Search - "cryptographic"
-
So today (or a day ago or whatever), Pavel Durov attacked Signal by saying that he wouldn't be surprised if a backdoor would be discovered in Signal because it's partially funded by the US government (or some part of the US govt).
Let's break down why this is utter bullshit.
First, he wouldn't be surprised if a backdoor would be discovered 'within 5 years from now'.
- Teeny tiny little detail: THE FUCKING APP IS OPEN SOURCE. So yeah sure, go look through the code! Good idea! You might actually learn something from it as your own crypto seems to be broken! (for the record, I never said anything about telegram not being open source as it is)
sources:
http://cryptofails.com/post/...
http://theregister.co.uk/2015/11/...
https://security.stackexchange.com/...
- The server side code is closed (of signal and telegram both). Well, if your app is open source, enrolled with one of the strongest cryptographic protocols in the world and has been audited, then even if the server gets compromised, the hackers are still nowhere.
- Metadata. Signal saves the following and ONLY the following: timestamp of registration, timestamp of the last connection with the server (both rounded to the day so not on the second), your phone number and your contact details (if you authorize it) (only phone numbers) in HASHED (BCrypt I thought?) format.
There have been multiple telegram metadata leaks and it's pretty known that it saves way more than necessary.
So, before you start judging an app which is open, uses one of the best crypto protocols in the world while you use your own homegrown horribly insecure protocol AND actually tries its best to save the least possible, maybe try to fix your own shit!
*gets ready for heavy criticism*19 -
Her: What are you doing over there?
Me: I'm working on cryptographic hash functions
Her: is that really homework?
Me: yes, come look with your two eyes.
Her: ...
Me: crazy stuff, no?
Her: I imagine computer science is really just a lot of boxes and arrows.
Me: *flashback to UML, ERD diagrams, and logic diagrams*
Me: you are not wrong.8 -
By learning the basis of things instead of just using them.
For example, I learn the cryptographic algorithms behind SSL instead of just using it.6 -
Following a conversation with a fellow devRanter this came to my mind; it happened a year or two ago I think.
Was searching for an online note taking app which also provided open source end to end encryption.
After searching for a while I found something that looked alright (do not remember the URL/site too badly). They used pretty good open source JS crypto libraries so it seemed very good!
Then I noticed that the site itself did NOT run SSL (putting the https:// in front of the site name resulted in site not found or something similar).
Went to the Q/A section because that's really weird.
Saw the answer to that question:
"Since the notes are end to end encrypted client side anyways, we don't see the point in adding SSL. It's secure enough this way".
😵
I emailed them right away explaining that any party in between their server(s) and the browser could do anything with the request (including the cryptographic JS code) so they should start going onto SSL very very fast.
Too bad I never received a reply.
People, if you ever work with client side crypto, ALWAYS use SSL. Also with valid certs!
The NSA for example has this thing known as the 'Quantum Insert' attack which they can deploy worldwide which basically is an attack where they detect requests being made to servers and reply quickly with their own version of that code which is very probably backdoored.
This attack cannot be performed if you use SSL! (of course only if they don't have your private keys but let's assume that for now)
Luckily Fox-IT (formerly Dutch cyber security company) wrote a Snort (Intrusion Detection System) module for detecting this attack.
Anyways, always use SSL if you do anything at all with crypto/sensitive data! Actually, always use it, but at the very LEAST really do it when you process the above-mentioned!31 -
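The symptom that detection of the attack described above keys on is a duplicate: the injected reply and the genuine reply overlap in TCP sequence space but carry different bytes, whereas an honest retransmission repeats the same bytes. The following is an added example, not Fox-IT's Snort module and not the rant author's code; the Segment type, the capture, the addresses (documentation ranges) and the script contents are constructed for the demo, and sequence-number wraparound is ignored.

```python
"""Flag TCP segments whose bytes contradict an earlier segment of the same flow.

Added illustration (not Fox-IT's module, not the rant author's code).
An injected reply races the real server reply, so the client sees two
segments for one flow that overlap in sequence space but differ in
content. A genuine retransmission repeats the same bytes and is not
reported. Sequence-number wraparound is ignored for brevity.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str          # "ip:port" of the sender
    dst: str          # "ip:port" of the receiver
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes


def find_injected_segments(segments):
    """Return one (flow, seq, earlier_bytes, later_bytes) tuple for every
    segment whose payload disagrees with an earlier segment of the same
    flow on the byte range where the two overlap."""
    seen = defaultdict(list)        # flow -> [(seq, payload), ...]
    alerts = []
    for seg in segments:
        flow = (seg.src, seg.dst)
        for prev_seq, prev_payload in seen[flow]:
            lo = max(seg.seq, prev_seq)
            hi = min(seg.seq + len(seg.payload), prev_seq + len(prev_payload))
            if lo >= hi:
                continue            # no overlap in sequence space
            earlier = prev_payload[lo - prev_seq:hi - prev_seq]
            later = seg.payload[lo - seg.seq:hi - seg.seq]
            if earlier != later:
                alerts.append((flow, lo, earlier, later))
        seen[flow].append((seg.seq, seg.payload))
    return alerts


# Constructed capture (documentation-range addresses, invented content).
SERVER = "203.0.113.10:80"
CLIENT = "198.51.100.7:51234"
REAL_JS = b"HTTP/1.1 200 OK\r\n\r\nwindow.cryptoLib = genuine();"
FAKE_JS = b"HTTP/1.1 200 OK\r\n\r\nwindow.cryptoLib = tainted();"
CHUNK2 = b"/* second chunk of the script */"

SAMPLE_CAPTURE = [
    Segment(CLIENT, SERVER, 1000, b"GET /crypto.js HTTP/1.1\r\nHost: notes.example\r\n\r\n"),
    Segment(SERVER, CLIENT, 5000, FAKE_JS),   # injected reply wins the race
    Segment(SERVER, CLIENT, 5000, REAL_JS),   # genuine reply: same seq, other bytes
    Segment(SERVER, CLIENT, 5000 + len(REAL_JS), CHUNK2),
    Segment(SERVER, CLIENT, 5000 + len(REAL_JS), CHUNK2),   # benign retransmission
]


def scan_sample():
    """Run the detector over the constructed capture."""
    return find_injected_segments(SAMPLE_CAPTURE)


if __name__ == "__main__":
    for flow, seq, earlier, later in scan_sample():
        print(f"{flow[0]} -> {flow[1]} seq={seq}: {earlier!r} vs {later!r}")
```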
Me: I'm super tired, it's the middle of the night and I really should get to sleep already...
Brain: hey hey Condor! I've got this great idea, a cryptographic filesystem-level vault that decrypts into different files depending on what key you give it!!! Let's implement it, all-nighter, what do you think? 🙃
Goddammit brain, that's super interesting but not now!!! I need to sleep ffs 😡13 -
I love how the Keybase Linux client installs itself straight into /keybase. Unix directory structure guidelines? Oh no, those don't apply to us. And after uninstalling the application they don't even remove the directory. Leaving dirt and not even having the courtesy to clean it up. Their engineers sure are one of a kind.
Also, remember that EFAIL case? I received an email from them at the time, stating some stuff that was about as consistent as their respect for Unix directory structure guidelines. Overtyping straight from said email here:
[…] and our filesystem all do not use PGP.
> whatever that means.
The only time you'll ever use PGP encryption in Keybase is when you're sitting there thinking "Oh, I really want to use legacy PGP encryption."
> Legacy encryption.. yeah right. Just as legacy as Vim is, isn't it?
You have PGP as part of your cryptographic identity.
> OH REALLY?! NO SHIT!!! I ACTIVELY USED 3 OS'S AND FAILED ON 2 BECAUSE OF YOUR SHITTY CLIENT, JUST TO UPLOAD MY FUCKING PUBLIC KEY!!!
You'll want to remove your PGP key from your Keybase identity.
> Hmm, yeah you might want to do so. Not because EFAIL or anything, just because Keybase clearly is a total failure on all levels.
Written quickly,
the Keybase team
> Well that's fucking clear. Could've taken some time to think before hitting "Send" though.
Don't get me wrong, I love the initiatives like this with all my heart, and greatly encourage secure messaging that leverages PGP. But when the implementation sucks this much, I start to ask myself questions about whether I should really trust this thing with my private conversations. Luckily I refrained from uploading my private key to their servers, otherwise I would've been really fucked. -
Fuck this, fuck that, fuck the buffer, fuck AES, fuck crypto, fuck node-forge, fuck IV and browsers, once I am done with this fucking cryptographic wrapper on both client and server, the first person to say decrypt and Javascript in the same sentence in front of me will get their own dick in their ass. The guy that said mixing computer and crypto was a bad idea was fucking right4
-
People seem to like cryptographic puzzles. Well, try this one for size:
b417021dc01b409ad0c21b430a508624
Answer is a sentence in plain english. Space is used, but no punctuation. Post answer to comments. Good luck :D2 -
Using the company's desktop computers to solve cryptographic puzzles (like mining) on the company's computers while the boss and someone from the IT were asking to have a look on the machine after one guy already snatched my keyboard.
Very scary moment indeed but surprisingly it turned out: the real reason why they came was because a techadmin recently removed a shared system account but some faulty clients kept flooding the servers with outdated login credentials which also triggered mass SMS on the mobile devices.
Luckily I could somehow take an opportunity to remotely call the script which pulled the emergency brake which I prepared to shut down everything. Close call.
Nowadays I think it isn't worth taking the risk just to do something that could also be done on one's own home computer even if it takes five times longer. -
Officially faster bruteforcing:
https://pastebin.com/uBFwkwTj
Provided toy values for others to try. Haven't tested if it works with cryptographically secure prime pairs (gcf(p, q) == 1)
It's a 50% reduction in time to bruteforce a semiprime. But I also have some inroads to a/30.
It's not "broke prime factorization for good!" levels of fast, but it's still pretty nifty.
Could use decimal support with higher precision so I don't cause massive overflows on larger numbers, but this is just a demonstration after all.13 -
ok, fuck people. i mean the people who talk about things that are a big deal. you don't need to take a course in html/css to build a website, you need documentation.
people act like programming languages are a whole separate literacy. they're not. it is not a big deal, nor an accomplishment of any significance, to learn any language to a basic extent. variables, control flow, functions and scope should not be considered challenging topics, and people should stop bragging about them. i'm pretty sure this is because programming is new. as people, i think when something is new we tend to think of it as more complex and harder to understand. basic programming is not that.
ok that was a tangent from my real point. college is a scam. anyone can learn anything from books and the internet. any time you want to learn about something, go to google, and search "${my topic} site:*.github.io" and you'll have a page about that topic written by someone who is knowledgeable and passionate about the topic. colleges don't teach people how to think like these books/websites do. and i'm fucking sick of people who'd rather see a degree than a portfolio. fuck them shits bro. i can distinguish my smart friends because my smart friends speak logically and enjoy becoming smarter. i would take the kid who watches aerodynamics videos on youtube and then built a plane over a kid who studied and got a five on his ap physics exam. watching then doing is better learning than watching and repeating. after all, creativity is not at all measured in our grades, and i'd like to argue that sometimes intelligence isn't even measured. i mean, people can say they're good at math, but the kids who talk about Fibonacci numbers and why there can never be two primes more than 7 (if i remember properly) integers apart or the ones who prove cryptographic algorithms. i guess what i'm trying to say is the dumb kids aren't dumb and the smart kids aren't smart (well not that) but kids who are passionate and just do something instead of waiting for their degree to do the same thing are the best and brightest. i forgot what i was talking about. sorry it is almost 2 am and i am intoxicated, and i don't believe i got my point across very well either.7 -
A thing that I am annoyed that people are getting wrong is security by obscurity.
You have heard of it and been told it is bad. It is so bad that it alone is a counterargument. Let me set you straight:
>>>Security by obscurity is the best security you will ever have<<<
There is an asterisk: It is probably not right for your business. But that is for the end.
Security by obscurity means to hide something away. Most security is based on hiding. You hide your private key or your password or whatever other secret there is. If you had a 2048 long sequence of port knocking, that would be fine, too. Or it would be fine if it wasn't observable. You could write this down in your documentation and it wouldn't be security by obscurity. It would just be security. Weird, but fine.
The real meat of obscurity is: No one knows that there is someone. The server you port knock looks like a harmless server, but suddenly has an open port to a bad application for an IP, but only if that IP went to 25 other ports first.
In the animal kingdom, there are different survival strategies. One of them is being an apex predator or at least so big and lumbering that no predator wants a piece of you. That's our security. It is upstream security. It is the state.
But what is the rest of the animal kingdom going to do? Well, run away. That works. Not being caught. And those not fast enough? Hide! Just be invisible to the predators. They cannot triple check every leaf and expect to be done with the tree before starving. That's security by obscurity. Or hide in the group. Zebras. Easy to see, hard to track in the group. Look like everyone else.
There is a reason why drug smugglers don't have vaults in the carry-on. Arrive at the customs and just refuse to open the vault. If the vault is good enough. Nope, they lack the upstream security by the state. The state is their enemy, so they need obscurity rather than cryptographic safety.
And so, for a private person, having a port knocking solution or disguising a service as another service is a great idea.
Every cryptography course happily admits that the moment they can catch you physically, cryptography is useless. They also teach you about steganography. But they omit to tell you that obscurity is the second best solution to having a stronger army when you cannot rely on your state as upstream security.
Why did I say, not a good idea for companies?
1. It is self-defeating, since you have to tell it to all employees using it. A shared secret is no secret. And therefore it cannot be documented.
2. It makes working with different servers so much harder if there is a special procedure for all of them to access them. Even if it were documented. (See 1.)
3. You're a company, you are advertising your services. How to hide that you run them?
Do you see how those are not security relevant questions? Those are implementation relevant questions.
Here is an example:
Should you have your admins log into servers as normal users before elevating to root or is that just obscurity? Well, not for security purposes. Because that foothold is so bad, if compromised, it makes little difference. It is for logging purposes, so we have a better server log who logged in. Not only always root. But if our log could differentiate by the used private key, there is no issue with that.
If it is your private stuff, be creative. Hide it. Important skill. And it is not either/or. Encrypt your backup, then hide it. Port knock, then require an elliptic curve private key to authenticate.
It is a lot of fun, if nothing else. Don't do it with your company. Downsides are too big. Cheaper to hire lawyers if needed.4 -
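The "only if that IP went to N other ports first" behaviour the rant describes is a small per-source state machine. Below is an added example, not the rant author's code: a KnockTracker that consumes observed connection attempts (say, read from a firewall log) with a constructed three-port sequence, a per-step timeout and a grant expiry. It assumes source addresses are not spoofed; since the knocks travel in the clear, anyone watching the wire learns the sequence, which is exactly the "observable" caveat above.

```python
"""Port-knocking sequence tracker (added example, not the rant author's code).

Feed it connection attempts as (timestamp, source_ip, dest_port); it reports
when a source has hit the secret ports in order and keeps a time-limited
grant for that source. Assumes the source address is not spoofed. The
sequence and timings below are constructed for the demo.
"""
from dataclasses import dataclass, field


@dataclass
class KnockTracker:
    sequence: tuple          # ordered destination ports a source must hit
    step_timeout: float      # max seconds allowed between consecutive knocks
    grant_ttl: float         # seconds the hidden service stays open for a source
    _progress: dict = field(default_factory=dict)   # ip -> (next_index, last_ts)
    _granted: dict = field(default_factory=dict)    # ip -> expiry timestamp

    def observe(self, ts, src_ip, dst_port):
        """Record one attempt; True iff src_ip has just completed the sequence."""
        idx, last_ts = self._progress.get(src_ip, (0, ts))
        if ts - last_ts > self.step_timeout:
            idx = 0                     # too slow between knocks: start over
        if dst_port == self.sequence[idx]:
            idx += 1                    # expected port: advance
        elif dst_port == self.sequence[0]:
            idx = 1                     # wrong port, but a valid fresh start
        else:
            idx = 0                     # any other port resets the attempt
        if idx == len(self.sequence):
            self._granted[src_ip] = ts + self.grant_ttl
            self._progress.pop(src_ip, None)
            return True
        self._progress[src_ip] = (idx, ts)
        return False

    def is_open_for(self, ts, src_ip):
        """True while a completed knock from src_ip has not expired."""
        expiry = self._granted.get(src_ip)
        if expiry is None:
            return False
        if ts > expiry:
            del self._granted[src_ip]
            return False
        return True


def linear_sweep_opens(tracker, src_ip, first_port, last_port, start_ts=0.0):
    """Simulate a scanner walking ports in order at 1 ms intervals and report
    whether it ever completes the sequence. With a non-consecutive sequence
    every off-sequence port resets progress; with consecutive ports it
    succeeds, so never pick an ascending run of adjacent ports."""
    return any(tracker.observe(start_ts + i / 1000, src_ip, p)
               for i, p in enumerate(range(first_port, last_port + 1)))


if __name__ == "__main__":
    t = KnockTracker(sequence=(7000, 8000, 9000), step_timeout=5.0, grant_ttl=30.0)
    for ts, port in ((0.0, 7000), (1.0, 8000), (2.0, 9000)):
        print(ts, port, t.observe(ts, "198.51.100.7", port))
    print("open at t=10:", t.is_open_for(10.0, "198.51.100.7"))
    print("sweep opens:", linear_sweep_opens(
        KnockTracker((7000, 8000, 9000), 5.0, 30.0), "scanner", 1, 10000))
```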
Crypto. I've seen some horrible RC4 thrown around and heard of 3DES also being used, but luckily didn't lay my eyes upon it.
Now to my current crypto adventure.
Rule no.1: Never roll your own crypto.
They said.
So let's encrypt a file for upload. OK, there doesn't seem to be a clear standard, but ya'know combine asymmetric cipher to crypt the key with a symmetric. Should be easy. Take RSA and whatnot from some libraries. But let's obfuscate it a bit so nobody can reuse it. - Until today I thought the crypto was alright, but then there was something off. On two layers there were added hashes, timestamps or length fields, which enlarges the data to encrypt. Now it doesn't add up any more: Through padding and hash verification RSA from OpenSSL throws an error, because the data is too long (about 240 bytes possible, but 264 pumped in). Probably the lib used just didn't notify, silently truncating stuff or resorting to other means. Still investigation needed. - but apart from that: why the fuck add own hash verification, with weak non-cryptographic hashes(!) if the chosen RSA variant already has that with SHA-256. Why this sick generation of key material with some md5 artistic stunts - is there no cryptographically safe random source on Windows? Why directly pump some structs (with no padding and magic numbers) into the file? Just so it's a bit more fucked up?
Thanks, that worked.3 -
I've been reading about quantum computing in finance and other applications (fascinating read, although really dense), but one question now won't stop bugging me.
Context:
1) Blockchain applications are based on NP-Hard asymmetric cryptographic problems, and how hard it is to solve such problems in a really short time.
2) So called "Web3.0" is based mostly on Blockchain applications, but would still need significant advances in order to be practical.
3) Affordable and practical cloud-based quantum computing is not so far in the future, and could be used to crack most NP-Hard problems in short (polynomial) time.
Thus, my question: Is Web3.0 obsolete before it even begun?
I mean, if quantum computing takes off fast enough, it could snuff out Blockchain applications by giving those a shelf life so short it wouldn't be worth developing for. It would be like announcing the iPhone 14 and the 15 in the same breath, saying the 15 is only a quarter away - why would anyone bother with the born-obsolete tech?5 -
Been working on a cryptographic virtual filesystem. But getting a '\0' character at the end of each block! Been debugging for ages! Any ideas or suggestions where that might be coming from?3
-
Hey all. So I'm a bit of an aspiring developer/engineer. I am in high school right now and am getting to the point where I should start looking at colleges. I've wanted to do something computer related and for a while now I've had my heart set on some sort of security engineer/tech/researcher what have you. But it has been pointed out to me that computer sciences often require several high level math courses, namely Calc. Problem being I'm pretty bad at Calc and haven't been able to do too well.
I'm not too sure what I should do. I'm struggling with my high school calc classes and fear that college level courses will just go over my head. I've never had issues with math before until I got to Calc. I've got some of the basics of cryptography such as hashes and cryptographic algorithms but that's about it. Do computer science degrees really rely that heavily on Calc?7 -
Do you know a hash-function (doesn't need to be cryptographic) that I can implement, without fixed size integer-types?
I already searched for a while, but couldn't find an actual fit.
It's for implementing a hasher, used by a hashmap.5 -
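One way to meet the question above, as an added example that is not part of the post: 32-bit FNV-1a arranged so that every intermediate stays below 2^53, which makes it portable to runtimes whose only number type is an IEEE double, while the explicit reduction mod 2^32 keeps the state bounded in runtimes with arbitrary-precision integers. It assumes XOR on 32-bit values is available; the helper and function names are mine, and the hash is non-cryptographic (fine for a hashmap, nothing else).

```python
"""32-bit FNV-1a with every intermediate below 2**53 (added example).

Not the post author's code. Two constraints are handled at once: the
state is reduced mod 2**32 after each step, so it stays bounded even with
arbitrary-precision integers, and the multiply is split so no product
exceeds what an IEEE double represents exactly (runtimes with no fixed-
width integer type). Non-cryptographic: fine for a hashmap, nothing else.
"""
FNV_OFFSET_32 = 0x811C9DC5
FNV_PRIME_32 = 0x01000193        # == 2**24 + 403
TWO_24 = 2 ** 24
TWO_32 = 2 ** 32
DOUBLE_EXACT_LIMIT = 2 ** 53     # integers up to here are exact in a double


def _times_prime_mod_2_32(h):
    """(h * FNV_PRIME_32) % 2**32 without ever forming h * FNV_PRIME_32.

    h * 2**24 mod 2**32 depends only on the low byte of h, and h * 403 is
    below 2**41, so the sum is far inside double precision."""
    part = (h % 256) * TWO_24 + h * 403
    if part >= DOUBLE_EXACT_LIMIT:           # cannot happen for h < 2**32
        raise OverflowError("intermediate would lose precision in a double")
    return part % TWO_32


def fnv1a_32(data):
    """FNV-1a over bytes; str input is UTF-8 encoded first."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    h = FNV_OFFSET_32
    for byte in data:
        h ^= byte                  # only touches the low 8 bits of h
        h = _times_prime_mod_2_32(h)
    return h


def fnv1a_32_reference(data):
    """Textbook form using Python's big integers, for cross-checking."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    h = FNV_OFFSET_32
    for byte in data:
        h = ((h ^ byte) * FNV_PRIME_32) % TWO_32
    return h


def bucket_index(key, nbuckets):
    """Slot for `key` in a table with `nbuckets` slots (the hashmap use case)."""
    return fnv1a_32(key) % nbuckets


def cross_check(keys):
    """True when the split-multiply form agrees with the reference on all keys."""
    return all(fnv1a_32(k) == fnv1a_32_reference(k) for k in keys)


if __name__ == "__main__":
    for k in ("", "a", "foobar", "devRant"):
        print(f"{k!r:12} -> 0x{fnv1a_32(k):08x} bucket {bucket_index(k, 64)}")
    print("cross-check:", cross_check(["", "a", "foobar", "x" * 1000, "ünïcödé"]))
```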
!dev, sort of
So, apparently my Play Store settings get reset when I restart my phone, so Google decided to update Google Keyboard to Gboard for me (and god-fucking-dammit, that shit is absolutely useless to me). I can find older .apks on websites like APKmirror for Google Kinstall but they won't install, saying that "it seems like the package is corrupt". I'm not sure exactly why this might be happening, but according to APKmirror’s FAQ it might have something to do with cryptographic signatures or that a newer version is already installed on the device. Gboard is disabled and I assume that should be enough for that, and I don't know if it would even detect it as the same app in the first place, so my best guess is that it’s got to do with the former which is why I'm turning to you guys.
Does anyone have advice for a solution? I don't have any problems getting another keyboard either if needed, but I would really like something that both has separated layouts per language, as well as a similar swipe-to-type function, since excessive tapping really aggravates my CTS. :/ Any suggestions?1 -
It can be utterly terrible to lose a sizable amount of money, such as $83,000 USD in bitcoin, leaving one feeling sad and powerless. However, in a remarkable turn of events, the technical prowess of CRANIX ETHICAL SOLUTIONS HAVEN was able to recover this lost digital fortune. The knowledgeable professionals at CRANIX ETHICAL SOLUTIONS HAVEN were able to painstakingly trace the blockchain transactions, find the missing bitcoin, and restore it to its rightful owner's digital wallet using their exacting and state-of-the-art data retrieval techniques. This process required an exceptional level of computational power, cryptographic know-how, and forensic data analysis to overcome the complex security protocols safeguarding the lost funds. Every step of the recovery operation was carried out with the utmost care and precision, as a single misstep could have resulted in the bitcoins being lost forever. In the end, my sense of hopelessness was replaced with immense relief and gratitude, as the CRANIX ETHICAL SOLUTIONS HAVEN team demonstrated their unparalleled technical finesse in pulling off this remarkable feat of digital asset recovery. This remarkable triumph over adversity is a testament to the team's expertise and the rapid evolution of blockchain technology recovery solutions. After being burned by other companies, I was wary of trusting anyone with my case. However, CRANIX ETHICAL SOLUTIONS HAVEN earned my trust through their transparency, clear communication, and realistic approach. They didn’t promise me immediate results but assured me they would do their best with the available tools and methods. Their honesty was refreshing, and it’s why I was able to trust them when they said they would make a genuine effort to recover my funds. 
Their team was highly experienced in handling cases like mine, where the recovery wasn’t about a simple password reset, but about navigating the complex layers of cryptographic security and accessing data that was seemingly lost forever. What impressed me the most was their technical finesse. CRANIX ETHICAL SOLUTIONS HAVEN took a completely different approach than the other services I had dealt with. They didn’t rely on basic tools or shortcuts. Instead, they employed a sophisticated, multi-layered recovery strategy that combined expert cryptography, blockchain forensics, and in-depth technical analysis. Please do not waste time further, consult CRANIX ETHICAL SOLUTIONS HAVEN via:
3 -
Amidst the ever-evolving landscape of digital currencies, the technical mastery employed in the process of Bitcoin restoration has emerged as a beacon of revived hope for those who have encountered the devastating loss of their virtual assets. At the heart of this intricate recovery process lies the concept of "Tech Cyber Force Recovery," a specialized technique that harnesses the power of blockchain technology and advanced cryptographic principles to reconstruct the fragmented pieces of a user's Bitcoin painstakingly. This meticulous process, undertaken by skilled experts, involves meticulously analyzing the blockchain's immutable ledger, tracing the flow of transactions, and applying complex algorithms to uncover the elusive private keys that grant access to the lost funds. The technical dexterity required to navigate the labyrinth of Bitcoin's decentralized network is truly awe-inspiring, as these digital wizards deftly maneuver through the digital realm, uncovering hidden pathways and employing state-of-the-art tools to recover what was once thought to be irretrievably lost. The successful restoration of my Bitcoin holdings not only reignites a sense of optimism but also underscores the resilience and adaptability of the cryptocurrency ecosystem, where innovative solutions emerge to address the challenges faced by those seeking to reclaim their digital wealth. As the demand for such specialized recovery services continues to grow, the technical mastery displayed by these digital alchemists stands as a testament to the transformative power of blockchain technology and its ability to empower individuals in the face of seemingly insurmountable obstacles. What stood out about Tech Cyber Force Recovery was the sincerity and transparency throughout the entire process. There were no empty promises. No “guarantees” of quick results. Just an honest, no-nonsense approach that focused on solving the problem, not on selling a dream. 
The team was consistently professional, highly knowledgeable, and dedicated to achieving a positive outcome.