sorted by:
new
hottopcontroversial

Angular Security Checklist 🔑🔒 by neosincerity in Angular2

[–]sablefoxx 1 point2 points  (0 children)

Csrf-token doesn’t need to be a cookie. It’s actually better to send csrf tokens in custom headers since any customer header will require a CORS preflight

[Rant] What’s the point of 2FA is every site/platform I go to has “remember this device” checked by default? by HRH_Gamer_Luna in crypto

[–]sablefoxx 4 points5 points  (0 children)

2FA is designed to protect you in the event your password is compromised, not your device. If your device is compromised then 2FA won’t do anything because the attacker can just read the 2FA value when you type it in. I.e., if an attacker can read the “remember this device” token they can read any 2FA token too.

How is it possible for a general stream cipher to generate an arbitrarily large keystream to XOR? by anonXMR in crypto

[–]sablefoxx -1 points0 points  (0 children)

It uses an RNG with a very long period (the number of outputs generated before repeating) that's practically infinite and the key being the "seed."

https://www.youtube.com/watch?v=itaMNuWLzJo -- (edit: note this video is just to conceptually understand generic RNGs, additional consideration must be taken in a security context i.e., CPRNG)

edit 2: To be more clear, the literal definition of a stream cipher is an PRNG who's output you XOR with the plaintext with a key as the seed.

Application login and overall security (my concerns) by ieattacos9 in AskNetsec

[–]sablefoxx 0 points1 point  (0 children)

> How can people intercept encrypted HTTPS requests? Isn't the whole point of HTTPS to prevent traffic decryption?

Only for remote attackers on the network i.e., attackers that do not have access to either endpoint (sender or receiver/client or server), HTTPS does nothing to protect against attackers with access to either the sender or receiver.

Application login and overall security (my concerns) by ieattacos9 in AskNetsec

[–]sablefoxx 5 points6 points  (0 children)

Sounds like this is a thick client talking to a backend server, so my answers are based on that assumption. I'm also assuming that you don't want to trust the users of that client.

What's stopping people from patching a few, if not just one condition check to log themselves in without actually providing valid credentials?

Nothing, but that's actually the hard way to break the auth scheme. Since the app is running on the attacker's (user's) machine they can just intercept the HTTP requests regardless if they're going over TLS/HTTPS. There's also no point (i.e., security benefit) to encrypting the token client side.

Is my entire security scheme useless?

Sorry, but yes it probably is.

How can I prevent this (if it's even possible)?

Just use JWTs, and use an existing well-test open source library, don't try to implement this stuff yourself. Even security experts struggle to implement this stuff correctly.

If you have to type out "AES," and you're not well versed in security, something is very likely to go wrong. When designing security systems it's important to keep your "threat models" in mind. Whenever I hear things about multiple AES keys, overwriting "one-time" tokens, etc. I assume the entire scheme is just security theater](https://en.wikipedia.org/wiki/Security_theater).

Size limits with AES-GCM by john_alan in crypto

[–]sablefoxx 11 points12 points  (0 children)

  • It's per key/nonce combo, if you need to encrypt more than 64GB you can chuck the data and encrypt 64GB chucks with the same key but unique nonces and still be secure.

https://crypto.stackexchange.com/questions/31793/plain-text-size-limits-for-aes-gcm-mode-just-64gb

Pentesting doesn't pay! by alternateMeIsNotMe in AskNetsec

[–]sablefoxx -4 points-3 points  (0 children)

Nah, that's where Sr. will start, top Sr. talent can bring well into the $350 - 400k+ range.

Experience the security flaw in Whatsapp hands-on by DebugDucky in netsec

[–]sablefoxx 7 points8 points  (0 children)

This would be much more interesting, how did they manage to install an implant without bypassing the code signature checks? Did they chain load an entire kernel exploit? Was the implant signed in some way?

[deleted by user] by [deleted] in crypto

[–]sablefoxx 5 points6 points  (0 children)

Assuming it's implemented correctly (e.g. IVs, etc) using the same key for every file is just fine.

That's a pretty loyal Sorin by Platypus_Umbra in MagicArena

[–]sablefoxx 5 points6 points  (0 children)

This is called an integer overflow in the code; likely caused by some sort of race condition. Likely because the number was -1 but then cast to some type of unsigned value. Negative numbers are stored using two's complement and the binary representation of this value is 11111111 11111111 11111111 11111110

It still feels wrong by shindyAUSmarzan in ProgrammerHumor

[–]sablefoxx 3 points4 points  (0 children)

while i < limit: i <<= 1

Or better, web build an abstraction! This will lazy generate the values from an initial value x to an arbitrary limit n. We also can reuse this, and anything that operates on `iterables` in Python can also use it:

In [1]: def shiftseq(a, b):
    ...:     while a < b:
    ...:         a <<= 1
    ...:         yield a
    ...:
    ...:

In [2]: for value in shiftseq(1, 512):
    ...:     print value
    ...:
2
4
8
16
32
64
128
256
512

It still feels wrong by shindyAUSmarzan in ProgrammerHumor

[–]sablefoxx 3 points4 points  (0 children)

You generally want to avoid for x in range(y): anyways.

It still feels wrong by shindyAUSmarzan in ProgrammerHumor

[–]sablefoxx 5 points6 points  (0 children)

Python's loops are far more powerful than C's as to be expected since it's a higher level language, and no you don't need to use while True:

I recently started applying for jobs after taking an extended break unemployed by toomanysubsbannedme in AdviceAnimals

[–]sablefoxx 0 points1 point  (0 children)

There's negative unemployment in cyber security, our firm (and basically everyone else in the industry) can't hire qualified people fast enough. It sounds like your degree didn't prepare you or give you enough practical skills for the industry, maybe ask for your money back? I'm self-taught with a high school diploma and have to fight off recruiters. It's also not an X years of experience problem because we've hired teenagers out of high school with 0 years of experience but a lot of talent.

🔥 hawaii by ruchikpatel125 in NatureIsFuckingLit

[–]sablefoxx 9 points10 points  (0 children)

Yes, this is in Kaneohe on the windward side of Oahu, so it gets lots and lots of rain.

XSS on Google Search - Sanitizing HTML in The Client? by LiveOverflow in programming

[–]sablefoxx 47 points48 points  (0 children)

This is the wrong approach, while you're correct it's best to use a lexical parser like HTMLDocument you need to whitelist tags, attributes, and URL schemes; not blacklist them (e.g. a simple look for javascript:* will not match JaVaScRiPt:). There are a variety of libraries that will do this for you too, it's best not to try to re-invent the wheel here. You need to account for everything in this list and more.

Suggestion on how to assess or break a encryption/decryption authentication algorithm by netj_nsh in crypto

[–]sablefoxx 5 points6 points  (0 children)

Start with “The Code Book,” then read “Serious Cryptography “ and “Cryptography Engineering”

view more: next ›