Everything you need to know about so-called 'Swiss Privacy' we learned decades ago from Operation Thesaurus, AKA, Operation Rubicon. We learned that CIA operations and black budget banking are actually headquartered in the Swiss underground.
If you trust any third-party server to protect your privacy, you're a rube. If you trust Proton Mail to protect your privacy, you're a rube getting 'crossed' by the Swiss Rubi-con. Either you own your keys and your data on your computer or else you have no privacy. Someone else's promise that your data will be 'encrypted' so they can't decipher it is a hollow pledge. If you send any form of plaintext to a remote server, no matter how much they claim to encrypt it, you have zero assurance of data privacy.
PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
Structural security trumps computational security ... or ...
Diffuse structural security trumps amalgamated computational security ...
All your big, strong passkeys in one basket is less secure than your passwords in many individual baskets ...
Trying to explain this to tech bros can resemble pushing a wagon uphill ...
Because they want to sell something, logic is not paramount.
"A password in my brain is generally safer than an app or SMS stream that can be compromised. Although a passphrase may in some cases not be computationally more secure than a token mechanism or two-factor sytem, the simple passphrase is often structurally more secure because that passphrase only links to and exposes one service target."
"I like to compare it to having one basket of eggs in one spot, and many baskets of eggs in many places. If your one basket of eggs has the master key to all the other stronger keys, is it easier to get the one basket, or the many baskets with weaker keys? So in this scenario cipher strength is not the most important factor for security. With a single basket one fox or pick-pocket or one search warrant can own all of your eggs for all your services."
Hi #infosec folk.. I’m looking for some guides/web sites/books/YouTube channels that explain #cryptography and #cryptanalysis to a layperson.. including the math!! Thanks 🙏
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #19/2023 is out! It includes, but not only:
‣ New Phishing-as-a-Service Platform Lets Cybercriminals Generate Convincing #Phishing Pages
‣ #Netgear Routers' Flaws Expose Users to #Malware, Remote Attacks, and Surveillance
‣ 🇮🇹 🏎️ #WordPress Plugin Vulnerability Exposed #Ferrari Website to Hackers
‣ 🇯🇵 🚗 #Toyota Japan exposed data on millions of vehicles for a decade
‣ 📨 #Microsoft patches bypass for recently fixed Outlook zero-click bug
‣ 🇺🇸 🇺🇦 IRS gives #Ukraine tools to expose Russian oligarchs hiding riches in #crypto exchanges
‣ 🇨🇭 Multinational tech firm #ABB hit by Black Basta #ransomware attack
‣ 🐥 #Twitter Finally Rolling Out Encrypted Direct Messages — Starting with Verified Users
‣ 🇺🇸 Cybersecurity firm #Dragos discloses cybersecurity incident, extortion attempt
‣ 🇰🇵 North Korean hackers breached major hospital in Seoul to steal data
‣ 🇺🇸 #Google Now Lets US Users Search #DarkWeb for Their Gmail ID
‣ 🇺🇸 #IBM Delivers Roadmap for Transition to Quantum-safe #Cryptography
‣ 🇪🇸 Spanish police dismantle phishing operation linked to crime ring
‣ 🇺🇸 Microsoft #PatchTuesday: 40 Vulnerabilities, 2 Zero-Days
‣ 🇺🇸 🇷🇺 Justice Department Announces Court-Authorized Disruption of the Snake Malware Network Controlled by #Russia's Federal Security Service
‣ 🇺🇸 Feds seize 13 more DDoS-for-hire platforms in ongoing international crackdown
‣ #MSI Data Breach: Private Code Signing Keys Leaked on the Dark Web
‣ 🇮🇷 Microsoft: Iranian hacking groups join #Papercut attack spree
📚 This week's recommended reading is: "The Pentester BluePrint: Starting a Career as an Ethical Hacker" by @phillipwylie and @crowgirl
Isn't RSA the current secure solution for the corresponding encryption/security on the browser with JavaScript?
»Galois/Counter Mode and random nonces:
It turns out you can encrypt more than 2^32 messages with AES-GCM with a random nonce under certain conditions. It’s still not a good idea, but you can just about do it.«
if you want to help people access the full, uncensored internet via Tor, and you're a fedi admin, here's a way you can help. you may know about Tor Bridges and how they're used by people behind repressive governments that censor the internet to safely access the net. countries like China or Russia block the public list of Tor relays, for example.
WebTunnel is a Bridge method that uses a reverse proxy that you configure using your existing nginx (etc) web server that points to your server's local tor daemon. so your fedi instance can be a bridge to the Tor network for people who cannot connect to Tor normally. disobey.net is hosting one ^^
one thing to note is that it's important to disable nginx (etc) web server logs, since the people who use bridges are connecting to you as their first, trusted hop onto the tor network. something to keep in mind to maximize privacy and reduce your own liability.
Early on in my hobby I came to the realization that cryptographic prowess has no viable market price point. More's the pity. Yet I think one day I may change that with my secrecy sauce.
The tech, simply put, works like this: When you create an account for a website or app, your device generates a cryptographic public-private key pair. The site or app backend gets a copy of the public key, and your device keeps hold of the private key; that private key stays private to your gear. When you come to login, your device and the backend authentication system interact using their digital keys to prove you are who you say you are, and you get to login. If you don't have the private key or can't prove you have it, you can't login.
This is part of a wry joke at the expense of LISPers and lambda calculators:
"... the heretic is chained in the dungeon where he is forced to learn Common Lisp on a Commodore 64 and interact with rapacious Lemmy-ings and Mastodonians."
Join us for welcoming returning presenter Sergi Rovira, with Axel Mertens, from Universitat Pompeu Fabra (UPF) and @CosicBe respectively, presenting Convolution-friendly Image Compression in FHE, Apr 25th, 2024 @ 4PM CEST.
Swiss authorities intervene, Proton Mail not blocked in India (www.moneycontrol.com)