

Show-off : "..you can define what objects/tables to expose, what values in that object you want to expose...if you are using some orm, then because you have models defined. Once you update your model, your endpoints get the new model..."
Simpleton : "something like parse..."

Wtf is 'fixedUUID'?

Show-off: "..hardcoded UUID is fixed (constant) value, with format of UUID, hardcoded UUID will be unique value between backend and frontend,
you will need to store it as constant value in your codebase ( we may encrypt/ decrypt it for security reasons)..."
Simpleton : "a secret password only u & I know"

--why whyyyyyyyyyy

Thinking back, it’s pretty terrible how long it took to create my first real development project.

When I was the ages of 13-18 I built websites on and off but I would never consider them good enough. I would literally design a bunch of images and then, using just HTML, put all the images together like a puzzle using exact pixel locations. Might be fine and dandy now but back then it would look great on my monitor but on others it would be an absolute mess.

Anyways, after that I got in college and started learning C++ and did assignments but I don’t count those as my own either. Not until I was 29 (my current age) did I finally develop a program assigned by my internship. Prior to that I always just re-learned C++ over and over again off and on because I had no clue where to go after that.

Apologies for the long intro. So the first development project that I feel is legit at my internship I had to use my companies API to track the amount of time it took for them to encrypt a packet and then decrypt it as well as grabbing the packet and seeing how long the hash was, the letters used in which position and so on. Essentially grab a whole bunch of statistics from their software and then output it to an excel document. It had a menu, and I had to make it work on Windows, Ubuntu, Raspbian, and some other systems on different devices.

I was actually really proud of what I ended up with and they use it to test their new versions and compare and so forth.

Working on implementing a new networking layer for business security requirements...but the requirements were talked about in backdoor "special" meetings; "lowly" implementation engineers aren't allowed in. God knows the engineers implementing the solution don't need to know requirements for what they are implementing 🙃

"Just encrypt everything!"
Oh sure let me just pull out my magic button 🤬

So I thought of applying for masters, mainly coz work's been boring af -_- i'm not having Fun. like. at all.

Masters in CS would need a research topic and the one I was/am interested in is "WebRTC", with the topic being tryyyying to figure out a way to hide the actual Peer IPs and come up with a Standard 2.0 of WebRTC or a derivative standard

I was looking into Research Papers already written on WebRTC to get a feel on what's already been attempted or tried
And omfg the word-vomit :v

The whole paper had 0 substance and their "research" was that "we'll encrypt Packets with SHA256 so it'll be secure" like bruh -_-

Crypto. I've seen some horrible RC4 thrown around and heard of 3DES also being used, but luckily didn't lay my eyes upon it.
Now to my current crypto adventure.
Rule no.1: Never roll your own crypto.
They said.
So let's encrypt a file for upload. OK, there doesn't seem to be a clear standard, but ya'know combine asymmetric cipher to crypt the key with a symmetric. Should be easy. Take RSA and whatnot from some libraries. But let's obfuscate it a bit so nobody can reuse it. - Until today I thought the crypto was alright, but then there was something off. On two layers there were added hashes, timestamps or length fields, which enlarges the data to encrypt. Now it doesn't add up any more: Through padding and hash verification RSA from OpenSSL throws an error, because the data is too long (about 240 bytes possible, but 264 pumped in). Probably the lib used just didn't notify, silently truncating stuff or resorting to other means. Still investigation needed. - but apart from that: why the fuck add own hash verification, with weak non-cryptographic hashes(!) if the chosen RSA variant already has that with SHA-256. Why this sick generation of key material with some md5 artistic stunts - is there no cryptographically safe random source on Windows? Why directly pump some structs (with no padding and magic numbers) into the file? Just so it's a bit more fucked up?
Thanks, that worked.

Dance like no-one is watching,
Encrypt like every-one is!

What's your thoughts on the newly released .app tld? Is it going to be the new .io?
It also seems like Google provides TLS certificates for free to all .app domains. I know there's let's encrypt but I still think that this is great. Google is really pushing a more "Secure" internet.

Well fuck...

Korora 26 finally came out and I wanted to install it on my new laptop. I'd previously put Ubuntu MATE on there, with Cinnamon kind of tacked on, but it wasn't great, mostly because it wasn't Korora.

Unfortunately, Korora (and Fedora) still have a bug in the installer where it will complain if your /boot/efi partition is not on /dev/sda, which in my case it was on my M.2 drive. However, I was able to eventually get it working.

But when I booted it up and tried to log in, it would take me back to the log in screen. I logged into a TTY, where I was reminded that when I had set up my Ubuntu install, I had chosen to encrypt the home folder.

Not knowing how to set up the eCryptFS with an existing encrypted home folder setup, I opted to wipe the drive and reinstall from scratch--I had a backup of most of my files from the Ubuntu installation. However, I lost some very important documents that I'd set up since then.

Fast forward to today where my laptop won't boot unless it is either a.) unplugged with just the battery or b.) plugged in without the battery, with a different power cable from the one I got with the computer.

Thankfully the people responded quickly after I mentioned I was having issues. Hopefully it doesn't get worse...

Am I missing something here? Lets Encrypt auto renews SSL every 90 days....BUT it will fail if you have .htaccess re-direct set up to https. So you would have to switch off the https redirect, manually renew, then switch it back on again. Thats fucking crazy. I can’t find a way round this. The hosting co set this up but are encouraging people to buy one of theirs when the renewal fails. a cunning plot to get more of their own SSLs. Any ideas?

So I apparently forgot to encrypt some parameters when sending error reports from our app to the server.
Which means the server tried to decrypt them but couldn´t and just threw an error...

No error logs for the app this week I guess. Yay!

I need "git reset --hard head~1" for my brain this weekend, to get rid of this week...

Spent a couple hours trying to obtain an SSL certificate to encrypt my site last night... No luck so far. It kept saying it doesn't have access, when I verified that nginx serves to port 443...

My uncle is interestes in security, but personal security, he wants to be more peivate. So he told me he had installed Kali linux and got a course it, so I tried to explain him that this is more of a professional thing... that he needs something else.. and so he asked me: "What do I need, which book can I buy?"

I didn't really know. For me it's common sense to get a NAS, maybe have a laptop that is never connected to the internet, or maybe encrypt trafic encrypt hard disks.

But is there a book for that? You have 30 seconds to shine, how would u respond?

Okay I'm probably going to get flak for this but...

WhatsApp chats are apparently e2e secure. Except when you back them up, right? Why not, when you create a backup (iCloud, google drive, whatever), have the app generate a password protected key pair and use that to encrypt/decrypt the backup?

When restoring the backup, use the password you set for the key et voila! While at rest, that backup is still encrypted.

Or have I missed something completely?

Is there an encryption/decryption algorithm that's guaranteed to have an output of less than 100 chars? Say to encrypt messages less than 50 chars in length

Had a Nas with a single 3tb seagate HDD in it.
It ran well for half a year and it was my main backup and a time machine for my dad.

The time came that my budget was allowing a second drive for redundancy so I powered it off, added the second drive and powered it back on.

😐😓😧😭

The drive did indeed die and yes, it was one of those drives with an extremely high failure rate.

My dad was pretty mad that his backups were gone even though he didn't need them.

So my biggest lesson from this was to always encrypt such drives because dads backup wasn't and my files and such weren't either, so someone could restore our hole life's from the drive.
So I can't Rma that fucker.
Zfs at rest encryption ftw!

By the way, writing this I noticed that I didn't need to power the Nas down to add the second drive....
Ffffffffuuuuuuuuucccckkkkkk.

Another more recent thing was a refurb 4tb we red that I bought used for a bargain.
It reported 2 unwritable sectors but I didn't care for the money.

After about a month, it died.
The interesting part is how it died.
It spinns up, gets detected, you can access the data.
You can copy the data.

But after a few moments of continues load, all operations start timing out and the drive either disconnects completely or the zpool degrades and shuts down.

In the first case, replugging brings the drive back untill it does it again.

On zpool degradation only a reboot brings it back.

Put a fan on it in case it was overheating but that didn't fix it.

I am so done for today. I was trying to get this encryption work in Rust, but no fucking way. If I encrypt data in PHP, it is just impossible to decrypt them in Rust. If I encrypt something in Rust, I can decrypt it anywhere, but not the other way around.
I checked the data hundred times and they are exactly the same in both programs. Also OpenSSL library in Rust is so helpful, that it won't show any error details except that there is an error.
Fuck my life!

How to convince my boss to use Let's Encrypt instead of paid SSL ? So hard.

I recently came across this article with some basic security advices, like use 2fa security key, encrypt your USB keys, don't use untrusted USB chargers / cables / ports (or use a data blocker cable if you need to charge your device). It made me think, how relevant are the USB-related threats and risks today? Do people really still use and carry so many wired USB devices, and just drop or plug them wherever?

The last time I used an USB device to transfer some important data was probably over 10 years ago, and for the love of god I don't know anyone who still carries an USB key with sensitive data with them on a daily basis, much less actively uses it. Besides, whoever still does that probably puts their USB key on the same keychain as their ID / access tag and a bunch of other keys (including a 2fa device if they use one) - they're not going to lose just some sensitive data, they're going to lose authentication and physical access devices as well, and that could turn a small data leak into a full-scale incident, with or without an encrypted USB device.

I'm also not sure about untrusted USB cables and ports, from what I've seen the USB outlets and cables are pretty much non-existent in public places, most places offer wireless charging pads instead (usually built into a hand rest or table surface).

Fucking dot files...
Written a deployment script to reduce the amount of another dude's fuck ups when updating code on the server. Apparently the website executable automatically generated TLS certificates (let's encrypt) and placed them into the local hidden folder.

There is a limit on how many certificates a single domain can generate so... The website is down...

How do y'all approach media-endpoints?
Specially publicly accessible user-uploaded media

Rn I encrypt the path to the media-
/file and expose it, decrypt on the server (returning a relative file-path) which then fetches the file via File.Read and returns it as-is

I put a cache header and works fine

But something in the back of my mind makes me feel it isnt right

Like, normal endpoints and file-read endpoints shouldnt be in the same backend, potentially affecting each other

But since it's just a fun pet project so Im not paying for a 2nd baremetal server as a CDN/media server -.-

Worst case scenario I use it as-is, but would appreciate hearing other approaches

Been wondering about something and can't figure out if I am a retard or a genius 😂.

If MD5 is so outdated and should not be used to store password hashes (let's say for whatever reason you cannot effectively switch to another algorithm) wouldn't it just be easier and more secure to just re-encrypt the hash again, so just MD5 the MD5 hash... in theory, wouldn't that make the hash virtually uncrackable because instead of trying to brute force actual real words, you now have a hash of essentially random characters which have no relation to the others, and even then, suppose you manage to crack the hash, you will get another hash to crack before getting to the password?

Do you guys think that lets encrypt is fine or should I buy a Comodo cert for my personal website?

Have been searching on this topic alot lately, but I cant find any good solution, in my opinion.

I have a system where I want to encrypt some data in the database, so it isn't in plain text, but how would you do it properly?
It has to be decrypted to view the data in the system, but how to manage it?

How can I store the keys in the right way? In my current trial, I have a encryption key and an iv, but wouldn't it be wrong to store the encryption key in the config file?

Can't really see how to grasp this the right way and in the same way have it as secure as possible.
Is it just stupid in general?

Last employer -- a major health care insurance carrier -- had over a million current and former subscribers data in SQL database with no encryption on SSN or other personally identifiable information. I reported this as an issue, and was told that since they had intrusion detection, etc. they don't need to encrypt the data. Guess they have never heard of zero day vulnerabilities or disgruntled employees?

New ad self-service portal too hard to integrate ssl and can't have users send their passwords in plaintext.

Setup apache proxy with ssl in same vpc to encrypt traffic to and from vpc.

All good as long as nobody is in my vpc sniffing traffic...

Quick question, if anyone knows.
Does Wireguard encrypt traffic end-to-end or only between neighbor peers?

!rant

Someone posted a link to a 30-day-security-challenge here on devRant some time ago and I just thought well, why not try to migrate away from the big companies - I've been using OneDrive as my only cloudstorage since the time when it was called SkyDrive and I've been hosting my Emails at outlook (via Live Custom Domains, a service that does not even exist anymore) for about 8 years now. Since I've always been lazy and since exchange activesync is a great feature if you have multiple calendars and want to sync them and your contacts to several devices I never tried to switch but now I am half done with migrating my data to my own nextcloud installation and my emails to my own mail server - since I don't want to loose the exchange functionality I am also setting up Z-Push and oh boy, this thing is bitching around but my webmail is already nicely integrated into nextcloud, IMAP / SMTP is up, configured and secured (still have to mess around with spamassassin as this email adress is floating around the web for about 10 years now). The only things to do is to get Z-Push work with STARTTLS and the card/caldav backend running and then the basic setup should be done.

I am just wondering if someone could hand me over a guide on how to sign / encrypt emails (GPG?)

Trying to install Ubuntu and just wondering which is better?
Encrypt for security
Erase and Install
Use LVM