Messages - f0dder

101
IainB, I'm going to cut your prose short.

You revived the other thread, so that's where I posted objective reasons to avoid the product.

This thread is about a political issue, and thus this thread is where I ask why you're trying to solve a political problem with a (bad) technological solution.

Also...
security.png

102
Announce Your Software/Service/Product / Re: FrogTea
« on: April 04, 2017, 10:37 AM »
Well, that all looks pretty good, but some of the references here could be mistaken or out of date, I suppose. (I wouldn't know.) For those who are interested, there seems to be quite a lot of heavy academic documentation about it too, on the Internet.
(...)
If one wanted to explore this further, it could be interesting to know how xTEA has been broken, or something, and where that is documented, and how easy that might be to replicate for the average laptop/smartphone thief.
I haven't scoured the net, but I assume the notes on Wikipedia are correct with regards to TEA attacks. A 2^59 chosen plaintexts is "not exactly trivial", but the attack is six years old by now - and XXTEA probably isn't getting a lot of (public) attention since it's not a sexy thing to break. It's not one of the normally used ciphers, so why bother throwing a lot of resources at it?

For academia, that is. Our friendly three-letter agencies haven't got the same resource constraints, nor a drive for public glory.

However, for the purposes of securely encrypting the typical user's portable bits of personal/private/confidential HTML and text-based data (...)
If you have a hard requirement of no other requirements than a browser (e.g. no executables), perhaps - but I'd still look for other solutions. And it wouldn't be hard to cook up something with a proper encryption algorithm that still decrypts from html+js.

Other than that: threat modeling.

103
1) Don't be fooled into thinking VPN will secure your privacy on the internet, it's not what it was designed for.
2) Don't even consider using a free offering.

104
Don't use FrogTea - I've posted some reasons in the other thread.

What on earth is it supposed to help with, anyway? You're suggesting a product that's technically inferior to modern crypto, while not solving the issue at hand which is a politics based one.

105
Announce Your Software/Service/Product / Re: FrogTea
« on: April 03, 2017, 10:43 PM »
Don't use.

It's unmaintained software, the source is not available, TEA should be considered broken, and the page doesn't mention whether the algorithm is being used in ECB or a chained mode, nor whether any key stretching is being used for the input passphrase.
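
Added example, not part of the original post and not FrogTea's code: it shows why the two unanswered questions above (ECB versus a chained mode, and key stretching) matter. XTEA is written out here only as a stand-in cipher, since the product's actual variant, mode and key derivation are not stated; the PBKDF2 iteration count, passphrase and sample plaintext are constructed assumptions.

```python
import hashlib, os, struct

MASK, DELTA, BS = 0xFFFFFFFF, 0x9E3779B9, 8  # XTEA: 64-bit blocks, 128-bit key

def xtea_encrypt_block(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    """Encrypt one 8-byte block with XTEA (illustration only, not FrogTea's code)."""
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack(">2I", v0, v1)

def derive_key(passphrase: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Key stretching: PBKDF2-HMAC-SHA256 to a 16-byte key (iteration count is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=16)

def pad(data: bytes) -> bytes:
    n = BS - len(data) % BS          # PKCS#7-style padding to the block size
    return data + bytes([n]) * n

def encrypt_ecb(data: bytes, key: bytes) -> bytes:
    data = pad(data)                 # every block is encrypted independently
    return b"".join(xtea_encrypt_block(data[i:i + BS], key) for i in range(0, len(data), BS))

def encrypt_cbc(data: bytes, key: bytes, iv: bytes) -> bytes:
    data, prev, out = pad(data), iv, []
    for i in range(0, len(data), BS):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BS], prev))
        prev = xtea_encrypt_block(mixed, key)   # each block depends on the previous one
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = [ct[i:i + BS] for i in range(0, len(ct), BS)]
    return len(blocks) - len(set(blocks))

if __name__ == "__main__":
    secret = b"PIN=1234" * 4 + b"end"           # constructed sample plaintext
    salt, iv = os.urandom(16), os.urandom(BS)   # random per file, stored beside the ciphertext
    key = derive_key("correct horse", salt)     # constructed passphrase
    print("ECB repeats:", repeated_blocks(encrypt_ecb(secret, key)))
    print("CBC repeats:", repeated_blocks(encrypt_cbc(secret, key, iv)))
```

In ECB the repeated plaintext blocks show up as repeated ciphertext blocks, so structure leaks without the key; chaining with a fresh IV hides that, and the salted, iterated key derivation raises the cost of each passphrase guess. Neither addresses the weaknesses of the cipher itself or adds integrity protection.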

106
General Software Discussion / Re: LessPass password manager
« on: March 22, 2017, 02:35 AM »
Have they changed the core mechanics of how it works, or is it still 100% utterly useless?

Last time I looked at it, the design meant compromised master password == having to change each and every password you've used it for.

Also, what this guy wrote.

107
While VMs can be escaped, you should keep in mind that a VM escape is an extremely valuable 0day.

So, if you get a piece of "interesting software" containing a VM escape, there's basically two scenarios:

1) you're targeted by a nation-state, YOU'RE GONNA DIE AND THERE'S NOTHING THAT YOU CAN DO ABOUT IT.
2) you're dealing with a potentially nasty piece of malware, but it's using publicly known escape techniques.

Keep your VM software up-to-date! And don't even think about using sandboxing/containerizing software for testing BadStuff.

PS: while you're not super likely to find VM-escape in the wild, it's a lot more common for malware to have VM detection - meaning it won't activate when running in a VM, so it lulls you into a false feeling of safety.

108
What a shame :(

109
Man, ads in your operating system... ugh.

I quite like Windows 10, it's pretty snappy - but I really don't like this direction. Meh. Thought Microsoft had wised up with Satya Nadella and all, but... ugh.

all of systems we work on now have a licensed copy on Notepad++ installed.
Huh, there's licensed versions of Notepad++?  :huh: :huh: :huh:


110
Living Room / Re: What books are you reading?
« on: February 28, 2017, 04:55 PM »
Finally reading The Mythical Man-Month.
"Few books on software project management have been as influential and timeless as The Mythical Man-Month. With a blend of software engineering facts and thought-provoking opinions, Fred Brooks offers insight for anyone managing complex projects."

While I'm a developer and not a project manager, I've been told (and sorta agree) that it's one of the "really should read" books in the industry. It's probably a bit over-hyped, but nonetheless it's a good read so far (next chapter is "No Silver Bullet") - and it's amazing how little of it seems dated, even though the first edition is from 1975.

111
UFO Defense and Terror From The Deep were such great games - a shame that the series was never continued.

Steam used to bundle my bugfix loaders for the Collector's Edition Win32 port, but I believe they use DosBox these days... my loaders certainly aren't Win10 compatible, it seems.

112
So, the tool is basically a DNS switcher? Or switcher + null-routing with hosts file?

How does it prevent DNS leaks and tracks? Switching to a DNS server that claims doing this is not the same as actually preventing it.

The feature list seems a bit like false advertisement, if it's just a blocklist. While null-routing known malware hosts does prevent getting malware from those domains, that really doesn't qualify a product as "anti-malware".

How come it's hosted on sourceforge if the source is not available?

Also, a couple of things regarding DnsCrypt:
1) it doesn't encrypt DNS traffic, it cryptographically verifies that the replies haven't been tampered with.
2) using a DNS server that's listed as "supporting DnsCrypt" is meaningless, you don't gain anything unless you're running the DnsCrypt client yourself.

113
Developer's Corner / Re: Anyone tried the Nim language yet?
« on: February 24, 2017, 02:29 PM »
I skimmed half of https://nim-lang.org/docs/tut1.html, and the basic syntax doesn't look bad... but indentation based syntax is enough to put me off, especially when I don't see something that strikes me as a killer feature.

A powerful macro system with the ability to modify the AST might be interesting, but... dunno. I'm just not "feeling it" :)

114
Why on earth would anybody in their right mind join a thing like this?

115
Developer's Corner / Re: Windows Update Controller
« on: January 03, 2017, 03:37 PM »
Overall I really like Windows 10 (and it has some nice security and performance things under the hood!) - but Microsoft does seem hell-bent on enforcing a couple of things in ways I really don't like (telemetry, forced windows updates + boots).

I'll be kinda surprised if you get it to respect registry values!

116
While your traffic will be encrypted, there's no way to hide that your IP address is connected to and communicating with the destination IP address.
A VPN masks what you're communicating with - snoopers will only be able to see that you're communicating with the VPN concentrator. The destination host won't see your IP either, it will see the IP of the VPN concentrator.

But as already mentioned, it's not foolproof and there are ways to unmask you.

In short, a VPN can be a very secure tool for the right people in the right circumstances, but it's not a cure-all for everything malevolent on the internet.
Again: securely using the internet from an insecure location (hotel, café, whatever). Nothing more, nothing less.

If you're doing malevolent stuff and think a VPN will do anything for you, prepare for some jail time :-)

117
Living Room / Re: grab urls
« on: December 27, 2016, 10:16 AM »
I gave Downthemall a try, but is there a way to make the downloads delay every x seconds so that I won't abuse the server???
You can configure concurrent downloads and downloads-per-server in DownThemAll - that really should be all you need to avoid "abusing" anything :)

118
I guess "MDC WiFi" means the WiFi network on your college?

If you get HTTPS certificate errors while connected to it, your college sysadmins are probably some misguided fools that are doing nasty man-in-the-middle shit on your connections.

119
General Software Discussion / Re: alternative to filehamster?
« on: December 27, 2016, 09:49 AM »
Git, Mercurial or even SVN should be used when versioning is necessary.
For source control style versioning, sure.

But for backup-style versioning? Nope, nope and nope. What you need in that situation is very different from the history-from-the-beginning-of-time versioning style that source version control systems offer.

120
fSekrit / Re: Fsekrit fails to run Thai text searches
« on: December 19, 2016, 02:21 PM »
You're thinking of file encoding, though :)

Notepad (on NT derived Windows versions) uses the Unicode APIs. I just took a quick look at Ted Notepad, and it's a Unicode application as well. I haven't looked deeply at Ted, but Notepad internally uses a "Rich edit control", which (even on Win9x) internally uses Unicode. It's when interacting with the rest of the system you run into ANSI/Unicode issues - Win9x has an extremely limited Unicode support, which is the reason fSekrit is an ANSI application.

The issue is here :) - I could probably get away with just local modifications to that file to get Unicode search support, before doing the proper rewrite of the whole application.

121
A VPN connection is useful for securely accessing LAN machines across the internet (corporate use), or securely using the internet from an insecure location (hotel, café, whatever). Nothing more, nothing less. If you think you're getting "protection" or "anonymity", think hard about what you're doing and which consequences it could have; while it will be sufficient to hide you from a nosey neighbour, it doesn't take a nation-state adversary to decloak.

Stay the hell away from the "free" offerings, unless you have the technical skills (and spare time) to routinely inspect all the network traffic - there's been some "free" proxy and vpn software doing very, very, very dodgy things.

And even for the paid ones, even if the "we do not keep any logs" and "we are definitely not a NSA honeypot" statements are true, there are things that can be done without the VPN company coöperating, from hacking concentrator nodes to analyzing traffic at the datacenter.

There are uses for VPNs, but anonymity (especially combined with "anything worse than petty crime") is definitely not a safe use.

122
In this day and age, I would definitely go for LetsEncrypt for HTTPS certificates unless hard pressed to use something else. Self-signed certs aren't really appropriate for a public-facing website, even though they're technically more secure.

Dunno about code signing - aren't the options relatively limited?

123
Community Giveaways / Re: TIS-100, a programming game
« on: December 19, 2016, 12:45 PM »
TIS-100 is basically Human Resource Machine's older and veeeeery geeky brother :-)

124
fSekrit / Re: Fsekrit fails to run Thai text searches
« on: December 19, 2016, 12:44 PM »
Hey,

There's a pretty good chance that you are correct - fSekrit uses the ANSI rather than Unicode APIs for text searching. I didn't bump into this problem myself, since Danish is simple enough to fit into an OEM codepage. More complex languages like Thai will probably fail.

Plans for "version next" (which still doesn't have a timeline) is dropping Win9x support and being fully Unicode. It's going to be a while before I get around to doing that, but I might be able to add Unicode search as a minor upgrade to the 1.x line. I currently don't have a development environment on my home machine, though, and I'm waiting for Visual Studio 2017 to be released before I go through the trouble of setting it up.

I expect it to be a pretty easy fix, but will probably break Win9x support - something I wanted to avoid doing for version 1.x.

125
fSekrit / Re: FSekrit 1.40 Error Saving File
« on: November 24, 2016, 02:51 PM »
Good to hear the source of the issue was found, but damn - that's pretty nasty, and a somewhat convoluted workaround. It seems like the issue has been introduced with some (late-ish) Win7 update? That would explain why I haven't run into it, since I've been running Win8 and now Win10 for a while - at least those versions haven't been plagued.

I wonder if there's anything I can do programmatically against this. The SuperUser thread mentions "several minutes delay", so doing a couple of tries with a short delay between (as is done elsewhere) is not an option.
