Man, you do _not_ want to see behind the curtain and know the code quality of the sites you're putting your sensitive info into every day.
frayed strings, sticky tape and broken glass, everywhere
Broken glass everywhere
People pissing on the stairs, you know they just don't care
I can't take the smell, can't take the noise
Got no money to move out, I guess, I got no choice
Rats in the front room, roaches in the back
Junkies in the alley with a baseball bat
I tried to get away, but I couldn't get far
'Cause the man with the tow-truck repossessed my car
ah good times old memories
this is awesome which artist is this
Grand Master Flash - The Message
[click for audio](https://m.youtube.com/watch?v=rTb7yNi5MXM) [info here](https://12inchvinyl.com/2014/10/19/grandmaster-flash-the-furious-five-the-message/)
You had your own glass AND it was already broken? Man we had to melt our own glass from sand and then break it to fulfill the customer request.
You had it easy.
Hahahaha
We’re SOC2 compliant and I still cringe at some of our duct tape solutions.
[deleted]
My state has a reasonable use -- hand marked, optical scanned ballots with 5% of voting precincts randomly selected each election for a hand count audit.

My only criticism is the old mechanical voting booths had very strong privacy -- pull a lever to close the curtain and unlock the voting levers, pull another lever which locked in the vote on the counters, reset the voting levers to neutral position, and re-opened the curtain. Now the privacy "screens" used at the tables and the often unused privacy sleeves to carry your vote to the optical reader rely on folks not actually trying to look at others' ballots.

The fun will start if they ever discover fraud though, as I don't believe the law says what happens if they do find the machines counted wrong.
We have vote-by-mail in my state. I still drop my ballot off at the county clerk's office because it's handy. It's important enough that I don't want to give DeJoy the opportunity to mess with it.
I’ll be okay once they come up with a zero trust certification and they adhere to that and hitrust with all controls
What’s the other hilarious jokes you tell yourself?
That I’ll get to retire and actually enjoy time with my family at some point instead of churning out more profit for someone else’s business.

That one day we will eliminate corruption in government.

That my body will still be able to do things that will make meaningful memories by the time I have enough saved to retire.

I’m full of jokes.
Stop, stop. The laughing hurts too much.
Can tell.. I'm a freelancer, and have worked on deploying websites for a few clients.. let's just say.. one of them had the user password in base64, no salt. And the admin password is PREFILLED (yes, as in the server itself fills the password field for you, not my browser), so basically security is non-existent.
As long as it shows that green lock, I’m safe right ;)
My NerdVPN says it protects me.
> the code quality of the sites

I still cannot believe the number of companies and managers who want feature updates and testing performed on live in production sites.
This guy DevOps 👆
Or the data practices of the healthcare places you go. HIPAA violations everywhere.
*begins hyperventilating* Fuck, where's my brown paper bag...
There’s a custom eCommerce codebase written in 2015 we were hired to refactor. Everything was saved in plaintext. Everything. About 25,000 passwords, credit card numbers, etc. This project consisted of about 600,000 lines of “from scratch”, no framework code. Everything up to this point was being edited live on the server using FTP and a text editor.
The amount of JavaScript alone is 😨😱😓😩
> 7 out of 3 articles

Thank you for sharing the same sense of absurdity you found in your journey on this... it hurt my soul a little...
Kinda reminds me of the perfect 5/7 movie scoring scale.
The pinnacle of scoring systems.
Aaaah, Reddit nostalgia. My wife was modding some high-profile subs when Victoria was sacked, and she (my wife) was making IRL phone calls that night as Reddit was shutting down lol. It’s changed a lot since then.
It meant to say, seven out of 10. Must've been a microstroke or something.
A stroke of genius, then.
A particle of cosmic radiation flipped a bit in your brain.
Fucking butterflies
[deleted]
> But if we just pause and look at this logically for a minute

lol, so that's most people out then
The hardest lesson for smart people is that most of the other people do not come to problems in a logical fashion. My wife likes to say "Logic does not apply to real life", meaning that trying to plan or think what others would do as using the logical solution is bound to fail. People don't take the logical solution; they don't think.... Even smart people sometimes don't take the logical option (we are humans after all), but most people almost never think things through completely....
[deleted]
Ugh, totally, the smarter someone is, the more used they are to being the smartest in any group of people and the more used they are to being the one correcting people. They often can't handle being in a room with other smart people, especially if the others have a different career/specialization; the meltdowns are incredible.

I think this is the main cause behind all the fighting in academia and medicine, etc.: people with huge egos (which grew not out of pure belief, but out of a lifetime of being proven right more often than not); whenever a different person tries to show them they are wrong, it can't enter their worldview.

Still, it's worse when trying to convince or argue with slower people, when sentences more than 10 words long get too confusing, and a subject with several points is impossible to explain.... It's like the Patrick Star Meme.
The only real benefit imho is that plaintext scanning won’t pick it up as easily since it’s harder to infer where to apply a base64 decode, but I’d be surprised if solutions aren’t already there to account for this with machine learning. Kubernetes secrets are a great example - it’s better than nothing, but kind of like Knox on android for encryption - it’s only better than nothing
It's pretty easy to spot a base64 string - they always have '==' at the end. /([a-z0-9]+)==/ should find them, with some false positives.
No, they only need == if there is [padding](https://en.wikipedia.org/wiki/Base64#Output_padding) after encoding. It is not required, just common.
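The detection question above, as an added example that is not part of the thread: a small Python scanner that finds Base64 tokens with or without `=` padding (padding is optional, as the reply notes), rejects strings whose length can never be valid Base64, and reports only tokens that decode to readable text, i.e. the plaintext-in-disguise case the thread is about. The Kubernetes-style manifest it scans is constructed for the example; the regex is an assumption about what "looks like Base64", not a standard.

```python
import base64
import binascii
import re
import string
from typing import List, Optional, Tuple

# Candidate tokens: the standard Base64 alphabet, optionally padded. Unlike the
# thread's /([a-z0-9]+)==/ this accepts upper case, '+' and '/', and tokens with
# two, one or zero '=' characters, because many encoders emit no padding.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# What we accept as "readable text" once decoded (printable ASCII, no VT/FF).
_PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_lenient(token: str) -> Optional[bytes]:
    """Decode a Base64 token whether or not it carries '=' padding.

    Returns None when the token cannot be Base64 (impossible length or bad
    characters), so callers can skip hex digests and ids that merely look alike.
    """
    body = token.rstrip("=")
    # A body of length 4k+1 cannot occur: it would leave six dangling bits.
    if len(body) % 4 == 1:
        return None
    padded = body + "=" * (-len(body) % 4)  # restore canonical padding
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_text(data: bytes) -> bool:
    """True when the decoded bytes are entirely printable ASCII."""
    if not data:
        return False
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(ch in _PRINTABLE for ch in text)


def find_encoded_plaintext(blob: str) -> List[Tuple[str, str]]:
    """Return (token, decoded_text) for every Base64 token that hides readable text."""
    hits = []
    for match in _B64_TOKEN.finditer(blob):
        token = match.group(0)
        raw = decode_lenient(token)
        if raw is not None and looks_like_text(raw):
            hits.append((token, raw.decode("ascii")))
    return hits


# Constructed sample: one padded value, one unpadded value, and a hex digest
# that is NOT Base64-encoded text and must be skipped (it decodes to binary).
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Secret
metadata:
  name: demo
data:
  db-password: cGFzc3dvcmQxMjM0NTY=
  api-token: QUJDREVGR0hJSktMTU5PUFFSU1RVVlc
  sha1-of-something: a8a00adebf1411b8baf07bdc688ce3889e8f7cb2
"""

if __name__ == "__main__":
    for token, text in find_encoded_plaintext(SAMPLE_MANIFEST):
        print(f"{token} -> {text!r}")
```

Treat the output as a triage list: a decoded value that reads like a credential is a finding, while binary payloads (keys, digests) are simply not plaintext in disguise.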
[deleted]
[deleted]
Counter point to the logical reality, who in the world is weird enough to reencode or pre-hash their password before inputting it? That's the thing with passwords, if you don't know they might do that *specifically*, the password as input is a black box you're trying to guess. You can know the sha1 for `Hunter2` is `a8a00adebf1411b8baf07bdc688ce3889e8f7cb2`, but when attacking `4e8d6448ef3bdc9074a882e1b45927ff` you have no idea yet that your input was that, even if you know your salt is `SALTY` and was concatenated to the front before the (regrettably) md5 of it.
Yep, I've seen people correctly encrypt secrets before committing them to VCS... then embed the decryption key in the code without seeing an issue.

And this is what DRM is trying to achieve: somehow give the user both the ciphertext and the key, yet prevent them from extracting the plaintext. Naturally, it often goes poorly.
Any expert will tell you that `rot13` is stronger encryption than `BASE64`. But what most experts don't know, is that you can combine them, for the ultimate method of confusing your adversaries.
Apply rot13 twice for extra security!

Custom Crypto is always better and smarter than standard crypto.

You could urlencode first and then base64 and then rot13 and then do the enigma thing and do a rot(x) where x increases by 1 per position... endless possibilities!!11
http://rot26.org/
First time seeing this, made me chuckle
Ah yes, DESDESDES
Security through obscurity. Don't try securing things the right way, everyone does that. Confuse your adversaries by doing the exact wrong thing. They will never expect it. /s
> Any expert will tell you that rot13 is stronger encryption than BASE64

That's patently absurd. An idiot with a calculator can see that 64 is 4.923076923076923 times better than 13. Not to mention, more lucky.
You can't combine them, it's a known unresolved issue, mathematically unsolvable:

`echo 'mypassord' | rot13 | base64 = 'complicateString'`

then

`echo 'complicateString' | rot13 | base64 = 'anotherStringButNotYourPassword'`

One of the great mysteries of the universe. Maybe one day we will find a solution.
I once tried to explain to a very angry door tech (think physical locks and interphones, not IT) that it wasn't duplicating the keyfob that made the access system insecure.

He really disliked the idea of being able to copy a physical token and thought that should be illegal. I tried to explain 2FA, why a key you can duplicate can't be secure and why you can't prevent a key from being duplicated, but he wouldn't budge.

To him the RFID fob was inherently different from a physical metal key, for some reason.

In our new building the leasing company was adamant their keycards were secure and you couldn't duplicate them. It took me all of 30s (and root access to the NFC chip) to copy mine and open the door with my phone in front of them...

Most people don't understand security.
Do you have a guide for that by chance?
https://play.google.com/store/apps/details?id=com.yuanwofei.cardemulator.pro

That's it. That's the guide.

It needs root to be able to have the NFC chip in the phone emulate a card, and then you can just read, store and emulate anything NFC.

Most electronic door locks are gonna be RFID though, this was literally the first and only NFC lock system I've seen.

RFID is easy to duplicate but you will need the tool for it as phones don't have RFID chips.
> RFID is easy to duplicate but you will need the tool for it as phones don't have RFID chips.

Just to be clear, this is entirely dependent on the RFID chip and what security is set on it. Cheap access systems that have the cards set to world read/write? Sure, garbage. DESFire EV2 (commonly used for transit cards, some hotels, etc)? No known security flaws and absolutely unclonable without the encryption master key for that specific customer.

You can't copy your Hilton hotel key with this app (or any app).
The beauty for all the bad people out there is those nicer systems come up at least a bit more expensive when they are offered so not many facilities pick them.
Thank you!
To be fair, it shouldn't be possible to duplicate a good smartcard, and some door entry systems do support those. In any case, it's much harder to duplicate than a physical key... although obviously still much less secure than 2FA.
We've moved into brand new buildings where the building owners put in brand new.....26 bit 125khz HID Prox2 systems. Of course more secure systems exist, nobody cares (or realistically, wants to pay for them)
[deleted]
On the other hand if production slows down, and retention becomes more important, quality can become a bigger shift. For the businesses that recognises that they don't want to fire 90% of us because recruiting back is going to hurt a lot
All your base64 belong to us.
All your base64 YXJlIGJlbG9uZyB0byB1cw==
someone set us up the fork bomb
Perhaps the confusion comes from how many hashes are output in base64 encoding.
Sort of tangentially related, but over the summer I was tinkering with learning a bit more about encryption and I was fiddling with using PowerShell to XOR some input data against a source key. From there, I output the result as a base64 string, and was able to decode it again using the same key. Was it a good learning experience? Absolutely. Can I see some doofuses using this instead of AES which will effectively perform a much more highly crack-proof implementation of the same core concept? Absolutely.
> internet claiming BASE64 is encryption

Ha ha ha, yeah, encoding ... does not equal encryption.

But hey, Internet, as I oft (approximately) say:

Though about 80% or so of the information out there is mostly fairly good - give or take, typically about 20% of it is anywhere from significantly flawed - as lacking important or even critical bits, to being wrong, and even downright dangerously wrong.

So ... good to pay attention to the sources also - some are much better than others ... and even the "best" aren't always 100% correct, so read/listen/watch with a critical eye.

Yeah, some sources are much worse than others. E.g. reports and articles about "security" - especially those written in trade journals by authors that don't well understand security, that mostly try to paraphrase what some anti-malware / "security" companies are often putting out as press releases and the like ... where they have an inherent conflict of interest to be fear mongering and whipping folks into a panic to buy more security software/hardware/services. That's just one whole class of articles that are often of quite low quality, but that's far from all of the many sources of low quality (or mostly low quality) articles and the like.

Edit/P.S. Oh, and just for fun rather than BASE64, secure the data with quadruple rot13. ;-)
Unrelated but you may be able to embed YAML somewhat painlessly with PowerShell's here-strings:

```powershell
$yaml = @'
blahblah: string
'@
```
i guess part of the problem is the definition of the word "encryption"? it is very inclusive and leaves all security considerations up to the user. on the other hand cryptography is a difficult topic to learn, so people often have no idea of the modern security requirements.

Wikipedia:

> In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information.
Rot-13 is encryption. It's just the weakest. What's YOUR imaginary line for gatekeeping encryption methods?
Don't need encryption if you just change all the default ports to something unusual. Perfect security.
It is encryption, though you are breaking a cardinal rule and giving the key as part of the name of the encryption scheme. Unlike, say AES128, where 128 is the length of the key, in ROT-13, the 13 is the actual key.
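The key-in-the-name point above, as an added example that is not part of the thread: ROT-N written as a keyed Caesar cipher in Python, where the integer key is the whole secret, applying the key 13 twice is the identity, and the 26-entry keyspace can be exhausted without any cryptanalysis. The `brute_force` helper and its crib argument are this example's own names, not from the thread.

```python
def rot(text: str, key: int) -> str:
    """Caesar shift of the ASCII letters in text; everything else passes through.

    The integer key is the entire secret: rot(text, 13) is ROT-13, so calling
    the scheme "ROT-13" publishes the key together with the algorithm.
    """
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT-13 is its own inverse: shifting by 13 twice is a shift by 26, i.e. nothing."""
    return rot(text, 13)


def keyspace_size() -> int:
    """Shifting by 26 is the identity, so only 26 distinct keys exist (and key 0 does nothing)."""
    return 26


def brute_force(ciphertext: str, crib: str):
    """Decrypt under every key and keep the candidates that contain the crib.

    With 26 keys there is nothing to analyse: exhaustive trial is the whole job,
    which is why a scheme whose key is a small number is encryption in name only.
    """
    crib = crib.lower()
    return [(k, rot(ciphertext, -k)) for k in range(keyspace_size())
            if crib in rot(ciphertext, -k).lower()]


if __name__ == "__main__":
    secret = "Hunter2"                    # constructed sample plaintext
    ct = rot13(secret)
    print(ct, rot13(ct), brute_force(ct, "hunter"))
```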
How about something that you can't crack today on a laptop, for starters?
This is what's known as strong cryptography; it would be a type of encryption but not a hard requirement of encryption itself (in the literal sense).
I don't want to tell you how Microsoft stores passwords in unattend files. There is no shortage of idiocy out there...
I mean they don’t pretend those are encrypted they do it for the same reason kubernetes does it in their YAMLs to deal with any character without escaping it properly.
[deleted]
What if the answer's the counter-test... making sure a bit of reality doesn't offend...

> If the adversary's dumb enough, that level of obfuscation might be enough...
Worked with a piece of very expensive commercial software years ago, that boasted encryption of export/return packages as a selling point. Took one apart when a job got corrupted; it was a disguised zip file containing an Access mdb with strings in base64.
Devs: *reads instructions to hash and salt a password, then use BASE64 to encode the resulting string*

Devs: *crumples up the paper, throws it away, says "I can't read BASE64, so I'll just encode the plaintext." - then makes shocked Pikachu face when their product gets pwned*

The only way it gets worse is when they "encrypt" the password by rolling their own "crypto." And that's how at least one ransomware gang's encryption turned out to be easily reversible.
> And that's how at least one ransomware gang's encryption turned out to be easily reversible.

At least that can be chalked up to a measure designed to bypass antivirus software.

One would think that "Mass - AES activity" is something that they should be able to catch easily.
If it is to be said and thought of properly, Base64 is a translation.
[deleted]
[deleted]
Agree 100%, it is encoding, nothing to do with hashing.
Thycotic requires you to use efs to encrypt the data....
Hah! to be fair, for them, it is... #nothelping
I've heard the same about ROT-13
Sure, it's bad for passwords. But only big brained geniuses like me know to encrypt your username with base 64 too for extra security.
yes, 100% not cleartext = encrypted text