A scammer called me today. They were saying that harmful files were moved to my computer and they needed to remove them. I don't think they are ever going to call me again.

S = scammer; M = me;

S: this is tech support we need access to your computer because we detected harmful files and need to remove them.
M: oh my! Hold on, let me go to my computer now. How can you access it?
S: we can just use RDP and delete the files. They are in a hidden folder that is encrypted so this Is the only way.
M: oh ok I believe you. Hm... it looks like my son only allows certain IP addresses to access our computers.. I don't know how to disable this so can you just email me your IP address?
S: Sure...

He then sends me his actual IP address... it doesn't even look like a proxy or VPN.

M: oh my I forgot that you need my password to login. It's really long and complicated... can I just email it to you?
S: Sure!!

I then tell him to hold on I have to find it that my "son" stored it somewhere.

At this time I'm taking a photo of my bare ass and attaching it to the email. I then say in the email "Please note what my job title is in my signature.. I just sent the FBI your name, phone number, email, and IP address. Please enjoy my bare ass, you'll see a lot of it in prison."

I got a PGP-encrypted email today, from my wife.
I am so proud

So I just wrote a Ruby script to encrypt some files in AES.

I started it, it's designed to show the key when it's finished. It encrypted 7 files, then Kaspersky pops up and deletes my entire Ruby installation.

okeh

Fucking awesome. The 'encryption backdoor law' in Australia went through!

Now, whenever served with such warrants, companies which are active in Australia will have to pay hefty fines if they don't give encrypted messages to law enforcement in readable form. No matter whether this means just decrypting it with the keys they have or pushing backdoors/inject code into the messaging apps/services in order to extract the contents.

Now let's see how much the big companies really care about their users! (I'd expect them to pull out of Australia but the chance that this'll happen is as tiny as about nothing)

In a meeting after I explained that the user passwords will be encrypted before we save them in the database

Them: "Please don't do that, we don't want to change our clients data"

Me: " so we should save the clear text?"

Them: "Yes"

😒

Had a conversation with someone a little while ago. I opened my email app (TutaNota) and he asked what the hell that email thingy was. Explained the encrypted/privacy reasons.

"Why would you encrypt everything?"

Because I have stuff to hide. Do you?

"Nahh I just use outlook, I have nothing to hide".

Told him to email me all his usernames/passwords, bank statements, porn preferences, emails, messages etc etc.

"But that's private data!".

Exactly.

"But I thought you meant like crime/illegal stuffs etc"

Nope. I just asked if you had anything to hide, you interpreted that as having anything non-lawfully to hide. I never even asked anything in relation to non-lawful stuff.

Because, having something to hide doesn't mean it's criminal/illegal, it means you'd like to keep that stuff private.

'Normal' people when they get a new phone:
- install whatsapp
- install Facebook (or other social media)
- install regular email app

Me:
- Root phone
- Install app ops
- Install Signal
- Install encrypted email services' app
- Install firewall
- Install devRant

Anyone else like me here?

‪I use Linux because I enjoy unexpectedly learning how to mount an encrypted disk after a software update deletes the boot directory... on a Thursday night while other people drink beer.

Story time:

I was once working on a project that dealt with incredibly sensitive financial data.

We needed a client’s database to do a migration.

They wouldn’t send it over the internet because it was too big and they didn’t think it would be secure.

They opt to send it in the post on an encrypted usb drive.

(Fair enough thinks I)

USB drive arrives.
Is indeed encrypted.

MFW there’s a post it note in the envelope with the password on.

MFW this is a billion dollar multinational petrochem company.

MFW this same company’s ‘sysadmin’ and ‘dba’ once complained because a SQL script I sent them didn’t work - they’d pasted it twice and couldn’t work this out from the fucking “table already created” error message management studio was throwing at them.

Had three servers running in prod. For extra security all of them were encrypted (hdd encryption) just in case.
"mate, servers need a quick reboot, that alright?"
Me: yeah sure!
"oh hey they're encrypted, what's the password?"
Uhm.....
😐
😓
😨
😵😨😮😧😫
😲😶😭

Yeah, i also forgot to turn on the backup process...

Facebook publicly announced that it won't build a backdoor into its services for the intelligence agencies as for the latest requests to weaken/remove the encryption.

I can only imagine the intelligence agencies going like this now:

NSA director: Alright, as expected they said no so they won't have more damage to their public image, lets go for plan A 2.0!
NSA employee: Aaaand that is?
NSA director: Serve them a FISA court order requiring them to do this shit anyways but also serve a gag order so they can't tell legally.
NSA employee: Ahh, fair enough, I'll get that rolling. By the way, how did we do this with WhatsApp's encryption again?
NSA director: Oh that one was simple. There's a backup function which nearly everyone uses on either Android/iOS which does plaintext backups to Google Drive/iCloud.
NSA employee: Oh, okay. How do we access that data again?
NSA director: PRISM/XKeyScore!
NSA employee: Right, but then still the issue of how we even collect the encrypted messages from Facebo...
NSA director: PRISM/XKeyScore as well, don't worry about that.
NSA employee: But, how'd we justify this....?
NSA director: We probably never have to as these programs operate outside of the public view but otherwise just call terrorism/pedophelia... BAM, done.
NSA employee: Gotya, let's put this into motion!

So I work in IT for the police. I just received an "unneeded" encrypted smartphone.

I had to reconfigure it, in order to give it to the next policeman. Unfortunately nobody knew the password and there is actually no way to reset this damn thing.Trust me, i did my research.

About 2 days later i receive an angry call by the policeman that should be using the phone by now.

Policemen: "Why is my phone not ready yet?"
Me: "it's encrypted and nobody has the password."
Policemen: "Well just ask the previous owner then!"
Me:"It's a little difficult..."
Policemen: "Why?!?"
Me: "He shot himself."

When someone explains to me that they really care about their privacy and use WhatsApp or signal or other encrypted messaging services and then you see then typing stuff through the GOOGLE KEYBOARD.

Yeah i think they're not understanding something 😆

Da Fuck!?!
Yesterday I found some abnormal activity on my server, someone was trying to brute force my ssh as root since two days! Started raging and installed fail2ban (which automatically bans an IP if it fails to log X times and eventually sends me an email). Woke up this morning to find that a fucking Chinese guy/malware spent the whole night trying to brute Force me!
Fucking cunt! Don't you have any better to do!!
My key is a 32 characters long encrypted key, with the ban he can try 3 passwords /2 hours, good luck brute forcing it you bitch!

For the Dutch people on here, the new surveillance law in short:

- dragnet surveillance, data retention of normal data is a maximum of 3 years, encrypted data up to 6 years.

- secret DNA database, data retention up to 30(!!) years.

- use of 0days without having to report them to the vendors.

- third parties may be hacked to get to main targets; if my neighbor is suspected they may legally hack me in order to get to him/her.
Cleaning up (removing backdoors etc) afterwards is not required.

- sharing unfiltered (raw) data gathered through dragnet surveillance with foreign intelligence agencies is permitted, even if it's to a country which doesn't have as much 'democracy' as this country does.

Decide for yourself if you're voting (at all) against or in favor of this law, I'm voting against :)

We do need a new/reformed law, this one is just too intrusive imo.

Alright people, let's make our own free, decentralized, p2p encrypted Internet.
How does that sound?

The Irish minister Rudd said today (for the second time I think) that 'WhatsApp gives terrorists a safe place to hide and execute their activities. Might be a good idea in the future to ban encrypted chat apps'. (not literally like that but it's a good summary of her points)

Imaginary dialog:

"okay so encrypted chat apps help terrorists and criminals to execute their activities"

"Alright, let's ban water then!"

"Wait what why would you ban water?!? How will ordinary people be able to drink then?"

"Why would you ban encrypted chat apps? How will ordinary people be able to communicate securely?"

😐
😶
😮
😧
😓

A US senator or judge or whatever his title is said today that he wants companies/governments to build a 'responsible encryption' system.

Preferably that would exist out of a big ass database which stores the private keys of citizens so in case a person loses their private key or the government needs access to encrypted content, that is possible.

NOO, WHAT COULD FUCKING POSSIBLY GO WRONG!?!?!

Seriously those kind of people should not be allowed to have the kind of positions they have.

This shit makes me so angry.

So the new mass surveillance law will be going into effect from the 1st of January.

Of course, since I'm very keen on my security/privacy, I'm going to implement some precautions.

- A few vps's connecting to tor, i2p and VPN provider so that I can always use a secure connection.

- Setup anti tracker/ads/etc etc shit on the VPS's. Probably through DnsMasq and the hosts file.

- Use Tor browser by default. I've tried this for a while now and damn, the tor network has become way faster than only even a year ago! Some pages literally only take a few seconds to load.

- Wipe my laptop, encrypt the harddrive and at least put QubesOS on it together with probably a few other systems.

- Ungoogle my new phone, use it with VPN by default.

- Get rid of all non encrypted communication services. I think that only leaves me with a few account removals because I haven't chatted unencrypted for nearly a fucking year now.

If anyone has any more ideas, please share!

Manager: "The password must be encrypted to store it inside the database."
Me: "Great! No problem."
Manager: "Then it must have a copy of the unencrypted password to send it by email."
😐

Got some good news today, Australia's PM (Malcolm Turnbull) doesn't want a backdoor in encryption! All he just wants is "support" from companies to "access" their users encrypted data.

See the difference?

I don't 😒

We have a customer that runs an extremely strict security program, which disallows any type of outside connection to their servers.
In order to even correspond with them via email you must undergo background checks and be validated. Then you sign an NDA and another "secrecy level" contract.

Today they had a problem, I was the one assigned to fix it. I asked for a screenshot.
We already use an encrypted mail service, which runs via a special VPN that has enough layers of protection to slow down a photon to the speed of a snail.
The customer's sysadmin encrypted the screenshot and sent it to me.

I open the screenshot and....
He runs Windows 10, uses Google Chrome and has Facebook's WhatsApp desktop app flashing orange in the tray.

😐😣😫😖

If you like Google algorithms better, you can always just precede your duckduckgo search with !Google
Returns an encrypted Google search

When you've convinced a good number of your colleagues to try out Protonmail then you find out later that they're not using it anymore because it doesn't support the Gmail Android app 😬😬😬

Even if it's supported, WHAT THE FUCK is the point of using e2e encrypted email if you're accessing it using 3rd party apps?

Crap.. got myself into a fight with someone in a bar.

Hospitalized, turns out that my knee is bruised and my nose is broken. For some reason the knee hurts much more than the nose though.. very weird.

Just noticed that some fucker there stole my keychain USB stick too. Couldn't care less about the USB stick itself, got tons of those at home and hard drive storage even more so (10TB) but the data on it was invaluable. It held on a LUKS-encrypted partition, my GPG keys, revocation certificates, server backups and everything. My entire digital identity pretty much.

I'm afraid that the thief might try to crack it. On the flip side, if it's just a common Windows user, plugging it in will prompt him to format it.. hopefully he'll do that.

What do you think.. take a leap with fate and see how strong LUKS really is or revoke all my keys and assume my servers' filesystems to be in the hands of some random person that I don't know?

Seriously though.. stealing a fucking flash drive, of what size.. 32GB? What the fuck is wrong with people?

You, stupid fucking game, have just sent me my new password in plain text via email?

"the password is encrypted and cannot be sent again"???
So… you send the password in plain text, and only then encrypt it, right?
But it's still in plain text in your email logs, fucking bastards.

When you see "Database must be encrypted with SHA1 or SHA2" in software requirements specification....

The question goes straight to @linuxxx.

How secure is Viber? After an update recently, each conversation one starts says it's end to end encrypted.

How true is that?

I have multiple but one of my biggest ones:

Build an entire suite of services which can replace the popular Google/microsoft/facebook (etc) services.

Of course: privacy respecting, preferrably everything possible end-to-end encrypted.

Because fuck mass surveillance and those companies and if I can do anything to fuck them (quite literally) and help people getting to user friendly alternatives, I'll do the best I can.

!rant

IDE or text editors ?
I tbh use notepad++ to work on text files and encrypted files for passwords lol

> be me
> install linux on encrypted drive
> takes 8 hours to fill the drive with fake data so theres no chance of data leakage
> save encryption password to phone
> phone doesnt actually save password
> realize you dont have access to pc anymore
> cry
> reinstall linux

Tutanota (encrypted email service) has a newly designed interface.

I usually don't give a crap about design.

It's so beautiful 😍

I think I'm in love 😱

Them: "Could you send the password in an encrypted mail?"
Me: "Yea sure, what's your GPG public key?"
Them: "What's that? Can't you just encrypt it?"
Me: "Nvm, do you have Signal?"

Following a conversation with a fellow devRanter this came to my mind ago, happened a year or two ago I think.

Was searching for an online note taking app which also provided open source end to end encryption.

After searching for a while I found something that looked alright (do not remember the URL/site too badly). They used pretty good open source JS crypto libraries so it seemed very good!

Then I noticed that the site itself did NOT ran SSL (putting the https:// in front of the site name resulted in site not found or something similar).

Went to the Q/A section because that's really weird.

Saw the answer to that question:

"Since the notes are end to end encrypted client side anyways, we don't see the point in adding SSL. It's secure enough this way".

😵

I emailed them right away explaing that any party inbetween their server(s) and the browser could do anything with the request (includingt the cryptographic JS code) so they should start going onto SSL very very fast.

Too badly I never received a reply.

People, if you ever work with client side crypto, ALWAYS use SSL. Also with valid certs!

The NSA for example has this thing known as the 'Quantum Insert' attack which they can deploy worldwide which basically is an attack where they detect requests being made to servers and reply quickly with their own version of that code which is very probably backdoored.

This attack cannot be performed if you use SSL! (of course only if they don't have your private keys but lets assume that for now)
Luckily Fox-IT (formerly Dutch cyber security company) wrote a Snort (Intrustion Detection System) module for detecting this attack.

Anyways, Always use SSL if you do anything at all with crypto/sensitive data! Actually, always use it but at the very LEAST really do it when you process the mentioned above!

so i guess ill use my code.org teacher for this:

"credit card information is encrypted with the public keys"

"lists and arrays are the same thing"

"javascript is a powerful, fast, programming language" (bhahahaha)

"javascript is [only] used in web browsers"

"java and javascript are *extremely similar* but not the same"

My first unintentional "hack" was in middle school, I had been programming for a couple years already and I was really bored.

My school had blocked facebook, twitter and so on because most students are lazy and think everything revolves around their "descrete" cleavage picture's likes. Any way, I thought most would be naive and desperate enough to fall into a "Facebook unblocked" app at the desktop, the program was fairly simple just a mimicking FB page done on C# ASP that saved user and passwords in an encrypted file.

I distributed it in around 5 computers and by the end of the month I had over 60 accounts, and what did I do? I used it to post a gay relationship between two of my friends on fb (one had a gf), it was dumb but boy did I laughed, after that I erased everything as it didn't seem so important.

Gotta say, I find it awesome that I can connect with some devRanters through encrypted channels.

It's awesome to talk to devRanters with the same mindset through channels that offer a very high level of security/privacy.

Thanks!

Insecure... My laptop disk is encrypted, but I'm using a fairly weak password. 🤔

Oh, you mean psychological.

Working at a startup in crisis time. Might lose my job if the company goes under.

I'm a Tech lead, Senior Backender, DB admin, Debugger, Solutions Architect, PR reviewer.

In practice, that means zero portfolio. Truth be told, I can sniff out issues with your code, but can't code features for shit. I really just don't have the patience to actually BUILD things.

I'm pretty much the town fool who angrily yells at managers for being dumb, rolls his eyes when he finds hacky code, then disappears into his cave to repair and refactor the mess other people made.

I totally suck at interviews, unless the interviewer really loves comparing Haskell's & Rust's type systems, or something equally useless.

I'm grumpy, hedonistic and brutally straight forward. Some coworkers call me "refreshing" and "direct but reasonable", others "barely tolerable" or even "fundamentally unlikable".

I'm not sure if they actually mean it, or are just messing with me, but by noon I'm either too deep into code, or too much under influence of cognac & LSD, wearing too little clothing, having interesting conversations WITH instead of AT the coffee machine, to still care about what other humans think.

There have been moments where I coded for 72 hours straight to fix a severe issue, and I would take a bullet to save this company from going under... But there have also been days where I called my boss a "A malicious tumor, slowly infecting all departments and draining the life out of the company with his cancerous ideas" — to his face.

I count myself lucky to still have a very well paying job, where many others are struggling to pay bills or have lost their income completely.

But I realize I'm really not that easy to work with... Over time, I've recruited a team of compatible psychopaths and misfits, from a Ukranian ex-military explosives expert & brilliant DB admin to a Nigerian crossfitting gay autist devops weeb, to a tiny alcoholic French machine learning fanatic, to the paranoid "how much keef is there in my beard" architecture lead who is convinced covid-19 is linked to the disappearance of MH370 and looks like he bathes in pig manure.

So... I would really hate to ever have to look for a new employer.

I would really hate to ever lose my protective human meat shield... I mean, my "team".

I feel like, despite having worked to get my Karma deep into the red by calling people all kinds of rude things, things are really quite sweet for me.

I'm fucking terrified that this peak could be temporary, that there's a giant ravine waiting for me, to remind me that life is a ruthless bitch and that all the good things were totally undeserved.

Ah well, might as well stay in character...

*taunts fate with a raised middlefinger*

What I'm posting here is my 'manifesto'/the things I stand for. You may like it, you may hate it, you may comment but this is what I stand for.

What are the basic principles of life? one of them is sharing, so why stop at software/computers?
I think we should share our software, make it better together and don't put restrictions onto it. Everyone should be able to contribute their part and we should make it better together. Of course, we have to make money but I think that there is a very good way in making money through OSS.

Next to that, since the Snowden releases from 2013, it has come clear that the NSA (and other intelligence agencies) will try everything to get into anyone's messages, devices, systems and so on. That's simply NOT okay.
Our devices should be OUR devices. No agency should be allowed to warrantless bypass our systems/messages security/encryptions for the sake of whatever 'national security' bullshit. Even a former NSA semi-director traveled to the UK to oppose mass surveillance/mass govt. hacking because he, himself, said that it doesn't work.

We should be able to communicate freely without spying. Without the feeling that we are being watched. Too badly, the intelligence agencies of today do not want us to do this and this is why mass surveillance/gag orders (companies having to reveal their users' information without being allowed to alert their users about this) are in place but I think that this is absolutely wrong. When we use end to end encrypted communications, we simply defend ourselves against this non-ethical form of spying.
I'm a heavy Signal (and since a few days also Riot.IM (matrix protocol) (Riot.IM with end to end crypto enabled)), Tutanota (encrypted email) and Linux user because I believe that only those measures (open source, reliable crypto) will protect against all the mass spying we face today.
The applications/services I strongly oppose are stuff like WhatsApp (yes, encryted messages but the metadata is readily available and it's closed source), skype, gmail, outlook and so on and on and on.

I think that we should OWN our OWN data, communications, browsing stuffs, operating systems, softwares and so on.

This was my rant.

This is to dfox and trogus. I think that a lot of devRanters are very happy with the support option! Although i hate Google pretty much i made a very unlikely exception for you because i would love to support the social network where i, next to being able to rant and be among fellow devs, met quite some very nice devs with whom i still am in touch with through slack and some encrypted channels. Thanks for this awesome place and I'm proud to be a supporter 😃

"We can try, but it'll be hard. They encrypted their IP."
Probably the most used line.

Tutanota (encrypted mail service) is releasing a new android app soon which won’t be using GCM anymore so that the app won’t be the reason a phone connects to anything google anymore and it’ll be on F-Droid soon!

Fuck yeah, Turanota, I fucking love you ❤️

Just wanted to say cheers to all those coders among you who make sure their login is encrypted, their passwords are hashed and salted, their codes are tested and their forms are code injection safe.

No client will understand what you did, so take my props for it! After all, its our responsibility to make sure software is secure. That's all :)

It were around 1997~1998, I was on middle school. It was a technical course, so we had programing languages classes, IT etc.

The IT guy of our computer lab had been replaced and the new one had blocked completely the access on the computers. We had to make everything on floppy disks, because he didn't trusted us to use the local hard disk. Our class asked him to remove some of the restrictions, but he just ignored us. Nobody liked that guy. Not us, not the teachers, not the trainees at the lab.

Someday a friend and me arrived a little bit early at the school. We gone to the lab and another friend that was a trainee on the lab (that is registered here, on DevRant) allowed us to come inside. We had already memorized all the commands. We crawled in the dark lab to the server. Put a ms dos 5.3 boot disk with a program to open ntfs partitions and without turn on the computer monitor, we booted the server.

At that time, Windows stored all passwords in an encrypted file. We knew the exact path and copied the file into the floppy disk.

To avoid any problems with the floppy disk, we asked the director of the school to get out just to get a homework we theorically forgot at our friends house that was on the same block at school. We were not lying at all. He really lived there and he had the best computer of us.

The decrypt program stayed running for one week until it finds the password we did want: the root.

We came back to the lab at the class. Logged in with the root account. We just created another account with a generic name but the same privileges as root. First, we looked for any hidden backup at network and deleted. Second, we were lucky: all the computers of the school were on the same network. If you were the admin, you could connect anywhere. So we connected to a "finance" computer that was really the finances and we could get lists of all the students with debits, who had any discount etc. We copied it to us case we were discovered and had to use anything to bargain.

Now the fun part: we removed the privileges of all accounts that were higher than the trainee accounts. They had no access to hard disks anymore. They had just the students privileges now.

After that, we changed the root password. Neither we knew it. And last, but not least, we changed the students login, giving them trainee privileges.

We just deleted our account with root powers, logged in as student and pretended everything was normal.

End of class, we went home. Next day, the lab was closed. The entire school (that was school, mid school and college at the same place) was frozen. Classes were normal, but nothing more worked. Library, finances, labs, nothing. They had no access anymore.

We celebrated it as it were new years eve. One of our teachers came to us saying congratulations, as he knew it had been us. We answered with a "I don't know what are you talking about". He laughed and gone to his class.

We really have fun remembering this "adventure". :)

PS: the admin formatted all the servers to fix the mess. They had plenty of servers.

Removed my Facebook account about Month ago. Sister was pretty sad because I'm the one person she can tag in everything. Asked me why I deleted it and I told her it was because of privacy concerns. "Then why don't you make an end to end encrypted social network?". I'd actually consider this...

(Written March 13th at 2am.)

This morning (yesterday), my computer decided not to boot again: it halts on "cannot find firmware rtl-whatever" every time. (it has booted just fine several times since removing the firmware.) I've had quite the ordeal today trying to fix it, and every freaking step along the way has thrown errors and/or required workarounds and a lot of research.

Let's make a list of everything that went wrong!

1) Live CD: 2yo had been playing with it, and lost it. Not easy to find, and super smudgy.

2) Unencrypt volume: Dolphin reports errors when decrypting the volume. Research reveals the Live CD doesn't incude the cryptsetup packages. First attempts at installing them mysteriously fail.

3) Break for Lunch: automatic powersaving features turned off the displays, and also killed my session.

4) Live CD redux: 25min phonecall from work! yay, more things added to my six-month backlog.

5) Mount encrypted volume: Dolphin doesn't know how, and neither do I. Research ensues. Missing LVM2 package; lvmetad connection failure ad nauseam; had to look up commands to unlock, clone, open, and mount encrypted Luks volume, and how to perform these actions on Debian instead of Ubuntu/Kali. This group of steps took four hours.

6) Chroot into mounted volume group: No DNS! Research reveals how to share the host's resolv with the chroot.

7) `# apt install firmware-realtek`: /boot/initrd.img does not exist. Cannot update.

8) Find and mount /boot, then reinstall firmware: Apt cannot write to its log (minor), listed three install warnings, and initially refused to write to /boot/initrd.img-[...]

9) Reboot!: Volume group not found. Cannot process volume group. Dropping to a shell! oh no..

(Not listed: much research, many repeated attempts with various changes.)

At this point it's been 9 hours. I'm exhausted and frustrated and running out of ideas, so I ask @perfectasshole for help.
He walks me through some debugging steps (most of which i've already done), and we both get frustrated because everything looks correct but isn't working.

10) Thirteenth coming of the Live CD: `update-initramfs -u` within chroot throws warnings about /etc/crypttab and fsck, but everything looks fine with both. Still won't boot. Editing grub config manually to use the new volume group name likewise produces no boots. Nothing is making sense.

11) Rename volume group: doubles -'s for whatever reason; Rebooting gives the same dreaded "dropping to a shell" result.

A huge thank-you to @perfectasshole for spending three hours fighting with this issue with me! I finally fixed it about half an hour after he went to bed.

After renaming the volume group to what it was originally, one of the three recovery modes managed to actually boot and load the volume. From there I was able to run `update-initramfs -u` from the system proper (which completed without issue) and was able to boot normally thereafter.

I've run updates and rebooted twice now.
After twelve+ hours... yay, I have my Debian back!

oof.

I think I will ship a free open-source messenger with end-to-end encryption soon.

With zero maintenance cost, it’ll be awesome to watch it grow and become popular or remain unknown and become an everlasting portfolio project.

So I created Heroku account with free NodeJS dyno ($0/mo), set up UptimeRobot for it to not fall asleep ($0/mo), plugged in MongoDB (around 700mb for free) and Redis for api rate limiting (30 mb of ram for free, enough if I’m going to purge the whole database each three seconds, and there’ll be only api hit counters), set up GitHub auto deployment.

So, backend will be in nodejs, cryptico will manage private/public keys stuff, express will be responsible for api, I also decided to plug in Helmet and Sqreen, just to be sure.

Actual data will be stored in mongo, rate limit counters – in redis.

Frontend will probably be implemented in React, hosted for free at GitHub pages. I also can attach a custom domain there, let’s see if I can attach it to Freenom garbage.

So, here we go, starting up modern nosql-nodejs-react application completely for free.

If it blasts off, I’m moving to Clojure + Cassandra for backend.

And the last thing. It’ll be end-to-end encrypted. That means if it blasts off, it will probably attract evil russian government. They’ll want me to give him keys. It’ll be impossible, you know. But they doesn’t accept that answer. So if I accidentally stop posting there, please tell my girl that I love her and I’m probably dead or captured

At my old job, me and a colleague were tasked with designing a new backup system. It had integrations for database systems, remote file storage and other goodies.
Once we were done, we ran our tests, and sure enough. The files and folder from A were in fact present at B and properly encrypted. So we deployed it.
The next day, after the backup routine had run over night, I got to work and noone was able to log in. They were all puzzled.
I accessed a root account to find the issue. Apparantly, we had made a mistake!
All files on A were present at B... But they were no longer present at A.
We had issued 'move' instead of 'copy' on all the backups. So all of peoples files and even the shared drives have had everything moved to remote storage :D
We spent 4 hours getting everything back in place, starting with the files of the people who were in the office that day.
Boss took it pretty well at least, but not my proudest moment.

*Stay tuned for the story of how I accidentally leaked our Amazon Web Services API key on stack overflow*

/facepalm

Just now I was compiling a new kernel for my laptop because the last ones were from before my rootfs became LUKS-encrypted. Then I found that option about SELinux again.. NSA SELinux. A MAC system that linuxxx praised earlier. Should I tell him? 😜

It was like 9/11 at work this morning. Someone had clicked a link yesterday that recursively encrypted our entire file system. Thank god for backups.

Adylkuzz "saves" users from WannaCry

In fact, because Adylkuzz(malware that mine cryptocurrency) had infected many vulnerable machines long before WannaCry and shut down their SMB port, the malware might have accidentally saved many potential victims from having their data encrypted by WannaCry.

End to end encrypted (maybe decentralized?) social network including shit like voice/video/group calls.

Privacy site I'm working on right now.

Yeah that's it for now :)

TLDR; My 2TB HDD got wiped in one fell swoop by a 9-year old child.

You know... I've never been too great about keeping backups. Even to this day, I only keep one or two local backups and nothing on the "cloud".

So this was about 5 years ago. At the time, I was living together with my girlfriend - who would later become my wife. She had a son from a previous relationship, who at the time was 9 years old.

I had a small desk in the living room of our one-bedroom apartment, that I used for my computer, which has been a laptop for a long time now. One unfortunate thing about the layout of the apartment was that the wall plug near my desk was attached to a light switch.

I had a 2TB external hard drive - with its own power cable - plugged into my laptop. Then, things started to move in slow motion... The GF's son comes inside from playing, my GF asks him to turn off the light. He reaches over, and shuts off power to my laptop - and the external hard drive.

He must have hit that switch at JUST the right fucking time. The laptop ran on battery, no big deal. The hard drive, when I powered it back up - was wiped clean. I tried data recovery on it, but the HDD was encrypted, which makes things more complicated.

Needless to say, I was not happy. I never got that data back, but I did learn not to expose my hard drives to 9 year olds. Very dangerous little creatures.

You want to know the best part? He destroyed another hard drive of mine, a few years later. Should I tell that story?

YES FINALLY SOMEBODY REPLIED TO MY JOB OFFER ON UPWORK LET ME OPEN THE MESSAGE

A LINK TO A ZIP FILE WITH PASSWORD THAT LOOKS SO SKETCHY HMMMMMMMMMMM

LETS OPEN IT

WHATS THIS
- aboutus/
-- COMPANY PROFILE.docx
-- Paiza.docx
-- PROJECT WORK.docx
- requirement.lnk
- training/
-- discussion/
--- instruction/
---- democrat/
----- marketing.bat

A MARKETING.BAT FILE FOR A JOB OFFER??? HMMM THATS SO INTERESTING LET ME OPEN THIS MARKETING.BAT IN VSCODE

OH WOULD YOU LOOK AT THAT 10,000 LINES OF CODE OF ENCRYPTED CIPHER ENCODED MALWARE TROJAN MESSAGE TO FUCK UP MY C DRIVE.

WHY EVEN BOTHER. WHY DO YOU FUCKING WASTE MY FUCKING TIME YOU *********FUCKING*******++++ SCAMMERS I HOPE YOU GET CANCER AND YOUR WHOLE FAMILY DIES IN THE MOST HARMFUL PAINFUL SLOW DEATH I HOPE SOMEONE POURS ACID ON YOUR FUCKING FACE AND YOU END UP AT A MEXICAN CARTEL GORE VIDEO WEBSITE WHERE THEY CHOP YOUR FUCKING ARMS AND LEGS OFF AND PUT A PITBULL TO MAUL YOUR FUCKING TINY DICK OFF AS YOUR HEAD WATCHES IN AGONY AND YOUR ARMLESS AND LEGLESS BODY FEELS ALL PAIN WHILE YOU'RE DRUGGED WITH ADRENALINE TO STAY ALIVE AS MUCH AS POSSIBLE AND RIGHT WHEN YOU'RE ABOUT TO FUCKING DIE THEY CUT YOUR FUCKING HEAD OFFFF DECAPITATED LIKE A FUCKING USELESS TURD SHIT FAGGOT WASTE OF OXYGEN SCAMMING CANCER FUCK

WHY SCAM ENGINEERS ON UPWORK????? WHAT DO YOU GET FROM IT????

Does anyone know a way of to do a video chat through node js (socket.io) or have a link to any resource? NOT through webrtc.

I used to have a link on this but lost it 😥

Meaning to give an end to end encrypted web video chat a chance.

When you reboot your server and on boot it asks for the hdd encrypted password. I have no clue anymore. Oh how fucking happy I am that we have no users yet and are in closed alpha. Happy to learn this now so I'll never make this mistake again. 😨

Why does almost everyone act as if the world they live in is perfect, or is supposed to be perfect?

This is about approaching IT infrastructures, but goes way beyond IT, into daily lives.

Daniel Kahneman wrote about the "Econs" - a mythical creature that behaves according to rules and rational thoughts, that everybody is guided by, as opposed to Humans, who are irrational, intuitive and emotional.
My beef is with a wider perception, beyond economical analysis, profit, investment and so on.

Examples:
Organization A uses a 15 year old system that is crappy beyond description, but any recent attempt to replace it have failed. Josh thinks that this is a crappy organization, any problem lies within the replacement of that system, and all resources should be devoted to that. Josh lives in a perfect world - where shit can be replaced, where people don't have to live with crappy systems. Josh is stupid, unless he can replace that old system with something better. Don't be Josh. Adapt to the fucking reality, unless you have the power to change it.

Peter is a moron who downloads pirated software with cracks, at the office. He introduced a ransomware that encrypted the entire company NAS. Peter was fired obviously, but Sylvia, the systems administrator, got off easily because Peter the moron was the scapegoat. Sylvia truly believes that it's not her fault, that Peter happened to be a cosmic overgrown lobotomized amoeba. Sylvia is a fucking idiot, because she didn't do backups, restrict access, etc. Because she relied on all people being rational and smart, as people in her imaginary world would be.

Amit finished a project for his company, which is a nice modern website frontend. Tom, the manager says that the website doesn't work with Internet Explorer 8, and Amit is outraged that Tom would even ask this, quoting that IE8 is a dinosaur that should've been euthanized before even hatching. Amit doesn't give a shit about the fact that 20% of the revenue comes from customers that use IE8, what's more important to him is that in his perfect imaginary world everybody uses new hardware and software, and if someone doesn't - it's their fault and that's final. Amit is a fucking asshole. Don't be like Amit.

React to the REAL world, not what you WANT the world to be. Otherwise you're one of them.
The real world can be determined by looking at all the fuck ups and bad situations, admit that they happen, that they're real, that they will keep happening unless you do something that will make them impossible to happen or exist.

Acting as if these bad things don't exist, or that they won't exist because someone would or should change it, is retarded.

When your school doesn't give you the root password of your openSUSE laptop but an encrypted file with all the passwords of the school even the director's one just to stimulate you

Guess what's in it ?

Bind's top {number} dev tools to make your 2018 easier!

//note 0: feel free to add your own
//note 1: no ides, only stuff thats useful for everyone

0) vscode, it got significantly better after the latest updates and is very versatile
1) gitkraken, now i use sourcetree because of the jira integration but kraken is available for linux too so
2) scaleway, they provide really cheap servers for whatever you want, easy to install images (docker too)
3) protonmail, an encrypted mail service that works a lot better than gmail (tutanota is a close 2nd but has a weeb name)
4) telegram, if you can, tell your team to ditch slack, because telegram is a lot more lightweight and even if you dont, just the channels make it worth giving it a shot
5) steemit, a blockchain based website where the users write the articles, you can find some good reads there (and photography if you like that stuff)
6) a dildo because it wouldnt be a bindview content without out of context penile objects

Ten Immutable Laws Of Security

Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.

Yeah yeah, good ol' DropBox.
Which fucking piss-wanker has made the decision to NOT SUPPORT encrypted ext4 starting in november???
You think I'm going to reformat my SSD just for you, you little stinky cunt, huh?
CrapBox has hearned itself a place in /dev/null
Go fuck yourself, you hobo-raped STD host!

How to comply with GDPR on any website and web application:
- download the law and store it in some folder
- if you have money, pay a lawyer and a security consultant to write something about GDPR. Download reports and papers and store it in some folder
- Don't touch your code, nor your database nor your infrastructure. If you don't have anything encrypted, leave it like that.
- Write somewhere a popup that says: "we are fully compliant with GDPR". If you have still money left you can also buy such a popup.
- DONE.

My windows pro licence got automatically downgraded to home when I turned my laptop on today. Turns out it's a known bug since last month. Just when you think they can't get any worse. Bitlocker doesn't work anymore(only supports pro) and here I'm sitting in front my encrypted drives helplessly.

Can someone please explain to me WHY THE FUCK non devs feel like they know shit. I DON'T GIVE A FUCK ABOUT HOW YOU FOUND SOME UNTRUE SHIT ON GIZMODO. I'VE KNOW SO MUCH ABOUT THIS SHIT, AND YOU LOOKED UP THE FIRST EXAMPLE YOU COULD FIND THE SUPPORTS YOUR CASE. The most recent time this happened was OVER THE LAST FEW DAYS when this DUMBASS that my friends and I BULLY but HE STILL HANGS AROUND. (By bully, yes sometimes we are mean to him, but we're not out to get him. He comes to us and we don't wanna be with him). So after the SEVENTH groupchat (on two apps) he created that night, HE WANTED TO SWITCH BACK TO ANOTHER APP I SPENT A WEEK TRYING TO GET THEM TO SWITCH FROM PREVIOUSLY (It was whatsapp, i got them to switch to telegram). THEN HE TRIED to ARGUE with me about how TELEGRAM wasnt secure. HE SEARCHED "is telegram secure" on Google and chose the FIRST ARTICE from the previously mentioned, GIZMODO which says that TELEGRAM chats ARENT ENCRYPTED by DEFAULT. HOW THE FUCK DO DUMBASSES GET THIS KIND OF PUBLICITY. There's a difference between ENCRYPTION and END TO END DUMBASS. Then he told me whatsapp is more secure than telegram. NO ITS FUCKING NOT. In telegram, your encryption keys CHANGE every chat, or every 100 messages. To my best research, whatsapp only has ONE key per USER. I could go on forever about how chat backups in whatsapp are UNENCRYPTED or how FACEBOOK stores your data, but blocked you works to.

Security rant ahead, you have been warned!
As part of a scholarship application, our government requires a scan/copy of the applicant's credit card. Since the IBAN is now on the back, you have to send both sides.
The back is also where the CVC (security code) is. Any bank will strictly tell you NOT TO EVER SHARE IT - not even with them!
To make things even more fun, you now have the option to send this over email which is, of course, NOT ENCRYPTED!!!!!
I'm basically sending all the info needed to steal all my money over an unencrypted connection to an underpaid secretary, who will print it out and leave it on their desk for anyone with decent binoculars to see.
These people are fucking insane!!!!

The company I work for is requiring customers to submit credit card info in an online form which then gets stored into our "secure database". Which employees then pull and charge the card later on. They're also telling customers that the form is "encrypted". This is all because they're too fucking lazy and not patient enough to wait for someone to integrate a payment gateway. This is a lawsuit waiting to happen.

Encrypted social network based on blockchains

!dev - cybersecurity related.

This is a semi hypothetical situation. I walked into this ad today and I know I'd have a conversation like this about this ad but I didn't this time, I had convo's like this, though.

*le me walking through the city centre with a friend*
*advertisement about a hearing aid which can be updated through remote connection (satellite according to the ad) pops up on screen*

Friend: Ohh that looks usefu.....
Me: Oh damn, what protocol would that use?
Does it use an encrypted connection?
How'd the receiving end parse the incoming data?
What kinda authentication might the receiving end use?
Friend: wha..........
Me: What system would the hearing aid have?
Would it be easy to gain RCE (Remote Code Execution) to that system through the satellite connection and is this managed centrally?
Could you do mitm's maybe?
What data encoding would the transmissions/applications use?
Friend: nevermind.... ._________.

Cybersecurity mindset much...!

Commas.
I fix one display, and another breaks.

Now I’m getting “$$1002.99” and can’t figure out why. Where is this popup coming from? Where does the encrypted URL point to? What does this ajax call do? Where does the amount go? When does it change? Why is it a string now? Where does the total get defined? How far down the rabbit hole do I need to go?

Short short version:

I found something to try fixing. I made some changes, forced a crash to inspect, and… Joy! My log stopped updating. How long have I been debugging on stale data?

Skipping a long debugging session…

I discover a suspect instance var in a suspect method, and… i have no freaking clue where it’s being defined. It’s used in the class, but never defined in it. Oh, and the name is pretty generic, so searching for it is even more fun.

Just.
Qxfrfjkalstf.

WHO WRITES THIS CRAP?!
AND WHY DO PEOPLE CALL THEM “LEGENDS”? Like, really. That’s the word they use. “Legends.” I still can’t believe it.

Could you imagine a guy who takes A4 paper with encrypted text using modern algorithms and decrypts it in 20 minutes which pen and his mind?

My dream project. Although we have tools like facebook, twitter, whatsapp, you name it, and although whatsapp is 'officially' (between quotes because I won't believe that until proven by source code or something) end-to-end encrypted, I would like to create an open source platform which basically everyone can use which features all usual tools like email, calendar, voice/video calls etc while being entirely decentralized/end-to-end encrypted.

I'd like to create this because of my own daily struggle of refusing to use closed/non-encrypted tools for communication while a lot of people don't care about privacy and don't want to use tools like Signal, Tox and so on.

It's me not about making money, it's about providing a safe place where people can do their things without the possibility of being spied on without reason.

A popular social media website in my country (which my friends and I were working on it's new design) was hacked and everyone on the dev side of the website was invited to the ministry of communications, believing we were going to discuss security of user data. The other guys (working on the back-end) were friends with the CEO (if you want to call it that) and naturally came to the meeting. They started to talk about the girls of their city. Meanwhile about 1.2 million user data encrypted with MD5 was out there.

Client from a big company requested that all sensible data should be encrypted, passwords included.
We agreed that was OK, and that we were already saving the hashes for the passwords.
The reply was "Hashes should be encrypted too"

I’m trying to add digit separators to a few amount fields. There’s actually three tickets to do this in various places, and I’m working on the last of them.

I had a nightmare debugging session earlier where literally everything would 404 unless I navigated through the site in a very roundabout way. I never did figure out the cause, but I found a viable workaround. Basically: the house doesn’t exist if you use the front door, but it’s fine if you go through the garden gate, around the back, and crawl in through the side window. After hours of debugging I eventually discovered that if I unlocked the front door with a different key, everything was fine… but nobody else has this problem?

Whatever.
Onto the problem at hand!

I’m trying to add digit separators to some values. I found a way to navigate to the page in question (more difficult than it sounds), and … I don’t know what view is rendering the page. Or what controller. Or how it generates its text.

The URL is encrypted, so I get no clues there. (Which was lead dev’s solution to having scrapeable IDs instead of just, you know, fixing them). The encryption also happens in middleware, so it’s a nightmare to work through. And it’s by the lead dev, so the code is fucking atrocious.

The view… could be one of many, and I don’t even know where they are. Or what layout. Or what partials go into building it.

All of the text on the page are “resources” — think named translations that support plus nested macros. I don’t know their names, and the bits of text I can search for are used fucking everywhere. “Confirmation number” (the most unique of them) turns up 79 matches. “Fee” showed up in 8310 places before my editor gave up looking. Really.

The table displaying the data, which is what I actually care about, isn’t built in JS or markup, but is likely a resource that goes through heavy processing. It gets generated in a controller somewhere (I don’t know the resource name so I can’t find it), and passed through several layers of “dynamic form” abstraction, eventually turned into markup, and rendered as a partial template. At least, that’s how it worked in the previous ticket. I found a resource that looks right, and there’s only the one. I found the nested macros it uses for the amount and total, and added the separators there… only to find that it doesn’t work.

Fucking dead end.

And i have absolutely nothing else to go on.

Page title? “Show”
URL? /~LiolV8N8KrIgaozEgLv93s…
Text? All from macros with unknown names. Can’t really search for it without considerable effort.
Table? Doesn’t work.
Text in the table? doesn’t turn up anything new.
Legal agreement? There are multiple, used in many places, generates them dynamically via (of course) resources, and even looking through the method usages, doesn’t narrow it down very much.

Just.
What the fuck?
Why does this need to be so fucking complicated?

And what genius decided “$100000.00” doesn’t need separators? Right, the lot of them because separators aren’t used ANYWHERE but in code I authored. Like, really? This is fintech. You’d think they would be ubiquitous.

And the sheer amount of abstraction?
Stupid stupid stupid stupid stupid.

The Hungarian public transport company launched an online shop (created by T-Systems), which was clearly rushed. Within the first days people found out that you could modify the headers and buy tickets for whatever price you set, and you could login as anyone else without knowing their password. And they sent out password reminders in plain text in non-encrypted emails. People reported these to the company which claims to have fixed the problems.

Instead of being ashamed of themselves now they're suing those who pointed out the flaws. Fucking dicks, if anyone they should be sued for treating confidential user data (such as national ID numbers) like idiots.

fuck code.org.

here are a few things that my teacher said last class.

"public keys are used because they are computationally hard to crack"

"when you connect to a website, your credit card number is encrypted with the public key"

"digital certificates contain all the keys"

"imagine you have a clock with x numbers on it. now, wrap a rope with the length of y around the clock until you run out of rope. where the rope runs out is x mod y"

bonus:

"crack the code" is a legitimate vocabulary words

we had to learn modulus in an extremely weird way before she told the class that is was just the remainder, but more importantly, we werent even told why we were learning mod. the only explanation is that "its used in cryptography"

i honestly doubt she knows what aes is.

to sum it up:

she thinks everything we send to a server is encrypted via the public key.

she thinks *every* public key is inherently hard to crack.

she doesnt know https uses symmetric encryption.

i think that she doesnt know that the authenticity of certificates must be checked.

Once upon a time, in a proprietary e-commerce framework used by few hundred sites...

I just took over a project where the previous developer stored password in two separate fields.

password & password_visible

First was encrypted and used for authentication. Second was plaintext password and was shown in the admin panel.

Hope to meet this god someday, I'd sure ask why the hell did he use encrypted password for authentication anyway. 😂

I think most people are annoyed by the new design of chrome, for all the wrong reasons - I just noticed the TLS indicator lock is now gray when encrypted, giving you the idea of a website being not fully secure imho

So... did I mention I sometimes hate banks?

But I'll start at the beginning.

In the beginning, the big bang created the universe and evolution created humans, penguins, polar bea... oh well, fuck it, a couple million years fast forward...

Your trusted, local flightless bird walks into a bank to open an account. This, on its own, was a mistake, but opening an online bank account as a minor (which I was before I turned 18, because that was how things worked) was not that easy at the time.

So, yours truly of course signs a contract, binding me to follow the BSI Grundschutz (A basic security standard in Germany, it's not a law, but part of some contracts. It contains basic security advice like "don't run unknown software, install antivirus/firewall, use strong passwords", so it's just a basic prototype for a security policy).

The copy provided with my contract states a minimum password length of 8 (somewhat reasonable if you don't limit yourself to alphanumeric, include the entire UTF 8 standard and so on).

The bank's online banking password length is limited to 5 characters. So... fuck the contract, huh?

Calling support, they claimed that it is a "technical neccessity" (I never state my job when calling a support line. The more skilled people on the other hand notice it sooner or later, the others - why bother telling them) and that it is "stored encrypted". Why they use a nonstandard way of storing and encrypting it and making it that easy to brute-force it... no idea.

However, after three login attempts, the account is blocked, so a brute force attack turns into a DOS attack.

And since the only way to unblock it is to physically appear in a branch, you just would need to hit a couple thousand accounts in a neighbourhood (not a lot if you use bots and know a thing or two about the syntax of IBAN numbers) and fill up all the branches with lots of potential hostages for your planned heist or terrorist attack. Quite useful.

So, after getting nowhere with the support - After suggesting to change my username to something cryptic and insisting that their homegrown, 2FA would prevent attacks. Unless someone would login (which worked without 2FA because the 2FA only is used when moving money), report the card missing, request a new one to a different address and log in with that. Which, you know, is quite likely to happen and be blamed on the customer.

So... I went to cancel my account there - seeing as I could not fulfill my contract as a customer. I've signed to use a minimum password length of 8. I can only use a password length of 5.

Contract void. Sometimes, I love dealing with idiots.

And these people are in charge of billions of money, stock and assets. I think I'll move to... idk, Antarctica?

Not sure if you'd call this an insecurity but regardless; frontend.

Much of the stuff I develop is meant to be user/privacy friendly.
Like, at the moment I'm developing an end-to-end encrypted notes web application. The backend is a fucking breeze, the frontend is hell for me. I'm managing mostly but for example, I need to implement a specific thing/feature right now and while the backend would take me about 15-30 minutes, I've been only just thinking about how I'm going to do this frontend wise for the past few fucking hours.

My JavaScript skills are quite alright, html is manageable, css only the basics.

And before people tell me to just learn it; I. Fucking. Hate. Frontend. Development. My motivation for this is below zero.

But, most of the shit I write depends on frontend regardless!

Public Service Announcement from the files of "Should have thought about that first":

Print your BitLocker recovery key before installing Hyper-V Services on a machine with encrypted drives.

tl;dr:
The Debian 10 live disc and installer say: Heavens me, just look at the time! I’m late for my <segmentation fault

—————

tl:
The Debian 10 live cd and its new “calamares” installer are both complete crap. I’ve never had any issues with installing Debian prior to this, save with getting WiFi to work (as expected). But this version? Ugh. Here are the things I’ve run into:

Unknown root password; easy enough to get around as there is no user password; still annoying after the 10th time.

Also, the login screen doesn’t work off-disc because it won’t accept a blank password, so don’t idle or you’ll get locked out.

The lock screen is overzealous and hard-locks the computer after awhile; not even the magic kernel keys work!

The live disc doesn’t have many standard utilities, or a graphical partition editor. Thankfully I’m comfortable with fdisk.

The graphical installer (calamares) randomly segfaults, even from innocuous things like clicking [change partition] when you don’t have a partition selected. Derp.

It also randomly segfaults while writing partitions to disk — usually on the second partition.

It strangely seems less likely to segfault if the partitions are already there, even if it needs to “reformat” (recreate) them.

It also defaults to using MBR instead of GPT for the partition table, despite the tooltip telling you that MBR is deprecated and limited, and that GPT is recommended for new systems. You cannot change this without doing the partitions manually.

If you do the partitions manually and it can’t figure out where to install things, it just crashes. This is great because you can’t tell it where to install things, and specifying mount points like /boot, /, and /home don’t seem to be enough.

It also tries installing 32bit grub instead of 64bit, causing the grub installer to fail.

If you tell it to install grub on /boot, it complains when that partition isn’t encrypted — fair — but if you tell it to encrypt /boot like it wants you to, it then tries installing grub on the encrypted partition it just created, apparently without decrypting it, so that obviously fails — specific error: cannot read file system.

On the rare chance that everything else goes correctly, the install process can still segfault.

The log does include entries for errors, but doesn’t include an error message. Literally: “ERROR: Installation failed:” and the log ends. Helpful!

If the installer doesn’t segfault and the install process manages to complete, the resulting install might not even boot, even when installed without any drive encryption. Why? My guess is it never bothered to install Grub, or put it in the wrong place, or didn’t mark it as bootable, or who knows what.

Even when using the live disc that includes non-free firmware (including Ath9k) it still cannot detect my wlan card (that uses Ath9k).

I’ve attempted to install thirty plus times now, and only managed to get a working install once — where I neglected to include the Ath9k firmware.

I’m now trying the cli-only installer option instead of the live session; it seems to behave at least. I’m just terrified that the resulting install will be just as unstable as the live session.

All of this to copy the contents of my encrypted disks over so I can use them on a different system. =/

I haven’t decided which I’m going with next, but likely Arch, Void, or Gentoo. I’d go with Qubes if I had more time to experiment.

But in all seriousness, the Debian devs need some serious help. I would be embarrassed if I released this quality of hot garbage.

(This same system ran both Debian 8 and 9 flawlessly for years)

I was wondering if anybody gets to sniff my wifi and finally finds my pass, so he is able to listen to my encrypted traffic and fully decrypt it (websites without https)!
That is far worse than just using my bandwidth!!
What do you think?
What else the attacker can get?

ssh your.server.ip, welcome message:

#Ooops! your files have been encrypted.
#Don't waste your time trying to decrypt them.
#Nobody can.

#We would gladly offer you a way of recovering all
#your files safely, but sadly we lost the decryption
#password.

#Hackers too are not perfect, have a nice day.
#PS. you can still send money to support us if you want at this
#web page: fuckyou.onion.
#Your personal key: m0r0nm0t3fukk3r

(I'll code this one day and install it on somebody machine, it's one of my top dreams)

Fucking shit, this university's website is so damn slow! Basically Every Semester, every student need to enroll to certain classes in University Website.

But the Infrastructure is not enough to handle such a big amount of students, we have approx. 7000 students enrolling at the same fucking time.

And here i am can't enroll to any class at all this semester. Fuck such a waste of time. This always been a thing since they digitalize enrolling system.

I don't want this to happen again. The student always be a victim since they cannot handle the request. Now, as a dev, i want to propose something better to optimize the server, i have some connection to pass some bureaucracy. I am going to do some brainstorming and I will need some solution.

Here some data i gather when i am mad from my univ infrastructure division :
1. The Server is a simple Local Server Forwarded to the Internet.
2. The Server use Windows Server 2007.
4. Web Server Using Microsoft IIS
3. The Website built using ASP.NET
4. The connection is not SSL encrypted (yes its fucking use the http)
5. Hardware Spec (not confirmed officialy, i got this information from my professor) :
- Core i5 4460
- 4 GB Ram
- 1 Gbit NIC

I will summon some expert here and i hope want to help me(us all) out.

Warning: long rant

I'm sick and tired of feeling like I'm the only person who cares about their privacy

I try, as much as I can, to avoid surveillance. I use firefox, protonmail, duckduckgo, e2e encrypted chat platforms, avoid social media like the plague, and do everything I can to block facebook and google trackers on websites I visit

And it's exhausting

Each search I make means I waste another 30 seconds because duckduckgo doesn't pull the answer directly from webpages like google does

I get weird looks when I give people a @protonmail email address, and I have to explain what it is to them every fucking time

People ask if I have social media, and I either give them nothing or my Github account

And for what? Nobody else cares, no matter how much I explain how toxic google and facebook are to society.

They just say 'I have nothing to hide' as they scroll Instagram, letting Zuckerberg build an intimately detailed profile on them.

They just say 'so what' as they google memes from their chrome browser, allowing google to share that information with god-knows-who

If everyone else has given up their privacy for convenience, why am I still fighting a losing battle?

It feels like I'm fighting a war against big tech by myself, and I'm tired and about to lay down my arms

IT security calls to tell me my new password, because it is poor practice to send it over encrypted message.

New password = password

I'm glad we are taking security so seriously!

It must really suck to be a malware dev... "Oh look, the recent changes i made to my cryptomalware made it work! Sadly project file are encrypted too. Lets start over."

Am I the only one who's getting more and more aggrevated about how the large youtube channels misinform and make out VPN providers (I am looking at you, Nord VPN, mostly) as the messiahs of the internet? How they protect our data that would otherwise be in incredible "danger" otherwise?

I understand they need clients, and I know most of the YT channels probably do not know better, but... This is misinformation at best, and downright false advertising at the worst...

"But HTTP-only websites still exist!" - yes, but unlike the era before Lets Encrypt, they are a minority. Most of the important webpages are encrypted.

"Someone could MITM their connection and present a fake certificate!" - And have a huge, red warning about the connection being dangerous. If at that point, the user ignores it, I say its their fault.

Seriously... I don't know if Nord gives their partners a script or not... But... I am getting super sick of them. And is the main reason why I made my own VPN at home...

I think I finally found a reason to have a phone with 8GB of RAM.
So that when TWRP craps out on data decryption and decides not even to ask for a password, at least I can push a whole fucking ROM into RAM to unfuck the phone. Because why not?! Why on Earth would software work properly when you can just throw more hardware at it?

Long live FBE, TWRP what craps out on it, and you remember those things.. SD cards for data storage? I could've used an unencrypted SD card so fucking badly right now, you know... Long live soldered in storage that's encrypted, "for security". Except for when the person who owns said data actually wants to use the bloody data.

FUCK!

Clients r wankers. He wants to be able to send login details incl passwords in email to his clients when he adds them in the cms. The passwords are encrypted and generated on creation of a new user. Ive told him that sending credentials in email is shit and not secure. The stubborn bastard wont budge, so instead i've put explicit instructions to reset password once logged in with the credentials they send. Any other suggestions?

Storing DB credentials in a repo that were encrypted using functions... that are in the same repo (both encrypt and decrypt!)...

So after 6 months of asking for production API token we've finally received it. It got physically delivered by a courier, passed as a text file on a CD. We didn't have a CD drive. Now we do. Because security. Only it turned out to be encrypted with our old public key so they had to redo the whole process. With our current public key. That they couldn't just download, because security, and demanded it to be passed in the fucking same way first. Luckily our hardware guy anticipated this and the CD drives he got can burn as well. So another two weeks passed and finally we got a visit from the courier again. But wait! The file was signed by two people and the signatures weren't trusted, both fingerprints I had to verify by phone, because security, and one of them was on vacation... until today when they finally called back and I could overwrite that fucking token and push to staging environment before the final push to prod.

Only for some reason I couldn't commit. Because the production token was exactly the same as the fucking test token so there was *nothing to commit!*

BECAUSE FUCKING SECURITY!

Once we got an urgent requirement to add double hashing the password in a web application. It had to go to the production ASAP. The developer which was working on it, added 2 alerts in Javascript to display entered password and encrypted password. Finally change was ready to deploy but in hurry she forgot to remove the alerts. In rush and excitement, that change was shipped to the production. The alert says 'your password is 123', 'your password is xyz'.

After some time got phone calls from users and manager. Manager said, 'how the hell our application got HACKED? If anything happens to..........'. To cut it short, he was furious. We knew exact reason and solution. Didn't take couple of minutes to resolve this issue.

But it was funny mistake and that released that days pressure off.

So a few weeks ago I wiped my MacBook Pro to regain some space and speed, it wasn't really that slow I just had the disk partitioned into two installments of MacOS. When I erased the disk I thought the secure thing to do would be to set the format to journaled, encrypted rather than just journaled. Everything was working fine, there seemed to be this weird step of login when I restarted but whatever, except iCloud Drive. On my iMac it works fine but for whatever reason my MacBook Pro doesn't want to download custom folders (ones that aren't created by an app and don't have an app icon on folder icon) from my account despite them being clearly available in iCloud.com. So after this much time of messing with it I'm wiping my MacBook Pro again and formatting it as journaled (not encrypted). Wish me luck...

FUCK!
After submitting a registration form I noticed the site is served over plain HTTP. Their marketing site is served encrypted, but login and register are not! What the fuck!!!

Fuck everyone who does this stupid fucking shit with disregard to basic security features! Their goddamn bullshit privacy policy is bragging about how it's top priority to protect their customers' information and shit like that. Get the fuck out, cunts!!

I contacted them so I might have a continuation to this rant if I'm not satisfied with their answers.

Goddamn it!

Computer engineering : Insanity!!!

Today a friend of mine was assigned to make a Client-Server Encryption using Sockets. The guy did a great job applying BlowFish algorithm, but the teacher was disappointed because she couldnt map letters to the encrypted text and she declared the program to be wrong!!!

Anything I (am able to) build myself.
Also, things that are reasonably standardized. So you probably won't see me using a commercial NAS (needing a web browser to navigate and up-/download my files, say what?) nor would I use something like Mega, despite being encrypted. I don't like lock-in into certain clients to speak some proprietary "secure protocol". Same reason why I don't use ProtonMail or that other one.. Tutanota. As a service, use the standards that already exist, implement those well and then come offer it to me.

But yeah. Self-hosted DNS, email (modified iRedMail), Samba file server, a blog where I have unlimited editing capabilities (God I miss that feature here on devRant), ... Don't trust the machines nor the services you don't truly own, or at least make an informed decision about them. That is not to say that any compute task should be kept local such as search engines or AI or whatever that's best suited for centralized use.. but ideally, I do most of my computing locally, in a standardized way, and in a way that I completely control. Most commercial cloud services unfortunately do not offer that.

Edit: Except mail servers. Fuck mail servers. Nastiest things I've ever built, to the point where I'd argue that it was wrong to ever make email in the first place. Such a broken clusterfuck of protocols, add-ons (SPF, DKIM, DMARC etc), reputation to maintain... Fuck mail servers. Bloody soulsuckers those are. If you don't do system administration for a living, by all means do use the likes of ProtonMail and Tutanota, their security features are nonstandard but at least they (claim to) actually respect your privacy.

My friend: I built a 3D printer and coded it to self calibrate at startup and connect to my encrypted remote server through VPN to securely retrieve Cad files I constructed and start itself printing when everything is ready or alert if theres an issue

Me: aren't you less than a year older than me?

This was when we were underclassmen in college a few years ago 😂 turns out the dudes just a savant

After several long nights of learning to resize encrypted lvm partitions, fixing grub, finding screws, and waiting....

I finally managed to move my system files from the old drive to the new SSD.

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH

Fuck graphical installers and their bullshit, installed a perfectly working luks encrypted arch install on my usb stick and got most things setup too already.

Next I need to makepkgchroot yay into it - for now I've had to use yaourt, also can't boot off of it, because I didn't yet figure out how to do the grub uefi shit inside of it - which isn't really necesssary as I plan to use it just as a chroot slave anyway, but useful for when I would have to rescue my laptop or something.

Boss activates encryption on dashboard
we installed the software
2 machines get locked out coz drive got encrypted with bitlocker
No one received the 48 bit key from bitlocker
I loose all my work coz the only way to use my laptop was to format the drive
Me as the technical guy and knowing how encryption works i just formatted the drive

Boss blames me for the cluster fuck

A puzzle, just for fun.

Two friends, (a)lice and (b)ob are communicating through a channel encrypted with random numbers XOR'd together, like so:

keyA = randint(1024, 1024**2)
keyB = randint(1024, 1024**2)

msg = randint(1024, 1024**2)

You, an interloper, have watched all these communications, siphoning the packets as they went.

When alice sends a message to bob's mailbox, she does it like so:

mailBoxB = keyA^msg

Bob's mailbox receives the mail automatically, and applies his own key, sending it back to alice's mailbox:

mailBoxA = keyB^mailBoxB

Next, Alice's mailbox notices the message, and automatically removes her key and sends it back to bob's mailbox. All of this, the first message, the second, and the third, happens in milliseconds, the back and forth.

mailBoxB2 = mailBoxA^keyA

Finally, bob's mailbox removes his key, and deposits the now unencrypted message in his box, for him to read in the morning:

mailBoxBFinal = mailBoxB2^keyB

As as a spy, you know the first packet sent to bob, had a value of 589505.

The packet bob sent back to alice, after applying his key, has a value of 326166

The message sent *back* to bob after alice removed *her* key, had a value of:
576941

What are the values of keyA, keyB, and what is the value of the msg?

I fucking hate the Internet

day before Yesterday, I was searching for a software on internet(which is not free) I found a site (unofficial) giving me both free full & trial version. so I thought, why not get the full version. I downloaded it, installed it. awesome.

everything was going great until I found out that all of my files in a folder were encrypted by some WankDecrypt. I was lucky the files in that folder were useless. but next day some mysterious links started to pop up into my browser. and today some fucking wank decentralized shit started eating up my ram. FML

Somebody fucking stuck his shit with cracked version of software. so beware devs.

!(!(!(!(!(!(!(!rant)))))))
My new HTC smartphone hates me.
First it started to shut down all of the sudden yesterday night, when I was solving quadratic equations on my laptop.
I thought that it might be due to low battery. So I have restarted it. After putting itself into a bootloop for 4 start sequences, it was able to fully start to the page where it told me to enter the security pin to decrypt my files. I also had 30 attempts left. Like a ransomware.

I was like "tf I didn't set anything up".
So I decided to use my first attempt as I had 30 attempts left.
I entered the pin (I can swear that it's correct) and it told me that it has to wipe the /data partition.

I did that. I pressed that button. After waiting for 30 minutes I gave up and rebooted into the bootloader.
Bootloader -> Download Mode -> wipe /data (stock rom + stock recovery btw.)

Some error with "e: mount /cache failed[...]e: mount /data failed"
So, I tried using the adb sideload - no success.
Fastbooted into RUU Mode - HTC keeps rebooting itself into the RUU Mode - no success

Tried to flash the firmware and twrp recovery from Download mode - no success
Then I tried to flash all these things from the sd card - no success

Searched for revolutionary (I know this from my old HTC sensation device).
It wasn't big of any help.

Then someone on xda recommended htcDev (htc's <b>developer-friendly</b> lol site)
I followed every step. Everything seemed to be okay.
I got to the last step.
I needed to get my encrypted token by entering "fastboot oem get_identifier_token" to be able to submit it to HTC, and after they would send me an e-Mail with an .bin file that would let me unlock the bootloader to be able to flash my way through all this headache giving fucking piece of dog shit!

But since I can't back to the phone settings to select the bootloader activation box that would let me get my token... but nah.

FML

------------
Sent by using the devRant web app (:\)

In my ongoing quest to un-Google my life, I turned off the Whatsapp chat back up, which uses Google Drive. There's a message in that setting which says, "Media and messages you back up are not protected by Whatsapp end-to-end encryption while in Google drive".
Damn.
All my Whatsapp chats for years have been on Google servers in plaintext.
I assumed it uploaded one massive encrypted archive.

Watched an action hack movie
Then designed a scenario to sniff around a bank and get the encrypted key and finally extract the key and omg!
I've broke into the bank !!!
But seriously, is it worth trying?
I'm not going to do any thing stupid like even taking a dollar , but is it just the way I thought it is?
Will anything unexpected happen?

Some kid keeps asking me how to session hijack. I keep telling him there's no point if:
A. You're not on the same network as him / her (I'm sure there are exceptions to this but normally you'd have to be on the same network)
B. The connection is encrypted
He doesn't understand either of those things. Not to mention it's illegal unless you're given consent.

I want to switch to an encrypted email service. My question, what if the service provider suddenly decides to close down the email service.

I feel like it's too risky to move all my emails to them.

Whelp. I started making a very simple website with a single-page design, which I intended to use for managing my own personal knowledge on a particular subject matter, with some basic categorization features and a simple rich text editor for entering data. Partly as an exercise in web development, and partly due to not being happy with existing options out there. All was going well...

...and then feature creep happened. Now I have implemented support for multiple users with different access levels; user profiles; encrypted login system (and encrypted cookies that contain no sensitive data lol) and session handling according to (perceived) best practices; secure password recovery; user-management interface for admins; public, private and group-based sections with multiple categories and posts in each category that can be sorted by sort order value or drag and drop; custom user-created groups where they can give other users access to their sections; notifications; context menus for everything; post & user flagging system, moderation queue and support system; post revisions with comparison between different revisions; support for mobile devices and touch/swipe gestures to open/close menus or navigate between posts; easily extendible css themes with two different dark themes and one ugly as heck light theme; lazy loading of images in posts that won't load until you actually open them; auto-saving of posts in case of browser crash or accidental navigation away from page; plus various other small stuff like syntax highlighting for code, internal post linking, favouriting of posts, free-text filter, no-javascript mode, invitation system, secure (yeah right) image uploading, post-locking...

On my TODO-list: Comment and/or upvote system, spoiler tag, GDPR compliance (if I ever launch it haha), data-limits, a simple user action log for admins/moderators, overall improved security measures, refactor various controllers, clean up the code...

It STILL uses a single-page design, and the amount of feature requests (and bugs) added to my Trello board increases exponentially with every passing week. No other living person has seen the website yet, and at the pace I'm going, humanity will have gone through at least one major extinction event before I consider it "done" enough to show anyone.

help

There seems to be a lot of people protesting and coming together in support of net neutrality.

The rant here, where the fuck were all of you during the election? That was the time to come together and do something, now your efforts are futile.

What's worse, I'll wager net neutrality gets overturned and next election the same batch of assholes get voted in.

What can you actually do to solve the problem? Peer to peer internet similar to tor but fast enough to support considerable traffic. Platform needs to be like tor with encrypted decentralized DNS.

Start an ISP. This would also help.

Get cracking, smart people.

Brilliant Stakeholder: of course communication with our backend will be encrypted with an algorithm I'll confidentially share with you once the contract is signed
Senior Developer: npm install md5

Just found out that a big hosting provider saves a user's SQL and FTP password in a plain text file just at the parent folder of the normally accessible ftproot.
Using some linux commands you can
cat ../mysql_pw
cat ../ftp_password.txt
IT'S NOT EVEN ENCRYPTED OR HASHED
(This is tested on a minecraft server, would also work on other services)

I've finally found a goldmine of accurate job listings that don't include Windows shit-administration... So I'm thinking of sending out applications to all of them. Problem is, as you might recall from my previous rants, I had a flash drive with my GPG keypair on it stolen from me. I still haven't fully replaced the key (I made another one and published it but I'm not using it yet), and because I'm fairly confident that this flash drive's data has never been used (so likely just plugged into Windows and formatted), it's unlikely that I'm gonna bother rotating all of the contents that were on that flash drive.

That said however, my emails now all have signatures underneath them as follows:
Met vriendelijke groet / Best regards,
[my name]

- My outbound email is usually signed with my private key. If not, please don't hesitate to ask me about it through a different communication platform.

IMPORTANT: My keys have possibly been compromised. An encrypted flash drive on which this GPG keypair was stored has been stolen from me. I'm in the process of phasing out and replacing this key. Please do not use it to encrypt any emails to me anymore.

Not entirely sure whether I should remove or keep that last bit. As a potential employer, would you see this as a red flag (he's got encrypted data stolen from him, wtf that's incompetent), or as a nice thing to know that it was properly disclosed (so no secrecy around potential data breaches)? Both seem equally likely so I'm a bit confused about what I should do.

When you do a login encryption using AES, rot13, Base64, rot13...
AES Password is also encrypted using rot13, Base64, rot13.

AND SOMEHOW IT DOESNT WORK FOR EVERYONE.

I cry

Created Linux instalation flashdrive on my notebook like thousand times before. Simple dd if=img of=/dev/sdb . Tried installing system from it but somehow doesn't work. And the it hit me. I have both magmetic drive and SSD in my laptop! So insted of flashdrive, I have bootable beging of my SSD where my encrypted lvm used to be :-( Luckilly I lost just EFI, boot, swap, rootfs, few git repositories and ccache.

So client wants an android app that implements some legacy Epson printer SDK, works on a chinese Windows device with an android Emulator on it, connects to local Webservice that had to be configurated and ran (local Network) , sends and tracks data, if Server down then handle it on the Client and reconnect as soon as Server up, running own TCP Server on Android device that listens for specific http requests, which make the android connect to an Epson printer to start printing. The stuff that is being printed? A png file that has to be converted to a Bitmap, a QR Code that has to be generated by the bugged base64 encrypted stuff coming via http in (webserver-> Android TCP server)
Dont forget the Software Design (MVP), documentation, research etc.. Im about to finish the app , its my 5th day on this Project, the 6th day was planned to be full testing. Client Calls me and ask me how far I am, I reply, he says ok. 30 minutes later he tells me he wont pay me next time that much because this work should take 3 days, or even 2. "A senior Android developer could do this in 2 days"... When i sent him my notices he called me a liar, his webdev has alot of experience and told him it should take 2-3 days...ffs

Fucking shit for brains authors that think the digital world is a fantasy realm where everything can happen just to aid their story. Out of boredom i watched "scorpion" today, a tv series about a group of geniusses which are a special case task force.
They got a visitor from the government saying the servers from the federal reserve bank were encrypted with ransomware. I already twitched when they said the economic system would collapse if the servers were left inoperational for a few days. Then one guy got to his desk and "hacked" the fed network to check... he then tried to remove the malware but "it changed itself when observed". But they got the magical fingerprint of the device that uploaded it. In the end some non-programmers created the malware, but it is super fast and dangerous because it runs on a quantum computer which makes it hyper fast and dangerous. They got to the quantum computer which was a glowing cube inside another cube with lasers going into it and they had to use mirrors to divert the lasers to slow down that quantum thingy. And be careful with that, otherwise it explodes. In the end the anti-malware battled the malware and won, all in a matter of minutes.

This is a multimillion hollywood production. How can a movie this abusive to computer science even air on television? Shit like this is the reason people still think the cyberworld is some instable thing that can explode any second. It's not, it's an instable thing that can break down any second. I remember "ghost in the wires" and people had surreal imaginations about the internet already. Shit like this is why people stay dumb and think everything can be done in seconds. If i ever should encounter one of these idiots i tell him i have an app that can publish his browser history by taking a picture of his phone and watch his reaction.
Time to shuw down the tv and learn vim again.

Tech idea:

Scrambled/encrypted computer display, viewable through lenses that decrypt/unscramble it for one user only. Useful for public places, where someone might be trying to watch your screen.

Portable from machine to machine through the use of RFID, biometrics, or just a password.

TLDR; Default admin login on WEP encrypted WLAN router for getting free stuff at my hair stylist studio.

Free WLAN in my hair stylist studio: They had their WEP key laying around in the waiting area. Well, I am not very happy with WEP, thought that they never heard of security. Found the default GW address, typed it into my browser and pressed Enter, logged in with admin/1234 and voila, I was root on their ADSL router 😌 Even more annoyed now from such stupidity I decided to tell the manager. All I told him was: You use a default login on your router, you give the WiFi password for free, WEP is very very insecure and can be hacked in seconds, and do you know what criminals will do with your internet access? He really was shocked about that last question, blank horror, got very pale in just one sec. I felt a little bit sorry for my harsh statement, but I think he got the point 😉 Next problem was: he had no clue how to do a proper configuration (he even didn't knew the used ISP username or such things). Telled me that 'his brother' has installed it, and that he will call him as soon as possible. Told him about everything he should reconfigure now, and saw him writing down the stuff on a little post-it.

Well, he then asked me what he can pay me? Told him that I don't want anything, because I would be happy when he changes the security settings and that is pay enough. He still insisted for giving me something, so I agreed on one of a very good and expensive hairwax. Didn't used it once 😁

Some weeks later when I was coming back for another hair cut: Free WLAN, logged in with admin/1234, got access and repeated all I did the last time once more 😎

HOW CAN YOU NOT LEARN FROM FAILS??

Because I am very interested in cyber security and plan on doing my masters in it security I always try to stay up to date with the latest news and tools. However sometimes its a good idea to ask similar-minded people on how they approach these things, - and maybe I can learn a couple of things. So maybe people like @linuxxx have some advice :D Let's discuss :D

1) What's your goto OS? I currently use Antergos x64 and a Win10 Dualboot. Most likely you guys will recommend Linux, but if so what ditro, and why? I know that people like Snowden use QubesOS. What makes it much better then other distro? Would you use it for everyday tasks or is it overkill? What about Kali or Parrot-OS?

2) Your go-to privacy/security tools? Personally, I am always conencted to a VPN with openvpn (Killswitch on). In my browser (Firefox) I use UBlock and HttpsEverywhere. Used NoScript for a while but had more trouble then actual use with it (blocked too much). Search engine is DDG. All of my data is stored in VeraCrypt containers, so even if the system is compromised nobody is able to access any private data. Passwords are stored in KeePass. What other tools would you recommend?

3) What websites are you browsing for competent news reports in the it security scene? What websites can you recommend to find academic writeups/white papers about certain topics?

4) Google. Yeah a hate-love relationship, but its hard to completely avoid it. I do actually have a Google-Home device (dont kill me), which I use for calender entries, timers, alarms, reminders, and weather updates as well as IOT stuff such as turning my LED lights on and off. I wouldn"t mind switching to an open source solution which is equally good, however so far I couldnt find anything that would a good option. Suggestions?

5) What actions do you take to secure your phone and prevent things such as being tracked/spyed? Personally so far I havent really done much except for installing AdAway on my rooted device aswell as the same Firefox plugins I use on my desktop PC.

6) Are there ways to create mirror images of my entire linux system? Every now and then stuff breaks, that is tedious to fix and reinstalling the system takes a couple of hours. I remember from Windows that software such as Acronis or Paragon can create a full image of your system that you can backup and restore at any point to get a stable, healthy system back (without the need to install everything by hand).

7) Would you encrypt the boot partition of your system, even tho all data is already stored in encrypted containers?

8) Any other advice you can give :P ?

I really love Linux, but i GODDAMN HATE, how nearly no Distro supports installing it on a Custom LVM.
I mean, i just want to have a custom LVM, inside of an encrypted Partition in other Distros than Ubuntu, Debian or Opensuse.

In the time I was attempting to learn C++ I was attempting to program an application that encrypted a file. Sounds cool but at the time I had no idea on how encryption worked and it didn’t go well. And didn’t work

Fucking cocksucker, I shut my macbook down at home, go to college and BAM the FUCKING THING WONT START ANYMORE
LIKE WTF IT HAS BEEN 15 MINUTES BETWEEN WORKING FINE AND NOT WORKING AT ALL FUCKING PIECE OF UTTER SHIT

Now I probably have to reinstall and all that fucking hell,

(ps its en encrypted drive installation so I can log in see the progress bar and then it shuts down)

Rant on me myself.

After being a professional coder (ie having a bachelor degree) for 11 years now, I finally have a decent and reasonable backup.

I use borg to backup to my raid 1, which is local, in my corridor near the ceiling. I use a Intel NUC with two external USB3 HDDs attatched. As I already had data on them, I went for a btrfs raid 1.

The second level of my backup solution is my brother. It's 50km to his flat. He's got a banana pi with my third HDD attached. I connect to his pi via VPN. The VPN is done via an AVM Fritz! Box. No ads, I just like those boxes (modem and router).
The backup is encrypted, of course.

Now, after ten years, I finally got a decent backup solution. Wow. This feels great! 😎

Mozilla really knows how to nudge one to not use email encryption by default.
Since Thunderbird has native support for OpenPGP encryption, i can only chose to encrypt all or no messages by default. There is no opportunistic mode and there are no per-reciepient encryption preferences. The Enigmail addon had both.
So i obviously have gone for encrypt-by-default.

But since then, whenever i want to send a message to the majority of my contacts, i have to manually disable the encryption or get annoyed by the no-key-found dialog.
I thought, i would get the muscle memory to just disable encryption for recipients for wich i don't expect to have a key.
But they also made the GUI so i have to open a dropdown and then click on the right item to do that. All the items basically look the same, as there is no color coding or specific icon for them. The item labels are also too long for unconscious pattern recognition.
So i didn't got that muscle memory.

I now have turned off encryption by default and will probably forget to enable it for some emails wich i actually could send encrypted...

I love working on legacy products. You just need a good shower and possibly a therapist after.

- Sensitive data sent over the internet encrypted with DES (not even 3DES). Guess it doesn't matter that the key (singular, for the last decade) is basically 0123456789ABCDEF.

- Client databases with open default port, admin/admin superuser.

- Critical applications (potential for substantial property damage, maybe loss of life) with a single point of failure and without backup.

Suggestions, to slow down a bit with sales, so we have time to rewrite this steaming pile of crap are met with the excuse: be more pragmatist, this is standard industry practice.

Some of this shit can be fixed on my own time if my conscience nags too much, but others would require significant investment of time from multiple developers, which would slow down new business.

Guess the pay is ok, so that's something...

Got one right now, no idea if it’s the “most” unrealistic, because I’ve been doing this for a while now.

Until recently, I was rewriting a very old, very brittle legacy codebase - we’re talking garbage code from two generations of complete dumbfucks, and hands down the most awful codebase I’ve ever seen. The code itself is quite difficult to describe without seeing it for yourself, but it was written over a period of about a decade by a certifiably insane person, and then maintained and arguably made much worse by a try-hard moron whose only success was making things exponentially harder for his successor to comprehend and maintain. No documentation whatsoever either. One small example of just how fucking stupid these guys were - every function is wrapped in a try catch with an empty catch, variables are declared and redeclared ten times, but never used. Hard coded credentials, hard coded widths and sizes, weird shit like the entire application 500ing if you move a button to another part of the page, or change its width by a pixel, unsanitized inputs, you name it, if it’s a textbook fuck up, it’s in there, and then some.

Because the code is so damn old as well (MySQL 8.0, C#4, and ASP.NET 3), and utterly eschews the vaguest tenets of structured, organized programming - I decided after a month of a disproportionate effort:success ratio, to just extract the SQL queries, sanitize them, and create a new back end and front end that would jointly get things where they need to be, and most importantly, make the application secure, stable, and maintainable. I’m the only developer, but one of the senior employees wrote most of the SQL queries, so I asked for his help in extracting them, to save time. He basically refused, and then told me to make my peace with God if I missed that deadline. Very helpful.

I was making really good time on it too, nearly complete after 60 days of working on it, along with supporting and maintaining the dumpster fire that is the legacy application. Suddenly my phone rings, and I’m told that management wants me to implement a payment processing feature on the site, and because I’ve been so effective at fixing problems thus far, they want to see it inside of a week. I am surprised, because I’ve been regularly communicating my progress and immediate focus to management, so I explain that I might be able to ship the feature by end of Q1, because rather than shoehorn the processor onto the decrepit piece of shit legacy app, it would be far better to just include it in the replacement. I add that PCI compliance is another matter that we must account for, and so there’s not a great chance of shipping this in a week. They tell me that I have a month to do it…and then the Marketing person asks to see my progress and ends up bitching about everything, despite the front end being a pixel perfect reproduction. Despite my making everything mobile responsive, iframe free, secure and encrypted, fast, and void of unpredictable behaviors. I tell her that this is what I was asked to do, and that there should have been no surprises at all, especially since I’ve been sending out weekly updates via email. I guess it needed more suck? But either way, fuck me and my two months of hard work. I mean really, no ego, I made a true enterprise grade app for them.

Short version, I stopped working on the rebuild, and I’m nearly done writing the payment processor as a microservice that I’ll just embed as an iframe, since the legacy build is full of those anyway, and I’m being asked to make bricks without straw. I’m probably glossing over a lot of finer points here too, just because it’s been such an epic of disappointment. The deadline is coming up, and I’m definitely going to make it, now that I have accordingly reduced the scope of work, but this whole thing has just totally pissed me off, and left a bad taste about the organization.

Since, I am already using Mullvad's vpn service, I also stumbled on https proxies.
Is it still safe to enter my devRant login data, when I would use a https proxy in FF's settings?
The Proxy is a free elite https proxy.
And devRant also uses SSL.
The traceroute would seem like this I guess.:
VPN(*le me sendin my password -> SSL Proxy -> SSL DevRant)
--------------------
Following that path, I would assume that it would be like this in detail:
HTTPS Request
-PW gets encrypted by VPN service
-" " " again " HTTPS Proxy
-" " " again " devRant itself

Novice computer enthusiasts argue that an application is safe because it's end-to-end encrypted.. but they don't realize this doesn't guarantee safety because of MITM attacks on possibly exploitable midpoints.

A good example of this is mail servers using TLS 1.2 but one or two of them not verifying certificate autorities.

Kind of dev related, during a Firefly one-shot roleplay:

GM: So you have a data chip in your pocket. Do you want to see what's on it?

Me (hesitant): ...Kinda. *wait* Okay, I put the chip into one of my computers.

GM: The data chip shows random gibberish--it's encrypted. Your engineer may know how to decrypt it.

Me: Okay. Hey, Engineer! *holds imaginary data chip out to her* Decrypt this!

Engineer: No. *pause*, *sighs* Fine. But we need to be careful.

GM: Yes, now time for technobabble...

Me: So once we decrypt this, it's probably going to look for the MAC address, so we need an air-gapped machine--a machine that's never been online before--and a TAILS LiveUSB. We'll decrypt the data chip and then destroy the computer.

GM: ...Technobabble.

Fighter: ....I actually understood that and it actually makes sense. Good job. *fist bump*

ok guys, im having a little trouble diving into this, anyone wanna help?

ive got a server set up, and a client app. the client has a the server's public key built in, and encrypts the aes key/iv and sends it to the server, simple enough.

but now, after the first socket connection is over, what do i do? ive got both sides with the same aes key, but the server has multiple keys for other clients. so when the first client connects again, how do i know which key to use?

ive tried implementing a session class where there's a session id, but it doesnt work because the id must be encrypted, too. can someone help a fellow ranted out?

A hidden page that you enter a user name and it displays the encrypted and unencrypted versions of their password... It was quickly deleted after I stumbled across it. I assume it was to test a homemade encryption algorithm that wasn't worth much anyway, passwords shouldn't be reversible

it would help if i had time to learn even a little more C, as I'm bumbling my way through the Linux kernel and GodMode9 (an amazingly powerful 3DS manip tool for everything from the SD card to the NAND to literally raw FIRM0/FIRM1 bootloader access) to try amd patch some code from GM9 into the kernel to handle the SD card *properly* so Linux 3DS doesn't constantly hang when reading/writing to the SD card, to enable Wi-Fi access (same bus location and similar bus structure as SD/NAND access, different processor,) enable NAND decryption and access (yes, really, NAND is encrypted via software, which is... ...fun...) and more.

tl;dr: the 3DS hardware, C, and others' code collectively make me wanna slit my fucking wrists. Hopefully my sacrifice allows higher-level programming languages to be visble for low-level jobs in the future.

The coolest project I ever worked on wasn't programming per second, though it involved a bit of scripting. The company I worked for had an FTP over TLS backup solution and it was put together with glue and paperclips by a guy that hadn't the slightest idea what he was doing. In order to conform with the insurance, data had to be encrypted. I setup a raid-ed server with full disk encryption on the raid volume that fetched the key over the network at boot from another secure server. I wrote a series of scripts for provisioning users and so on. The backup connections was sftp using a ssh tunnel, the users were chrooted to their own home directories, and were unable to open shells. The system was 100x more robust and secure than the original. I set it up on short notice and received absolutely no recognition for saving the company's ass, but it was definitely a fun project.

Will a brand new MacBook Pro make your day the worst?

Yes! It will if you are an iOS developer who fucks with xCode everyday.

Let me tell you the story of my day with the brand new MacBook Pro.

I wanted to build my application for iOS 13. For that I should have the latest xCode latest version. For the latest xCode version to work I should have the latest OS.

It took a long fucking time for downloading the latest OS dmg file. And for the fuck sake I was not able to install the same as the file vault was being encrypted.

That fucking encryption thing took half a day. And then I installed the OS. Then, I waited for a long time while the pile of shit(xCode) was downloading.

Then I installed xCode too. And now you know what the day ends and it's time to fucking sleep.

At the time, I'm working on a simple RAT, for leaning purpose, written I'm Go.
Now simple command-execution work's and I want to implement an encrypted connection between the client and the C&C-Server.
I know Go has some kind of TLS in its standard library, but is it really usable, or would it be easier to just implement my own simple encryption-module with some RSA and AES?

I dug up my old ledger web app that I wrote when I was in my late twenties, as I realized with a tight budget toward the end of this year, I need to get a good view of future balances. The data was encrypted in gpg text files, but the site itself was unencrypted, with simple httpasswd auth. I dove into the code this week, and fixed a lot of crap that was all terrible practice, but all I knew when I wrote it in the mid-2000s. I grabbed a letsencrypt cert, and implemented cookies and session handling. I moved from the code opening and parsing a large gpg file to storing and retrieving all the data in a Redis backend, for a massive performance gain. Finally, I switched the UI from white to dark. It looks and works great, and most importantly, I have that future view that I needed.

When to log into an encrypted vm that I set up for finances, and realized I had forgotten my password, to decrypt it. Well after a few min I gave up and wrote a short program with all my sees, and rules for altering the seeds and combinations there of.

Got back a few thousand and plugged it into a macro script and went to do chores for my wife. Came back and was in.

To be honest I check on it somewhere in the middle and thought oh crap did I use my dogs name? I didn't but now I am switching to a password manager.

So today I set up an ubuntu server with LVM, encrypted root partition and decryption via usb key.

That shit is insane dude.

Having gone to a bank to reset a password again today (Yes, I forgot it for like... 3rd time, don't judge me, its my backup bank account I need to access like... once a year), I was once again made to think - I come in, give them my state ID by which they authorize that I can even make a password reset request.

Then they give me a tablet to... sign a contract addendum?

Its not the contract part that always makes me stop and think though - its the "sign" part.

I'd wager that I am not the only one who only ever uses a computer to write text these days. So... My handwriting got a lot jerkier, less dependable. Soooo... My signature can be wildly different each time.......

And if my signature varies a lot... then... what is the point of having it on a piece of paper?

I know its just a legal measure of some sort... And that, if it came down to someone impersonating me and I'd go to court with the bank, there would be specialists who can tell if a signature was forged or not... But...

Come on, the computer world has so much more reliable, uncrackable, unforgable solutions already... Why... Don't all folks of the modern world already have some sort of... state-assigned private/public keypairs that could be used to sign official documents instead?

It costs money, takes time to develop etc... But... Then, there would not only be no need to sign papers anymore... And it would be incredibly hard to forge.

The key could even be encrypted, so the person wishing to sign something would have to know a PIN code or a password or something...

tl;dr: I hate physical signatures as a method of authentication / authorization. I wish the modern world would use PKI cryptography instead...

anybody knows about ransomware the filesystem got encrypted and should I pay 200$ for unlocking?

The amount of energy spent to just write ‘Hi’ and click a send button is so big that we should consider banning of sending hi messages.

Instead of just saying “Hi!” we are now using analog to digital preprocessors that convert it to bunch of 0 and 1 to send it over communication layer and deliver it to other human being that will convert it from digital to analog by reading it but that is simple.

By sending message using phone we also:
- save it to local phone
- convert it to couple protocols
- transmit it over air so make connection to internet provider services that would generate logs on this provider as well as whole routing table before it gets to the target person
- save it on messaging provider disk
- probably be processed by filters by provider, sometimes be reviewed or listened by third parties and also processed in bulk by artificial intelligence algorithms
- finally delivered to target phone and saved there where that person would just change this text to their inner voice and save it
- sometimes encrypted and decrypted
- sometimes saved on provider
- sometimes saved on phone manufacturer cloud backup
- don’t get me started on people involved to keep this infrastructure in place for you just to say hi

There are also some indirect infinite possibilities of actions for example:
- emit sound and light that can lead to walking from one room to other
- the floor in your house is destroyed cause of it so you need to renovate your floor
- sound can expose your position and kill you if you’re hiding from attacker
- sound can wake you up so you wake up in different hours
- it can stop you from having sex or even lead to divorce as a result simple hi can destroy your life
- can get you fired
- can prevent from suicide and as a result you can make technology to destroy humans

and I can write about sound and light all day but that’s not the point, the point is that every invention makes life more complicated, maybe it saves time but does it really matter ?

I can say that every invention we made didn’t make world simpler. The world is growing with complexity instead.

It’s just because most of those inventions lead to computer that didn’t make our world simpler but made it more complicated.

Question time:
What's the general opinion around here on Authy for 2FA?

I've been down the road of phone wipes and phone swaps before that blow out the Google Auth codes which is nothing but a royal pain in the ass to get access back to all the accounts setup.

Authy having encrypted backups gives me some level of belief they can do what I want them to do, but I figured I would ask around before transferring over since... well that's a pain in the ass too 😂

It was the last year of high school.

We had to submit our final CS homework, so it gets reviewed by someone from the ministry of education and grade it. (think of it as GPA or whatever that is in your country).

Now being me, I really didn’t do much during the whole year, All I did was learning more about C#, more about SQL, and learn from the OGs like thenewboston, derek banas, and of course kudvenkat. (Plus more)

The homework was a C# webform website of whatever theme you like (mostly a web store) that uses MS Access as DB and a C# web service in SOAP. (Don’t ask.)

Part 1/2:

Months have passed, and only had 2 days left to deadline, with nothing on my hand but website sketches, sample projects for ideas, and table schematics.

I went ahead and started to work on it, for 48 hours STRAIGHT.

No breaks, barely ate, family visited and I barely noticed, I was just disconnected from reality.

48 hours passed and finished the project, I was quite satisfied with my it, I followed the right standards from encrypting passwords to verifying emails to implementing SQL queries without the risk of SQL injection, while everyone else followed foot as the teacher taught with plain text passwords and… do I need to continue? You know what I mean here.

Anyway, I went ahead and was like, Ok, lets do one last test run, And proceeded into deleting an Item from my webstore (it was something similar to shopify).

I refreshed. Nothing. Blank page. Just nothing. Nothing is working, at all.

Went ahead to debug almost everywhere, nothing, I’ve gone mad, like REALLY mad and almost lose it, then an hour later of failed debugging attempts I decided to rewrite the whole project from scratch from rebuilding the db, to rewriting the client/backend code and ui, and whatever works just go with it.

Then I noticed a loop block that was going infinite.

NEVER WAIT FOR A DATABASE TO HAVE MINIMUM NUMBER OF ROWS, ALWAYS ASSUME THAT IT HAS NO VALUES. (and if your CPU is 100%, its an infinite loop, a hard lesson learned)

The issue was that I requested 4 or more items from a table, and if it was less it would just loop.

So I went ahead, fixed that and went to sleep.

Part 2/2:

The day has come, the guy from the ministry came in and started reviewing each one of the students homeworks, and of course, some of the projects crashed last minute and straight up stopped working, it's like watching people burning alive.

My turn was up, he came and sat next to me and was like:

Him: Alright make me an account with an email of asd@123.com with a password 123456

Me: … that won't work, got a real email?

Him: What do you mean?

Me: I implemented an email verification system.

Him: … ok … just show me the website.

Me: Alright as you can see here first of all I used mailgun service on a .tk domain in order to send verification emails you know like every single website does, encrypted passwords etc… As you can see this website allows you to sign up as a customer or as a merc…

Him: Good job.

He stood up and moved on.

YOU MOTHERFUCKER.

I WENT THROUGH HELL IN THE PAST 48 HOURS.

AND YOU JUST SAT THERE FOR A MINUTE AND GAVE UP ON REVIEWING MY ENTIRE MASTERPIECE? GO SWIM IN A POOL FULL OF BURNING OIL YOU COUNTLESS PIECE OF SHIT

I got 100/100 in the end, and I kinda feel like shit for going thought all that trouble for just one minute of project review, but hey at least it helped me practice common standards.

Just received this really weird email. Probably spam, but why even bother when there is no link or attachment? Maybe it is encrypted... 🤔 What do you think? Anyways, the server has SSH enabled anyone care to bruteforce? :^)

Why do some people feel the need to prove their stupidity and utter lack of skill in the face of the world?!?!
Yesterday I learned that a sister company is hiring an intern civil engineer to code some application plugins connected to our IS ?!?!? How the fuck do you think he can only understand what the fuck we do?

To put it in context, I'm kind of the CDO of a French medium group (a little cluster of companies), as the group is in the construction industry I'm the CTO for all Computer things. Inside the group, I'm the CTO of the digital factory. So the group IS is a microservice decentralized API REST-based architecture.

Next Monday we'll have a meeting, so I can explain to them why it's a FUCKING STUPID IDEA!!!! The only good thing is that any application programming done outside of the Digital Factory will be handled as an External Company Application, so it's not my problem to secure it, debug it, or simply make it work. And they already know that I'll enforce this ruling!!!

But WHY the fuck do they still think any mother fucker can professionally program!!!!!! Every time I have to deal with them It's horrendous!!!! I had to prove them why using a not encrypted external drive for a high security mission It's stupid!!!, and why having the same password for every account is FUCKING STUPID!!!

The most ridiculous part is they have a guy who really believe he has some IT skills!! Saying things like "SVN" it's a today tool (WTF), firewall are useless, etc....

WHY!!!! WHY!!!!

That feeling when you debug the Users table in sql, which has a Password field encrypted with hash, but most of the demo users use the same Adminadmin password, so you recognize the other users password because you rembered the hash

So I was hacked, this guys encrypted all my files and asked me to pay BTC to decrypt it. They even changed my wallpaper and gave me put instructions on all my folder directories on how to pay and recover my files

OK so encrypted my system drive during install. So far so cool. It also prompts me to enter the password before loading the OS. However if I misstype it it kicks me in grub rescue mode instead of asking me to reenter it. Wtf D: Can I change this?

Why can't the entire internet be a encrypted peer-peer network ?
Not a fan of centralised server system :(

A long time ago you sent me an email with the subject 'I love you', I then got so excited that I forwarded the letter to all my contacts, and they forwarded it too.. I can't describe the words for the feelings I had back then for you. I felt into love with you, really. But there were always troubling moments for me.

For example when 'Code Red' showed up and found your backdoor. Man I was pissed at that time. I didn't know what to do next. But things settled, and we found each other again.

And then that other time when this girl named 'Melissa' was sending me some passwords to pr0n sites, I couldn't resist. She was really awesome, but you know, deep in my heart that was not what I wanted. I somehow managed to go back to you and say sorry. We even moved together in our first flat, and later in our own house. That was a really good time, I love to think back at those moments.

Then my friend 'Sasser' came over to us one night, do you remember how he claimed that big shelf in our living room, and overflooded it with his own stuff, so that we haven't a clue we are reading yet offshelve? Wow that was a disturbing experience.

But a really hard time has come when our dog 'Zeus' got kicked by this ugly trojan horse. I really don't want go into details how the mess looked like after we discovered him on our floor. Still, I am very sorry for him that he didn't survived it :(

Some months later this guy named 'Conficker' showed up one day. I shitted my pants when I discovered that he guessed my password on my computer and got access to all my private stuff on it. He even tried to find some network shares of us with our photos on it. God, I was happy that he didn't got access to the pics we stored there. Never thought that our homemade photos are not secure there.

We lived our lives together, we were happy until that day when you started the war. 'Stuxnet..'! you cried directly in my face, 'you are gonna blow up our centrifuges of our life', and yeah she was right. I was in a real bad mood that days back then. I even not tried to hide my anger. But really, I don't know why all this could happen. All I know is, that it started with that cool USB stick I found on the stairs of our house. After that I don't remember anything, as it is just erased from my memory.

The years were passing. And I say the truth here, we were not able to manage the mess of our relationship. But I still loved you when you opened me that you will leave. My 'Heartbleed' started immediately, you stabbed it where it causes the most pain, where I thought that my keys to your heart are secured. But no, you stabbed even harder.

Because not long after that you even encrypted our private photos on our NAS, and now I am really finished, no memory which can be refreshed with a look at our pictures, and you even want my money. I really 'WannaCry' now...

I am trying to "invent" secure client-side authentication where all data are stored in browser encrypted and only accessible with the correct password. My question is, what is your opinion about my idea. If you think it is not secure or there is possible backdoor, let me know.

// INPUT:
- test string (hidden, random, random length)
- password
- password again
// THEN:
- hash test string with sha-512
- encrypt test string with password
- save hash of test string
// AUTH:
- decrypt test string
- hash decrypted string with sha-512
- compare hashes
- create password hash sha-512 (and delete password from memory, so you cannot get it somehow - possible hole here because hash is reversible with brute force)

// DATA PROCESSING
- encrypt/decrypt with password hash as secret (AES-256)

Thanks!

EDIT: Maybe some salt for test string would be nice

# NEED SUGGESTIONS

I am working on a secure end to end encrypted note taking web application. I am the sole developer and working on weekends and will make it open source.

The contents you save will be end to end encrypted, and server won't save the key, so even I can't read or NSA or CIA.

So I wanted to know if the idea is good? There are lot of traditional note sharing apps like Google Keep and Evernote. But they store your stuff in plaintext. So as a user will u switch to this secure solution?