|
To an extent - at some point I have to trust somebody's imnplementation of the protocol unless I want to try and implement it myself (which seems like a really bad idea). Ultimately I'm using it because that's the first Google result for "BCrypt for .NET". If there's another implementation I should rather be using, I'd like to know which one. The github page does say it's a port of https://bcrypt.codeplex.com, but considering that site immediately throws up a browser warning I'm hesitant to go any further with that one.
|
#
?
Feb 12, 2020 22:58
|
|
|
|
| # ? May 31, 2024 10:43 |
|
|
Volmarias posted:Lol if you actually think this I can dream.
|
|
#
?
Feb 12, 2020 23:50
|
|
|
Argon2 is also a fairly popular recommendation now and it should be fairly easy to find a trustable implementation of it for dotnet.
|
|
#
?
Feb 13, 2020 03:31
|
|
|
IIRC one of the OWASP pages recommends PBKDF2 with .NET because it's provided in the standard lib. What's the consensus on PBKDF2?
|
|
#
?
Feb 15, 2020 13:08
|
|
|
You can reasonably argue that PBKDF2 is a reasonable choice for a password hashing algorithm during an audit or when your password database gets leaked and you won't get tarred and feathered over it, imho.
|
|
#
?
Feb 15, 2020 14:33
|
|
|
PBKDF2 is still on the list of cryptographic right answers too, so it doesn't seem like it's the worst way to go. if you're designing something from the ground up, meaning you don't have to deal with legacy systems, scrypt is preferred.
|
|
#
?
Feb 15, 2020 17:39
|
|
|
That's just too perfect. When I was telling my team we were all getting new Cisco desk phones I said there would be a prize for the first person to install Doom on it. You know, as a joke. I should have known better.
|
|
#
?
Feb 15, 2020 22:27
|
|
|
So this Crypto AG bullshit is pretty much the poster child of a reason as to why for-pay VPNs nowadays are complete bullshit for "privacy".
|
|
#
?
Feb 16, 2020 22:55
|
|
|
wireguard doesn't use nist curves, does it?
|
|
#
?
Feb 16, 2020 23:13
|
|
|
Potato Salad posted:wireguard doesn't use nist curves, does it? No, it uses X25519 for key exchange, BLAKE2 for hashing, and ChaCha20-Poly1305 for encryption/authenticaiton which is as good as you can get for avoiding NIST-endoresed technology.
|
|
#
?
Feb 16, 2020 23:44
|
|
|
Combat Pretzel posted:So this Crypto AG bullshit is pretty much the poster child of a reason as to why for-pay VPNs nowadays are complete bullshit for "privacy". Huh, I hadn't read about that. I'd really like to think that there's some way for the Swiss government to squeeze the CIA's balls on this, but barring people known to be in on it (who presumably moved back to the States afterward) being dumb enough to go back to Switzerland I doubt that's happening.
|
|
#
?
Feb 16, 2020 23:44
|
|
|
Mr.Radar posted:No, it uses X25519 for key exchange, BLAKE2 for hashing, and ChaCha20-Poly1305 for encryption/authenticaiton which is as good as you can get for avoiding NIST-endoresed technology.
|
|
#
?
Feb 17, 2020 19:35
|
|
|
Mr.Radar posted:No, it uses X25519 for key exchange, BLAKE2 for hashing, and ChaCha20-Poly1305 for encryption/authenticaiton which is as good as you can get for avoiding NIST-endoresed technology. Is the implication here that NIST-endorsed tech and algorithms should be viewed as highly suspect? I mean I don't want to sound like a rube or something, but... AlternateAccount fucked around with this message at 22:08 on Feb 17, 2020 |
|
#
?
Feb 17, 2020 22:03
|
|
|
AlternateAccount posted:Is the implication here that NIST-endorsed tech and algorithms should be viewed as highly suspect? I mean I don't want to sound like a rube or something, but... They don't have a good track record. It isn't that "everything NIST is bad" because almost all of it is legitimately good, but NIST endorsement in and of itself doesn't mean the thing is good, and if NIST is the only thing endorsing the thing, I would indeed be very suspicious. The fact that we tend to use NIST-sponsored things is mostly because the community agrees with them and not because they're authoritative.
|
|
#
?
Feb 17, 2020 22:13
|
|
|
xtal posted:They don't have a good track record. It isn't that "everything NIST is bad" because almost all of it is legitimately good, but NIST endorsement in and of itself doesn't mean the thing is good, and if NIST is the only thing endorsing the thing, I would indeed be very suspicious. The fact that we tend to use NIST-sponsored things is mostly because the community agrees with them and not because they're authoritative. can you elaborate on their poor track record? That seems a bit incongruent with your next sentence of "almost all of it is legitimately good"
|
|
#
?
Feb 17, 2020 22:16
|
|
Cat Army 
|
The Iron Rose posted:can you elaborate on their poor track record? That seems a bit incongruent with your next sentence of "almost all of it is legitimately good" Almost all of their recommendations are for good things like SHA and AES, I believe. The most egregious example of them standardizing a bad thing was Dual_EC_DRGB. But there are all sorts of other attempts that didn't make it so far. https://spectrum.ieee.org/telecom/security/can-you-trust-nist xtal fucked around with this message at 22:25 on Feb 17, 2020 |
|
#
?
Feb 17, 2020 22:21
|
|
|
Do you ascribe the missteps to genuine mistakes or perhaps a bit something more malicious? Sounds like they should just be viewed as a "generally good, but singular source, so seek corroborating opinions from other worthwhile entities" kind of thing?
|
|
#
?
Feb 17, 2020 22:34
|
|
|
I'm ok with that!
|
|
#
?
Feb 17, 2020 23:11
|
|
|
The idea that a single source is insufficient extends well beyond NIST, of course. It's why I won't be using Wireguard until the implementation that's landing in FreeBSD at some point has been independently audited as the IPSec implementation has, and why I encourage caution with OpenBSDs audits, as they're by definition not independent.
|
|
#
?
Feb 18, 2020 12:03
|
|
|
X25519 is the only choice where not trusting NIST was part of the choice. Nobody knows why the NIST curves use the coefficients they do, whereas X25519 has a document explaining its choices. This is in addition to a number of other problems with the NIST curves, such as not producing output that looks uniformly random. AES and SHA-2 are both solid, but there are various other reasons why other algorithms are preferable, such as performance and implementation complexity.
|
|
#
?
Feb 18, 2020 16:21
|
|
|
Double Punctuation posted:X25519 is the only choice where not trusting NIST was part of the choice. Nobody knows why the NIST curves use the coefficients they do, whereas X25519 has a document explaining its choices. This is in addition to a number of other problems with the NIST curves, such as not producing output that looks uniformly random. AES and SHA-2 are both solid, but there are various other reasons why other algorithms are preferable, such as performance and implementation complexity. Comparatively, skein is an example of a crypto-primitive was made explicitly to be fast without hardware acceleration, but it's still slower - though it's great for ZFS on platforms without hardware acceleration!
|
|
#
?
Feb 18, 2020 23:16
|
|
|
Anyone use Rumble.run and have any thoughts? Distributed asset discovery service by HD Moore. I really only need it for a bridged wifi audit across ~50 sites. https://www.rumble.run
|
|
#
?
Feb 19, 2020 18:04
|
|
|
From a few days ago, but I'm just catching up...Combat Pretzel posted:So this Crypto AG bullshit is pretty much the poster child of a reason as to why for-pay VPNs nowadays are complete bullshit for "privacy". This may be true if you're involved in international espionage, and CIA-level agencies are specifically what you're trying to defend against. A VPN is still perfectly effective if you're just some schmoe on the Internet and you'd rather that all the And while the Crypto AG thing is pretty bad, it doesn't necessarily follow that every company is compromised and every algorithm is backdoored. VPNs are not a magic privacy wand, no matter what their marketing may imply. But they're far from useless.
|
|
#
?
Feb 19, 2020 19:18
|
|
|
That reminds me, Algo's GitHub says "Does not claim to provide anonymity or censorship avoidance," why is that? Because your name is presumably going to be attached to the endpoint? Or is it just a CYA / statement that if the Mossad wants to steal your fansubs of the newest Magical Girl anime they will?
|
|
#
?
Feb 19, 2020 19:43
|
|
|
22 Eargesplitten posted:That reminds me, Algo's GitHub says "Does not claim to provide anonymity or censorship avoidance," why is that? Because your name is presumably going to be attached to the endpoint? Or is it just a CYA / statement that if the Mossad wants to steal your fansubs of the newest Magical Girl anime they will? It's a reminder that a VPN isn't magic security dust and that if you're going to do something legally frowned upon somewhere it's only going to go so far.
|
|
#
?
Feb 19, 2020 20:00
|
|
|
Given that Algo itself doesn't own any of the providers, I'd take that to mean only that your anonymity is only protected so far as Digital Ocean or whoever want to protect it, which is not a factor Algo itself can possibly control.
|
|
#
?
Feb 19, 2020 21:55
|
|
|
Zorak of Michigan posted:Given that Algo itself doesn't own any of the providers, I'd take that to mean only that your anonymity is only protected so far as Digital Ocean or whoever want to protect it, which is not a factor Algo itself can possibly control. the statement is required as vpn providers make money off of this ignorance when half of the route is all they encapsulate. the rest is always in-play, all you're doing is moving where the start of your connection effectively is marketers really don't care about you jumping through a vpn - its just another way you make yourself unique and makes it easier to connect sessions since you're going to run their code in your browser anyway what does the route matter
|
|
#
?
Feb 19, 2020 22:35
|
|
|
Powered Descent posted:This may be true if you're involved in international espionage, and CIA-level agencies are specifically what you're trying to defend against.
|
|
#
?
Feb 19, 2020 23:03
|
|
|
Random showerthought: Considering this Crypto AG poo poo, it's rich for the US to make such a drama about Huawei's 5G equipment.
|
|
#
?
Feb 20, 2020 14:32
|
|
|
Combat Pretzel posted:Random showerthought: Considering this Crypto AG poo poo, it's rich for the US to make such a drama about Huawei's 5G equipment. why though given the capabilities the US is aware that this kind of intercept provides, it makes even more sense for them to try to make sure other nation states don't have that ability within its borders Potato Salad fucked around with this message at 14:42 on Feb 20, 2020 |
|
#
?
Feb 20, 2020 14:36
|
|
|
"Wow this is really effective, I shouldn't let somebody else do this to me" This is a sound way to think
|
|
#
?
Feb 20, 2020 14:37
|
|
|
Combat Pretzel posted:Random showerthought: Considering this Crypto AG poo poo, it's rich for the US to make such a drama about Huawei's 5G equipment. Yes, everyone is aware of the hypocrisy, and it's entirely possible if not probable that there are similar vulnerabilities intentional or otherwise that the NSA et al are aware of if they weren't the principle creators of.
|
|
#
?
Feb 20, 2020 16:08
|
|
|
Combat Pretzel posted:Random showerthought: Considering this Crypto AG poo poo, it's rich for the US to make such a drama about Huawei's 5G equipment. Considering that China is committing an intentional planned genocide as we speak, maybe get back in the shower and think about the historical parallels a bit more.
|
|
#
?
Feb 20, 2020 17:06
|
|
|
I'm always tickled by the online opinions of Americans.
|
|
#
?
Feb 20, 2020 17:10
|
|
|
Huawei isnt doing anything we dont do, but at the same time the idea of letting them inside to do the same thing is pretty no brainer bad. China is even more direct than the US though: It takes lawsuits and court orders in the US to get tapping/intercept, but China does that out the door with their companies: If you make it, they have a right to it. They will replace anybody on your board who objects, and they own the right to all IP/Devices. If you have corporate VPN they have to be provided a key. CommieGIR fucked around with this message at 17:40 on Feb 20, 2020 |
|
#
?
Feb 20, 2020 17:22
|
|
|
I'm not an American, if that was aimed at me.
|
|
#
?
Feb 20, 2020 17:31
|
|
|
CommieGIR posted:It takes lawsuits and court orders in the US to get tapping/intercept, this is naive and wrong
|
|
#
?
Feb 20, 2020 17:43
|
|
|
The Fool posted:this is naive and wrong Barr isnt promoting having Crypto backdoors as a cover, they do not have the same legal leverage as Prosecutors in China do. And nobody is pretending that all the trunks are not tapped by default, nor that FISA courts dont exist. But its naive to claim that the relationship is 1:1, and still doesnt suddenly make accepting Huawei's backdoors palatable. There is more ability in the US to challenge this stuff versus China, where every manufacturer is considered an extension of the state and that is openly said, and cannot be challenged at all. CommieGIR fucked around with this message at 17:51 on Feb 20, 2020 |
|
#
?
Feb 20, 2020 17:45
|
|
|
https://www.humblebundle.com/books/...iley_bookbundle Decent collection of books and material if you are want to learn more about CyberSecurity and hacking. Pay $1 or whatever
|
|
#
?
Feb 20, 2020 17:48
|
|
|
|
| # ? May 31, 2024 10:43 |
|
|
CommieGIR posted:But its naive to claim that the relationship is 1:1, and still doesnt suddenly make accepting Huawei's backdoors palatable. The Uighur thing is a weird matter to bring up. Considering the US is otherwise also acting as the world's police, they're sure free to deal with it.
|
|
#
?
Feb 20, 2020 17:52
|
|