Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
The Something Awful Forums > Discussion > Serious Hardware/Software Crap > The Infosec Thread: Yes, time to move off LastPass
 
  • Post
  • Reply
Scikar
Nov 20, 2005

5? Seriously?

Antillie posted:

When I need to encrypt something in Python before I write it to disk I use the simple-crypt module. Despite its use of PBKDF2 with a 256 bit random salt I still tend to use the SHA256 of some random phrase as the initial password. In my specific use case I am trying to protect data that a user might backup to some sort of external drive or dropbox account. So if the USB drive is lost or the dropbox account is compromised all the attacker gets is a pile of AES encrypted gibberish since the python program that contains the password is stored elsewhere and not backed up by end users.

Your use case seems better suited for public-private key crypto rather than symmetric key like AES, and PGP already exists to do this for you.

* # ¿ Nov 20, 2015 19:23
  • Quote
Adbot
ADBOT LOVES YOU

# ¿ May 7, 2024 03:50
  • Quote
Scikar
Nov 20, 2005

5? Seriously?

Antillie posted:

If I ever need to change things so that each user's data is encrypted with a unique key then I would certainly go with 2048 bit RSA and generate a unique public/private key pair for each user. However at the moment each user only has access to their own data in their home directly due to filesystem permissions and anyone with root can already see the data I am trying to protect anyway.

I suppose I could replace the current way I am doing things with a single public/private key pair but I don't see what that would do other than slow things down. Or am I just not understanding your suggestion correctly?

Sorry, I misread your previous post and thought you were backing up the user data yourself.

* # ¿ Nov 20, 2015 19:58
  • Quote
Scikar
Nov 20, 2005

5? Seriously?

Three-Phase posted:

100% sure it was an attachment. Using that to spread a JPEG exploit is possible but based on that CVE it only seems to work with certain software and much older OSes (Windows XP) but on the other hand I am sure throughout the world there are still tons of machines running poorly updated copies of Windows XP.

Barracuda spam filters got a mention recently because they don't scan emails above 256kB by default, on the basis that spammers don't send emails bigger than that but scanning large emails is more resource intensive. I'm a sure a spammer using a botnet would be fairly happy to use up more of somebody else's bandwidth to get more emails through to inboxes though. So it might just be to add size to the email while using a file format that isn't suspicious itself.

* # ¿ Mar 18, 2017 17:18
  • Quote
  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply
The Something Awful Forums > Discussion > Serious Hardware/Software Crap > The Infosec Thread: Yes, time to move off LastPass