1. 2

    I have been interested in dynamic malware analysis lately and found that cuckoo-sandbox is too difficult to work with. Still in Python2, many dependencies, many configuration files and software bugs that are not easily understood.

    I’m attempting to solve those issues in my own project, we’ll see how it goes.

    1. 1

      This is not a new attack vector, it has been documented for several years. What’s interesting is the fact that these companies allow their devs to install anything via their package management tool.

      1. 8

        I’m super conflicted about doing something like this to my own car. On one hand, I would love to mod my head unit, particularly if I could have it auto-log the forward and rearward-facing camera feeds to a storage device instead of having to install a bulky aftermarket dashcam.

        On the other hand, I don’t know what kind of safety-critical systems might be routed through or depend on the head unit functionality. I just can’t justify putting my life and the life of my passengers on the line because slapping a dashcam in wasn’t aesthetic enough for me.

        1. 2

          Modern cars have their critical systems decoupled from the infotainment system, as far as I know.

          1. 3

            In theory. In practice, we’ve seen multiple bugs in which compromising the head unit meant you could influence drivetrain and safety components as well, because the infotainment system was connected to the CANBUS of the car IIRC.

            1. 2

              as far as I know.

              ,,,,,

              as far as <a random person on the internet> knows

          1. 1

            I built a web app that stores text and links that I send to it. The app tries to parse a link’s article and store it. I interact with the app via a telegram bot. Everything I send to the bot will be sent to my app :) I have a simple UI where I can view all the data.

            1. 2
              1. If you try to encrypt a message longer than 256 bytes with a 2048-bit RSA public key, it will fail. (Bytes matter here, not characters, even for English speakers–because emoji.)
              2. This design completely lacks forward secrecy. This is the same reason that PGP encryption sucks.

              Could these tradeoffs be worth it if it means the system is really simple and easy to understand?

              1. 12

                The first one, no. Breaking on large messages is a serious usability pain-point, and doing a hybrid public key encryption is 100% worth the additional complexity.

                The second one, YES! If you make the threat model clear, then eliminating forward secrecy greatly simplifies your protocol. (Implementing X3DH requires an online server to hand out “one-time pre-keys” to be totally safe.) At worst, you’re as bad off as PGP encryption (except, if you follow the advice in my blog, you’re probably going to end up using an authenticated encryption construction rather than CAST5-YOLO).

                1. 1

                  The first one, no. Breaking on large messages is a serious usability pain-point, and doing a hybrid public key encryption is 100% worth the additional complexity.

                  Isn’t it something people are quite used to though? Both SMS and tweets have a character limit.

                  But let’s say we do want to go with the simplest secure model, without forward secrecy but no character limit. So hybrid encryption but not X3DH. What library functions would the smart developer use?

                  1. 5

                    If they’re using libsodium? crypto_box_seal() and crypto_box_seal_open(). Problem solved for them.

                    If they’re using OpenSSL (or one of the native wrappers), something like this:

                    type SealedMessage = {cipher: Buffer, tag: Buffer, wrappedKey: buffer};
                    const DOMAIN_SEPARATION_AES = Buffer.from('AES-256-CTR');
                    const DOMAIN_SEPARATION_HMAC = Buffer.from('HMAC-SHA256');
                    
                    function hmacSha256(msg: string|Buffer, key: Buffer): Buffer {
                        const hmac = crypto.createHmac('sha256', key);
                        hmac.update(msg);
                        return hmac.digest();
                    }
                    
                    function seal(msg: string|Buffer, recipientPublicKey: Buffer): SealedMessage {
                        // Generate and wrap the primary key 
                        // (which is split into two keys: one for AES, one for HMAC)
                        const key = crypto.randomBytes(32);
                        const aesKey = hmacSha256(Buffer.concat([key, DOMAIN_SEPARATION_AES]), key);
                        const macKey = hmacSha256(Buffer.concat([key, DOMAIN_SEPARATION_HMAC]), key);
                        const rsaCiphertext = crypto.publicEncrypt(
                            {
                                key: recipientPublicKey,
                                padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
                                oaepHash: "sha256",
                            },
                            key
                        );
                        
                        // Encrypt the data
                        const nonce = crypto.randomBytes(16);
                        const aes = crypto.createCipheriv('aes-256-ctr', aesKey, nonce);
                        const ciphertext = Buffer.concat([
                            nonce, 
                            aes.update(Buffer.from(string)), 
                            aes.finish()
                        ]);
                        
                        // Authenticate the data
                        const tag = hmacSha256(ciphertext, macKey);
                        
                        return {
                            cipher: ciphertext,
                            tag: tag,
                            wrappedKey: rsaCiphertext
                        };
                    }
                    
                    function unseal(sealed: SealedMessage, secretKey: Buffer): Buffer {
                        const key = crypto.privateDecrypt(
                            {
                                key: secretKey,
                                padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
                                oaepHash: "sha256"
                            },
                            sealed.wrappedKey
                        );
                        const aesKey = hmacSha256(Buffer.concat([key, DOMAIN_SEPARATION_AES]), key);
                        const macKey = hmacSha256(Buffer.concat([key, DOMAIN_SEPARATION_HMAC]), key);
                        const nonce = sealed.cipher.slice(0, 16); // AES-CTR nonce size
                        const ciphertext = sealed.cipher.slice(16);
                        if (!crypto.timingSafeEqual(sealed.tag, hmacSha256(ciphertext, macKey)) {
                            throw new Error("Integrity check failed");
                        }
                        const aes = crypto.createDecipheriv('aes-256-ctr', aesKey, nonce);
                        return Buffer.concat([aes.update(ciphertext), aes.final()]);
                    }
                    

                    (This is why “just use libsodium” is so much better.)

                    1. 1

                      Please consider using Pastebin for code; Lobsters renders code in a larger-appearing font than text in its comment section and doesn’t seem to fold it away properly, creating a wall of text that makes it harder to scroll through comments.

                      1. 1

                        I somewhat agree, but I don’t think that there’s a good pastebin which is free to Lobsters without signup and also allows posts to persist. (The Reputation Problem disincentivizes such a service; it would be open to abuse.) It would be cool if Lobsters had the ability to click to expand/hide long code snippets.

                        1. 1

                          Definitely the best solution would be for Lobsters to fix code rendering in comments.

                          1. 4

                            We have an issue tracking this if anyone wants to pick up the work

                        2. 1

                          For what it’s worth, that comment looks ok to me (Chrome on Windows).

                  2. 2

                    If you are okay with giving up on security (e.g. for educational purposes) then it could be worth it.

                    In practice absolutely not.

                    1. 1

                      Giving up on security is too vague, sorry. Can eve read my messages? No? Then I think I’m pretty safe.

                      1. 2

                        Maybe bfiedler refers to the second point, meaning if Eve compromises Alice’s private key, then Eve can read past, present and future messages. My personal opinion is that this should be default for any secure messaging system.

                  1. 1

                    I use the python static site generator pelican and a search plugin. My content is written in markdown, works wonders.

                    1. 8

                      Getting mentally ready for work on Monday after 5 weeks of vacation…

                      1. 11

                        A CRM for personal relationships

                        1. 2

                          I have read about https://www.monicahq.com/ as an example. Never tried it. Have you tried it?

                          Personally I find the concept a bit … autistic/creepy, but still have considered it as possibly useful tool.

                          1. 9

                            Personally I find the concept a bit … autisti

                            Well, yeah, that’s me. Thanks for the link.

                            1. 5

                              If you think it might be useful, but found a dedicated CRM app a bit much, have you tried using the notes field in your phone’s address book? I use it to jot down names of kids & spouses and things like “vegan”, “teetotal”, “pronounced […]” etc. They’re synced everywhere automatically and they’re searchable in a hurry from your phone.

                              1. 4

                                I think it may seem creepy because of associations with corporations and marketing.

                                However, when I actually think about it… Would my life be richer and better if I was more consistent about staying in touch with people? Almost certainly!

                                1. 1

                                  I tried this but had difficulty getting the self hosted version to work. As far as creepy, I think of it as just a memory extension. It isn’t anything someone with a good memory couldn’t do, just helps mortals to remember birthdays, peoples’ interests, etc.

                                2. 1

                                  …the more I think about this the more I want it

                                  1. 1

                                    I found this one a while ago: https://www.monicahq.com/ (not affiliated)

                                    It needs a lot more automation to become useful IMO.

                                    1. 1

                                      Thanks

                                    2. 1

                                      Why do you need this, if I my ask?

                                      1. 1

                                        Help me follow up with my friends and family

                                    1. 2

                                      tmux is the one for me. It really changed the game for me. Multiplexing terminals has been so crucial in delineating my work. I wear a few different hats at work so its nice to just switch between terminals with ease.

                                      1. 2

                                        I find mosh coupled with tmux is invaluable.

                                        1. 1

                                          I’ve never given mosh a proper look but reading about it now, this seems extremely valuable.

                                        2. 1

                                          How do deal with scrolling and copy+paste?

                                          1. 1

                                            You can create bindings for tmux that allow you to do vim-style copy and paste.

                                            Scrolling is built into tmux, ctrl + [ and then just page up / page down.

                                            1. 1

                                              Tmux has bindings for that. Iirc the default backscroll thingie is ctrl+[

                                              1. 1

                                                I set my terminal emu’s scroll back to 0 and have bindings for the scroll wheel events. Setting console scrollback to 0 is important cause otherwise the terminal will try to scroll too.

                                            1. 2

                                              What I like most with Keybase is the encrypted git repos. Easy to setup and easy to start working with your team. If something like this exists that doesn’t require too much server administration, maybe I would switch.

                                              1. 1

                                                Others have expressed similar concern, though I’m not sure that a solution exists.

                                              1. 5

                                                I run docker in dev and prod and it works great. The Dockerfile and docker-compose.yml is shiped with the source code but if you don’t want to use docker, then simply don’t. I even ship a Vagrantfile if you want to use that.

                                                The arguments against using docker seem to boil down to the fact that the author did not understand docker before using it and believes other developers wont understand docker either.

                                                I spent the better part of a day banging my head against some simple database connnectivity issues, only to realize my database container wasn’t configured properly

                                                This is hardly Docker’s fault, no?

                                                In a word, no. Even with the simplicity of running docker-compose up -d to set up an application stack, it doesn’t work well with the mental model that a vast majority of developers have for running their environment locally.

                                                This can’t be true. What evidence do you have to back this up?

                                                1. 1

                                                  Visit family, maybe restructure my docket project if I get an hour or two :)

                                                  1. 1

                                                    Visit family, maybe restructure my docket project if I get an hour or two :)

                                                    1. 0

                                                      I would probably chose Go over Python (what I usually code in) because of:

                                                      • Single binary
                                                      • Easy cross compile
                                                      • Static Type System
                                                      • Easier to build concurrent code
                                                      • Pleasant to write in
                                                      1. 1

                                                        Company: KITS

                                                        Company site: https://kits.se

                                                        Position(s): Developers and Security people

                                                        Location: Gothenburg, Sweden (ONSITE)

                                                        Description: KITS (Keep it Simple) is a consulting company based in Gothenburg. We are great at architecture, mentoring, competence development, programming and project management. We develop systems and solutions in Java, Typescript, React, .NET and AWS. In addition to keeping it simple, we also want to keep it secure. The security team at KITS performs penetration testing for our customers in order to keep their products and company safe. Sounds interesting? Ping us at https://jobb.kits.se/ or https://keybase.io/dubellsec.

                                                        Tech stack: Java, Typescript, React, .NET and AWS

                                                        Contact: https://jobb.kits.se/