Question for crypto (as in cryptographic) nerds, I am looking for an automated solution for on-prem backups that encrypts said backup. The plan is to take said encrypted backup and store it off sight. Prefer open source, and for further context consider this "home lab" although it does involve multiple servers with public IPs etc. I do not want to have the encryption key easily reachable like in plaintext in a config file.
Right now this is all happening manually, but automated would make this so much easier. It does not have to be a full end-to-end solution, even just the encrypting part being able to be automated would be fine as I could simply script around it. Thoughts and recommendations?
Isn't RSA the current secure solution for the corresponding encryption/security on the browser with JavaScript?
»Galois/Counter Mode and random nonces:
It turns out you can encrypt more than 2^32 messages with AES-GCM with a random nonce under certain conditions. It’s still not a good idea, but you can just about do it.«
This is part of a wry joke at the expense of LISPers and lambda calculators:
"... the heretic is chained in the dungeon where he is forced to learn Common Lisp on a Commodore 64 and interact with rapacious Lemmy-ings and Mastodonians."
Early on in my hobby I came to the realization that cryptographic prowess has no viable market price point. More's the pity. Yet I think one day I may change that with my secrecy sauce.
PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
Structural security trumps computational security ... or ...
Diffuse structural security trumps amalgamated computational security ...
All your big, strong passkeys in one basket is less secure than your passwords in many individual baskets ...
Trying to explain this to tech bros can resemble pushing a wagon uphill ...
Because they want to sell something, logic is not paramount.
"A password in my brain is generally safer than an app or SMS stream that can be compromised. Although a passphrase may in some cases not be computationally more secure than a token mechanism or two-factor sytem, the simple passphrase is often structurally more secure because that passphrase only links to and exposes one service target."
"I like to compare it to having one basket of eggs in one spot, and many baskets of eggs in many places. If your one basket of eggs has the master key to all the other stronger keys, is it easier to get the one basket, or the many baskets with weaker keys? So in this scenario cipher strength is not the most important factor for security. With a single basket one fox or pick-pocket or one search warrant can own all of your eggs for all your services."
The tech, simply put, works like this: When you create an account for a website or app, your device generates a cryptographic public-private key pair. The site or app backend gets a copy of the public key, and your device keeps hold of the private key; that private key stays private to your gear. When you come to login, your device and the backend authentication system interact using their digital keys to prove you are who you say you are, and you get to login. If you don't have the private key or can't prove you have it, you can't login.
Everything you need to know about so-called 'Swiss Privacy' we learned decades ago from Operation Thesaurus, AKA, Operation Rubicon. We learned that CIA operations and black budget banking are actually headquartered in the Swiss underground.
If you trust any third-party server to protect your privacy, you're a rube. If you trust Proton Mail to protect your privacy, you're a rube getting 'crossed' by the Swiss Rubi-con. Either you own your keys and your data on your computer or else you have no privacy. Someone else's promise that your data will be 'encrypted' so they can't decipher it is a hollow pledge. If you send any form of plaintext to a remote server, no matter how much they claim to encrypt it, you have zero assurance of data privacy.
Listening to a #podcast about #cryptography in #golang, and it’s quite interesting. One bonus is that one of the guests has the most Italian accent I’ve ever heard, which makes it fun to listen to him speak.
Join us for welcoming returning presenter Sergi Rovira, with Axel Mertens, from Universitat Pompeu Fabra (UPF) and @CosicBe respectively, presenting Convolution-friendly Image Compression in FHE, Apr 25th, 2024 @ 4PM CEST.
Looking for conferences on #Cryptography and #Security. #AfricaCrypt is in #Cameroon this year, a country that imprisons peolpe for suspicions of being gay. In 2021 to trans women were sent to prison for “wearing women’s clothing in a restaurant”.
In other words, we are talking about a complete shit-hole country and a non-negligible part of the cryptographic community cannot safely visit the conference because of that.
A conference that proudly associates itself with the #IACR. I think we should have a serious discussion about whether it is appropriate to place conferences in places that will imprison people for who they are and whether the IACR should associate with conferences that ignore these concerns.
For all the problems that conferences in the west have with accessibility (and that you may rightfully criticize), you can usually at least be confident that the government there won’t subject you to torture for who you are.
if you want to help people access the full, uncensored internet via Tor, and you're a fedi admin, here's a way you can help. you may know about Tor Bridges and how they're used by people behind repressive governments that censor the internet to safely access the net. countries like China or Russia block the public list of Tor relays, for example.
WebTunnel is a Bridge method that uses a reverse proxy that you configure using your existing nginx (etc) web server that points to your server's local tor daemon. so your fedi instance can be a bridge to the Tor network for people who cannot connect to Tor normally. disobey.net is hosting one ^^
one thing to note is that it's important to disable nginx (etc) web server logs, since the people who use bridges are connecting to you as their first, trusted hop onto the tor network. something to keep in mind to maximize privacy and reduce your own liability.
Swiss authorities intervene, Proton Mail not blocked in India (www.moneycontrol.com)