Storm One posted: Why would anyone use a block cipher with 64 bit block size?
For anything smaller than a few gigs, it's perfectly fine. But it's just as easy to use AES-256 or whatever you prefer. (I just picked Blowfish since it makes for nice compact commands.) e: GPG is a fine choice here too. Powered Descent fucked around with this message at 00:16 on Jun 17, 2021
# ? Jun 17, 2021 00:11

Storm One posted: Just use symmetric GPG, it's the de facto standard.
# ? Jun 17, 2021 00:17

tbh I'd probably go asymmetric so that secret doesn't need to live on the server that's doing the encryption but yeah use gpg
# ? Jun 17, 2021 00:21

EDIT: Achmed Jones posted: tbh I'd probably go asymmetric so that secret doesn't need to live on the server that's doing the encryption but yeah use gpg
I wouldn't because then they'd also need to backup and manage the keypair. A simple password that's written down on paper and can even be the same as the master password for the Bitwarden DB is more shoot-yourself-in-the-foot proof.
Powered Descent posted: For anything smaller than a few gigs, it's perfectly fine. But it's just as easy to use AES-256 or whatever you prefer. (I just picked Blowfish since it makes for nice compact commands.)
Sure, but that OpenSSL one-liner doesn't use any authentication (GPG's apparently isn't ideal but it's something at least) and it's harder to memorise than code:
code:
code:
It's cryptographically better, simpler to use, and GPG is installed in all Linux distros and easily available for Windows, etc. Why fuss with OpenSSL? Storm One fucked around with this message at 00:28 on Jun 17, 2021
# ? Jun 17, 2021 00:22

Storm One posted: Why fuss with OpenSSL?
It's just the tool I'm more familiar with (we used it a lot at an old job) so it's what sprang to mind for encryption of one file from CLI. Anyway, suggestion withdrawn, I'll join you on board the GPG train now.
# ? Jun 17, 2021 00:44

Yeah, good point on GPG over 7-Zip. I live in Windows land and that's my default go-to, so thanks Goons for teaching me something new! If anyone has anything on that reference to 7-Zip encryption being bad I'd be interested in reading it. It's a very long-lived application that's had a lot of changes over the years, so I'm also curious how recent that criticism is.
# ? Jun 17, 2021 00:51

I'm not qualified to authoritatively conclude anything about this, but someone recently tweeted that they fuzzed 7zip and found lots of problems. I believe it was reposted somewhere in this thread.
# ? Jun 17, 2021 00:59

Storm One posted: I wouldn't because then they'd also need to backup and manage the keypair. A simple password that's written down on paper and can even be the same as the master password for the Bitwarden DB is more shoot-yourself-in-the-foot proof.
print out the private key and put it in a safe. it's more annoying to type in but it's not particularly different from a password. we have base64 (or whatever you want) technology. pub keys are both public and recoverable from private keys so backing up a "pair" doesn't make a ton of sense
# ? Jun 17, 2021 01:08

Achmed Jones posted: so backing up a "pair" doesn't make a ton of sense
True, I misspoke. I personally prefer to only have to worry about remembering and keeping a backup of my master password but if anyone needs/prefers to use asymmetric GPG and wants to backup their private key, the way to go is using paperkey.
quote: Due to metadata and redundancy, OpenPGP secret keys are significantly larger than just the "secret bits". In fact, the secret key contains a complete copy of the public key. Since the public key generally doesn't need to be escrowed (most people have many copies of it on various keyservers, web pages, or similar), only archiving the secret parts can be a real advantage. Note that using paperkey, a backup of the public key is also needed in order to reconstruct the secret key.
# ? Jun 17, 2021 01:24

RFC2324 posted: This reminds me of something. Bitwarden can do a database dump in a few formats. I'm doing a nightly dump in their encrypted_json format but that's proprietary and can only be loaded back into Bitwarden. I wanted to modify the dump to output one of the non-proprietary formats and pipe it into something to encrypt it... Any recommendations?
Ideal use case for tarsnap, OP
# ? Jun 17, 2021 01:34

thanks for all the advice. I'll get gpg written into my backup script
azurite posted: I'm not qualified to authoritatively conclude anything about this, but someone recently tweeted that they fuzzed 7zip and found lots of problems. I believe it was reposted somewhere in this thread.
this is what I was talking about. I don't know that more was ever revealed than 3-4 tweets' worth of 'welp, time to not trust 7zip for encryption'
# ? Jun 17, 2021 05:04 |
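The symmetric-gpg backup pipeline the thread converges on, written out as a runnable POSIX sh script. This is an added example, not code from any post above and not from the GnuPG or Bitwarden projects. It assumes GnuPG 2.x on PATH and a passphrase kept in a file readable only by the backup user; the `bw export --raw --format json` exporter in the usage comment is my assumption about the Bitwarden CLI, so check it against your installed version. Pinning `--cipher-algo AES256` avoids depending on whichever cipher a given gpg version defaults to, and gpg's symmetric mode wraps the data in an MDC (modification detection code) packet, which is the "something at least" integrity check Storm One refers to. The script also refuses a group- or world-readable passphrase file and only reports success after the ciphertext has been decrypted back to byte-identical content.

```shell
#!/bin/sh
# Added example, not from the thread: a passphrase-based backup helper built
# on gpg --symmetric. Plaintext comes in on stdin so any exporter can feed it.
#
# Assumptions (mine): GnuPG 2.x on PATH; the passphrase is stored in a file
# with mode 600 owned by the backup user; GNUPGHOME is usable by that user.
set -eu

# pass_file_private FILE
# Returns 0 only when FILE has no group/other permission bits, so a
# passphrase file left world-readable is caught before it is used.
# Parses the permission column of ls -ld (characters 5-10), which works on
# both GNU and BSD userlands where stat(1) flags differ.
pass_file_private() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# encrypt_stream OUTFILE PASSFILE   (plaintext on stdin, ciphertext to OUTFILE)
# --batch with --pinentry-mode loopback makes gpg read the passphrase from
# PASSFILE instead of prompting, which is what a cron job needs.
# --cipher-algo AES256 pins the cipher rather than trusting a version default.
encrypt_stream() {
    gpg --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-file "$2" \
        --symmetric --cipher-algo AES256 \
        --output "$1"
}

# decrypt_file INFILE PASSFILE   (plaintext to stdout)
decrypt_file() {
    gpg --batch --quiet \
        --pinentry-mode loopback --passphrase-file "$2" \
        --decrypt "$1"
}

# backup_verified SRCFILE OUTFILE PASSFILE
# Encrypts SRCFILE to OUTFILE and returns 0 only if OUTFILE decrypts back to
# byte-identical content. A wrong passphrase file, a missing gpg or a
# truncated write fails here instead of being discovered on restore day.
backup_verified() {
    encrypt_stream "$2" "$3" < "$1"
    decrypt_file "$2" "$3" | cmp -s - "$1"
}

# Command-line use:  exporter | backup.sh OUTFILE PASSFILE
# e.g. (assumed Bitwarden CLI flags, check your bw version):
#   bw export --raw --format json | sh backup.sh vault.json.gpg /etc/backup/pass
if [ "$#" -eq 2 ]; then
    pass_file_private "$2" || {
        echo "refusing to run: $2 is group- or world-readable" >&2
        exit 2
    }
    # Spool stdin to a mode-600 temp file so the round-trip check has
    # something to compare against; it is removed on exit either way.
    spool=$(mktemp)
    chmod 600 "$spool"
    trap 'rm -f "$spool"' EXIT
    cat > "$spool"
    backup_verified "$spool" "$1" "$2"
    echo "wrote and verified $1"
fi
```

To restore, `gpg --decrypt vault.json.gpg` and type the passphrase; nothing but that passphrase (the one written on paper, as the thread suggests) is needed on the restoring machine. If the backup account has no home directory, point GNUPGHOME at a mode-700 directory it owns so gpg can create its keybox and agent socket.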
Powered Descent posted: (I just picked Blowfish since it makes for nice compact commands.)
This is an absolutely terrible reason to choose an algorithm. From a "don't roll your own crypto" post no less.
# ? Jun 17, 2021 06:21

Isn't GPG a dumpster fire of overcomplexity and outdated design that people want to go away but won't? Is there a decent file encryption tool based on libsodium?
# ? Jun 17, 2021 07:53

Not libsodium but perhaps age fits the spirit of what you want
# ? Jun 17, 2021 08:32

Pablo Bluth posted: Isn't GPG a dumpster fire of overcomplexity and outdated design that people want to go away but won't?
Yes if you care about the whole of the OpenPGP spec. OP doesn't, they just want a simple symmetric encryption tool which GPG can also do, though not as elegantly as desired. GPG is not ideal but it is cryptographically sound (not broken) and widely available. age isn't even packaged in current Debian, though it will be in Bullseye. Still, unless something critically flawed with GPG's symmetric encryption is found, I'll take the tool bundled by default in all Linux distros for more than a decade over whatever fad du jour. Give it 10 more years and if age is still the reference I'll switch to it.
# ? Jun 17, 2021 10:18

RFC2324 posted: thanks for all the advice. I'll get gpg written into my backup script
Eh, unless it was Tavis Ormandy or someone equally reputable I don't think I'd make serious software or security decisions based on a tweet. That said, if you work in a field where you need absolute trust in the software you're running, then get ready to independently audit every piece of code you run, which is fine but probably means Twitter is still not useful for that purpose.
# ? Jun 17, 2021 10:37

https://blog.fuzzing-project.org/49-Multiple-issues-in-p7zip.html
# ? Jun 17, 2021 11:07

p7zip is an abandoned fork done by an independent developer and not "official" 7zip, and certainly not under active development aside from that fork some dude has on Github that may well have its own issues. If you depend on half-decade old versions of abandoned projects then you obviously have to deal with the baggage that comes with that. Nothing in that post should really be taken as representative of the current state of 7zip. Sheep fucked around with this message at 14:37 on Jun 17, 2021
# ? Jun 17, 2021 14:10

Yeah, imagine using the most recent version of software offered by your OS distribution. Surely Debian wouldn't be shipping ancient software with unpatched CVEs, right?
# ? Jun 17, 2021 14:38

e: Never mind, not worth arguing over.
Powered Descent fucked around with this message at 15:01 on Jun 17, 2021
# ? Jun 17, 2021 14:57

Jabor posted: Yeah, imagine using the most recent version of software offered by your OS distribution. Surely Debian wouldn't be shipping ancient software with unpatched CVEs, right?
# ? Jun 17, 2021 16:01

BlankSystemDaemon posted: I'm curious, do you contribute to an open source project in some way?
What does that have to do with anything?
# ? Jun 17, 2021 16:09

the only thing i hate more than dealing with outdated packages is dealing with open source project contributors
# ? Jun 17, 2021 16:29

Jabor posted: What does that have to do with anything?
I'm not sure you'd be making that assumption, if indeed you are, if you knew how much work is involved in being involved with one of these large projects, especially considering how much of it is volunteer work.
# ? Jun 17, 2021 16:30

I am honestly lost at what point any of you are actually trying to make.
# ? Jun 17, 2021 16:33

https://twitter.com/AdmVonSchneider/status/1369300173441089538?s=20 It was this thread, I believe. The poster does go on to eventually say the latest upstream versions of 7-zip are better.
# ? Jun 17, 2021 16:47

Sickening posted: I am honestly lost at what point any of you are actually trying to make.
Infosec best practice: don't use any software.
# ? Jun 17, 2021 17:05

Klyith posted: Infosec best practice: don't use any software.
# ? Jun 17, 2021 17:17

Klyith posted: Infosec best practice: don't use any computer.
# ? Jun 17, 2021 17:34

Klyith posted: Infosec best practice: don't use any software.
# ? Jun 17, 2021 17:35

Klyith posted: Infosec best practice: don't use any digital device ever. The age of the computer is over, the time of the horse has returned.
# ? Jun 17, 2021 18:15

Klyith posted: Infosec best practice: don't
# ? Jun 17, 2021 18:15

BlankSystemDaemon posted: It seems to me that what you're implying is that Debian are aware of when they make mistakes by missing something, but do it anyway?
That open source projects of any complexity Are Hard does not obviate the reality that large projects do, in fact, make mistakes and have oversights and more than occasionally end up pushing distros out the door with CVEs still in them. The point isn't "lol u oss guys are turds" as much as "just because it's pre-packaged doesn't guarantee anything." Though it does at least make it more likely that the package isn't a total poo poo-show, and giving preference for pre-installed packages does make sense, generally. But doing your own due diligence is always the recommendation.
# ? Jun 17, 2021 18:23

Klyith posted: Infosec best practice: don't use any software.
# ? Jun 17, 2021 19:46

Infosec best practice: don't use any employees.
# ? Jun 17, 2021 20:30

wolrah posted: At least software can be easy to patch and rarely goes out of its way to sabotage you, the meatware is often the most exploitable part of a system and it's often actively hostile to attempts to solve that problem.
Why is this the first time I have heard the term meatware? I hate it.
# ? Jun 17, 2021 20:34

Cup Runneth Over posted: Infosec best practice: don't use any employees.
Just don't have any information.

Unrelated: doing some reading today and apparently the reason a lot of NSA tools are known to be tied to the NSA is because the NSA rolled their own crypto and while it actually worked it was unique enough that it became a unique fingerprint, which I thought was interesting.
# ? Jun 17, 2021 21:05

The Something Awful Forums > Serious Hardware/Software > The Infosec Thread: Don't use any software. Or people.
# ? Jun 17, 2021 23:24

BlankSystemDaemon posted: It seems to me that what you're implying is that Debian are aware of when they make mistakes by missing something, but do it anyway?
I care about outcomes. If the outcome is poo poo then it doesn't matter that the people putting the work in had good intentions. But mostly I was pointing out that "just trust the tools shipped with your distro and don't think about it", and "if you use ancient unpatched software with known CVEs then it's your own fault and you deserve what you get" are actually fundamentally incompatible positions given current reality, which is something that's a surprise to many people.
# ? Jun 18, 2021 01:15

Sickening posted: Why is this the first time I have heard the term meatware? I hate it.
Wetware is the term I've heard before. It's not much better.
# ? Jun 18, 2021 19:14 |