Jump to content
Welcome, welcome! Come in and register, and have some developer coffee. 👨‍💻 ×

Recommended Posts

The MySQL database hosting project that I posted here is an example of PriSec Projects. 

The PriSec Projects consists of the following attributes:
image.thumb.png.56a734300f9383b90158700070b4d3e7.png

The goal of PriSec Projects was not to stop hackers from getting into the server but solving the root of data leakage(server has valuable data or metadata) by fulfilling the attributes above, essentially these projects will have post-data leakage security by its design from start. The service provider/server won't be able to follow the trend of big data or perform any data analysis work on their end. This series of projects will most likely have anonymous users and have special kind of account recovery.

A series of PriSecProjects that I had in mind:
1. PriSecFileStorage (started and have some progress)
2. PriSecDatabaseHosting (on hold until File Storage finished)
3. PriSecPay(Partially anonymization of sender and recipient on making/receiving payments) [on hold until able to find suitable users/clients through the 1st and 2nd project]

Any further information and updates will be make here if it's indeed a "PriSec" family.

Link to post
Share on other sites
  • 2 weeks later...
Posted (edited)

1. The PriSecFileStorage was licensed under "APGL-3.0"

This will be the source code that responsible for the PriSecFileStorage.

Client Application(C# Winform) (OS=Windows)
https://github.com/Chewhern/PriSecFileStorageClientApplication

Server Application (ASP.Net Core) (Web API) (OS=Linux Ubuntu)
https://github.com/Chewhern/PriSecFileStorage

Edited by chrono_legionnaire
Link to post
Share on other sites
  • 2 months later...

2. The PriSecDatabaseHosting was licensed under "APGL-3.0"

In summary, PriSecDatabaseHosting aims for providing confidential database to users.

In current stage, PriSecDBHosting was in prototype phase so do its client panel, do expect bugs. 
I was still doing documentation for quite a complex confidential database hosting.

Whatever I do, in earlier stage or in future stage, the ideology of sacrificing ease of use for security will not be gone soon though in future, the ease of use might increase a bit..

Client Application(C# Winform) (OS=WIndows)
https://github.com/Chewhern/PriSecDBClientPanel

Server Application(ASP.Net Core) (Web API) (OS=Linux Ubuntu)
https://github.com/Chewhern/PriSecDBAPI

Link to post
Share on other sites
  • 3 weeks later...
On 9/2/2021 at 9:02 PM, FlierMate said:

Hi chrono, how is the response of your GitHub repo? Any clones or downloads activity?

I hope all is well. As for me, too complicated for me to understand most part of your technique.

My repositories that have PriSec on it had been forked by an American Muslim. I wasn't quite sure if there's any downloads activity(not sure how to check) on my github. I also wasn't sure if there's users(I haven't check on my server side through sftp). I tried to reach out to people in reddit and atm I only get 10 upvotes.. Maybe the drawbacks is too great or maybe it's too confusing .. I don't really know ..

  • Good 1
Link to post
Share on other sites
3 hours ago, chrono_legionnaire said:

My repositories that have PriSec on it had been forked by an American Muslim. I wasn't quite sure if there's any downloads activity(not sure how to check) on my github. I also wasn't sure if there's users(I haven't check on my server side through sftp). I tried to reach out to people in reddit and atm I only get 10 upvotes.. Maybe the drawbacks is too great or maybe it's too confusing .. I don't really know ..

I think I saw that it has been forked. Nice.

You check the download activity through repo Insights --> Traffic.

10 upvotes are good enough, I get downvotes for my QR generator and only 6 upvotes for my compiler project.

 

Link to post
Share on other sites
On 9/4/2021 at 9:01 PM, chrono_legionnaire said:

Screenshot (19).png

Screenshot (20).png

Screenshot (21).png

Screenshot (22).png

Looks like your PriSecDBAPI was quite popular given the number of downloads, but it is intriguing that people viewing your PriSecFileStorageClientApplication did not download copies of your repo.

Edited by Mussel
Link to post
Share on other sites

Sometime, we might think is there any alternative solution ?

(correct me if any misunderstood)
The main idea of this project is secure data in hosting server.
If server management mistake may causes data leaked.


When we store our project in a server, (server code + database)

all the server side code, database config and password, all these data we want to secure.

 

If we use the server for database only, (client app + server database)

we can consider to encrypt the database,

only client app have the password to open the database stored in the server. (check database server features)

 

Another solution is client app have partial data (e.g. Index, important keyword),

client app have to use these partial data, to get the correct records from the server.

 

If the server is not secure, everything inside are at risk.

May be the most secure is store everything locally and do a regular backup...

😀 

 

Link to post
Share on other sites

Let's talk about the good and the bad. "Trusts"

(No pun intended)

Everything we use online revolves around "Trusts". Majority of the services do require us to trust the service provider. However, it's up to people to decide is it naive or is it there's no other way? Why said so? I will assume you have already understand what I post regarding the Post-Compromise Security Model. Let's use this website for an example, when we ask cloudflare to sign the certificate that generated locally in this website's VPS[I know it's quite tech-savvy for people], there're 2 questions that we need to ask. Can we really trust the owner behind this website's VPS? Can we really trust cloudflare to not leak their private key that was used to "label" this website's certificate as secure(In chrome, the secure is represented by a green lock logo)? Indirectly we also have to trust the experts behind cloudflare.. However, all these trusts don't prevent data get leaked.. If that's the case.. why... is there a need to hire experts in the first place? To prevent or to guard the server ..? or to get the users to trust the company? Now that the damage has been done .. and security has lose its purpose.. 

The "Trusts" that required by these services are absurd. Similar incidents can be said to Solarwind attack, Facebook data leakage and even government own data center was being hacked/leaked. We as a human, be it come from technical background or non-technical background. Sadly to say, we learn nothing from these incidents. This chain of "Trusts" are what made up our society .. People have to understand their actions and the corresponding risks, effects and consequences..

This whole "trusts" system was flawed. However, at the moment, there's no way to actually eliminate the technology built on "trusts" but we have the ability to not put huge "trusts" towards the technology. The decision is what makes up the market ... That's a sad truth. 

Link to post
Share on other sites

The "trusts" was a flawed mechanism but people don't want to give an opportunity to the services that build on reducing the amount of "Trusts" needed. That's why we are still using common services. 

When we talk about security, there's always pros and cons. There's no such thing as 100% security/privacy. Regardless how the company/corporate or individual manage and guard.

When we talk about "trusts", there're 3 levels of "trusts":
1. Users required to put "trusts" towards the service provider(example are google, GDrive, Firebase, AWS.. and even minor server/web hosting).
The advantage of doing so is the user received an ease of use feeling when using the services and able to recover any lost data.
The disadvantage of doing so is the "trusts" of user towards the service provider will gone if the service provider gets hacked. 

2. Users required to put 50% "trusts" towards the service provider(example are sync.com or any other similar services that claimed to have "zero access") and the service provider will need to put 50% "trusts" towards the users. 

Glossary: "Zero Access"/ "Zero Knowledge" refers to the service provider unable to decrypt anything user uploaded or do at their servers from service provider point of view.

Note: If you are tech-savvy enough, you should go and understand their security paper. You will realized that all of them uses password/passphrase. However, let's be honest, users won't give a damn towards the golden rules in choosing passwords/passphrase. This kind of approach is a 50%-50% "trusts" model. If the server gets hacked, similar forms of hashed passwords(some case.., expect they store in encrypted form/plain text which is exactly like how user typed) will dumb out to the internet in an exchange for account/data recovery. If the user doesn't know what they are doing, this model only consists of 50% "trusts" which are user "trusts" towards the service provider. 

3. Service provider required to have 100% "trusts" towards the users while users need to either put 10% "trusts" towards the service provider or put no "trusts" towards the service provider.

This is a very tricky "trusts" model, the service provider must avoid all possible security holes(there're limits) and try to not collect any sensitive/private data when providing the service. If done right.., the service provider side can have the guts to say they don't need to afraid of the data leakage/breaches that involves with confidentiality or privacy. 

My project idea was based on 3rd "trusts" model. However, there're drawbacks.. among one of them is if you lost the key(For people who don't understand.., assume the key is as important as your passwords), you can no longer login and service provider can't provide any data or account recovery function. 

The 3rd "trusts" model gives the service provider server a security boosts in which to some extent, they don't need to be afraid of leaking data or being targeted by hackers. 

The details are quite technical.. as to why they can do that .. In simplified terms, the 3rd "trusts" model has nothing to hack as it has no value to hack in the beginning(has some limits). The reason was that the 3rd "trusts" model puts all valuable data back into user control and this control is full control. 

The damage scale can be seen below.

1st "trusts" model:
~ Let's assume there're 100k of users using the service. If the service provider gets hacked, the damage will be delivered to all 100k users as seen in facebook data leakage incident. 

2nd "trusts" model:
~ Let's assume there're 100k of users using the service. If the service provider gets hacked, the damage will be delivered to 10k-50k of users(this heavily relies on the security measures of the service provider and the users know what they are doing, hence the damage scale is uncertain and greatly depending on the 2 factors).

3rd "trusts" model(simplified and there're technical things that I haven't mentioned and I don't think mentioning will make what I typed here more understandable .. ) : 
~ Let's assume there're 100k of users using the service. If the service provider gets hacked, the damage won't be delivered to all the users. However.., this greatly depends on the user. If 100k of users using the service, maybe around 10k of users lost their important keys.., the other 90% of users won't be affected. The damage scale is now user side key lost rather than the server gets hacked that causes the users receive damage.

The idea of PriSec Projects was all based on 3rd "trusts" model and the "Post-Compromise Security" model. If data leakage/breaches are unstoppable, why stop it in the first place? Based on this "unstoppable data leakage/breaches" assumption, let's be pragmatic, what we can do to maximize the damage reduction on user side. 

Edited by chrono_legionnaire
Link to post
Share on other sites

If you understand what my real aim was in my PriSec projects, the goal was never to secure data in server. If the goal was to secure data in server.., why not I do the same thing as GDrive, Firebase, AWS or any other similar services? I don't wanna do that, it's a suicide move from security point of view.., users can enjoy ease of use but in exchange their privacy and security were sacrificed. If I "secure data" in server, I won't even bother with user's privacy and security. The question then now becomes, will the target users accept what I do? Will they able to accept the fact that they are now the target ..? 

I hope that there're 100% privacy/security solutions but it's not possible.
 

5 hours ago, flashang said:

If the server is not secure, everything inside are at risk.

May be the most secure is store everything locally and do a regular backup...

If you understand the terms and my motives, you will understand that by using the third "trusts" and "post-compromise security" model. I am essentially mimicking the "store everything locally and do a regular backup.." in an online way. I believe that this is the current most secure and privacy friendly way as opposed to the first 2 "trusts" model. 

The choices are up to users whether they want to do it like the way u stated or choose a hybrid way like what I stated. Regardless of what people choose, I don't think this will suit public. Hence, this is the main reason why I target only privacy/security conscious users. 

Side Note: For majority of users, if the service provider does not force them into protecting their own data. They will just leave everything like the way it is as default settings is always the best settings?

Edited by chrono_legionnaire
Link to post
Share on other sites

When you store some important things at somewhere,
you should at least add some simple lock, to prevent unauthorized access.
But why people forget this when online ?
 

5 hours ago, chrono_legionnaire said:

I hope that there're 100% privacy/security solutions but it's not possible.

More government are roll out policy for online identity.
All the services you used will be logged with timestamp.
Irresponsible comments / sharing or forwarding of fake news may be summoned by the police.

More security and data leak issue happen,
some service provider may have different packages.

But, they have to comply with government policy.
Beside service provider, you may also have to give your data if required.
 

🤔

 

Link to post
Share on other sites
6 hours ago, flashang said:

But, they have to comply with government policy.
Beside service provider, you may also have to give your data if required.

Yup, that was indeed the case and it has been proven as well. However, I don't think it will be an issue.

 

The 2nd "trusts" model consists of protonmail and tutanota that uses user password as master encryption key. If the users know what they are doing, the master encryption key can't be brute force nor it can be leaked. Given in this case, sure they(service provider) can give data to the government or any other similar agencies. However, let's be honest, if the users have good security knowledge, the data that they give to law enforcers just wouldn't be meaningful.

 

The 3rd "trusts" model consists of Signal messaging application. Did government banned it?.. Obviously not.

 

Let's talk about what can the service provider do? You will need to bear in mind open source is powerful, adding backdoor is gonna be too risky and near impossible. However.. they(service provider) can do something on it.. 

 

Let's first talk about signal, signal encrypts whatever they can in a way that only user can decrypts it. This can be said for contacts and all kinds of stuffs. However, based on what I understand why they are allowed to exist was because users want this and law enforcers can use the fact that public communicate on clear net with the user actual own IP address. They(law enforcers) can hack the device as they wished to know what's going on (can be both sender and recipient or just sender/recipient) instead of having backdoor to the device like in Malaysia. 

 

This is a little controversial, protonmail and tutanota do claim that they will cooperate with law enforcers. How did they do it ..? They do it by logging the user IP addresses. In scenario that they need to hand data to government, they can hand the IP addresses of users to the government. This was proven based on the recent protonmail incidents (Paris France climate activists). 

Also, if you look at protonmail or tutanota, they accept fiat currency that has been tightly regulated or accept any cryptocurrency that is "public" .. that's why you didn't see they accept monero as one of the cryptocurrency payment. 

 

These laws are necessary to comply for them.. These data are there for regulatory purposes and these data won't be meaningful (for most of them, there're exceptions).

 

In general, the trend in western government was to have half anonymity for users. I believe that it will be soon adopted globally as well.

 

As for my application.., I currently use PayPal as fiat currency payment platform and I won't cross the line in making the server side anonymous. Client side anonymity is fine.  This fulfills the concept of "half anonymity". If I fulfilled "half anonymity", I don't think I will be in trouble.

 

I hope that you understand why I said that as I know tech in areas you might not be familiar with. A side note, there's a high chance that open source hardware will soon be a norm in western society. Relying on backdoor (western society) will most likely not work anymore in future. 🤣🤣 I am actually quite optimistic regarding the tech future

Edited by chrono_legionnaire
Link to post
Share on other sites

Open Source hardware is another topic which may have a lot of "trace records".

 

To simplify this content for more "human friendly reading",
may be reduce technical keyword and use more common terms.

 

To protect data (no matter stored in local or server),
using strong password (or machine generated password, fingerprint, ..., etc),
everyone know, but how many people do this ?

 

How about those software company ?
Why data leak issue happened on those big software company ?
What action they do to reduce the damage ?
How to prevent similar issue happened in future ?

----------
Anonymity or half anonymity, if nobody was harmed (no violate regulation), who cares ?

Secure communication between user and services (e.g. online shopping, online banking),
to protect individual information been steal or fraud.

 

When something happen,
hospital might call all the people who have visit certain place for swab test.
police can ask individual to surrender their social media account and password.

 

🤔

 

Edited by flashang
Link to post
Share on other sites
12 minutes ago, flashang said:

To simplify this content for more "human friendly reading",
may be reduce technical keyword and use more common terms.

I wished I could.. but because the technology does not comes from common technology .. It's not impossible but it's very hard for me to describe it in common terms as they are not common technology in the eyes of public.
 

14 minutes ago, flashang said:

To protect data (no matter stored in local or server),
using strong password (or machine generated password, fingerprint, ..., etc),
everyone know, but how many people do this ?

Yup .., that's the problem .., if possible all my applications won't be using passwords again.. storing important keys which is similar to passwords(symmetric key/public key cryptography key's private key) will be an issue. If done correctly.. my proposed login mechanism should have a higher chance in logging into the system without the need to remember the password but they do need to remember where do they store the private key or symmetric key
 

16 minutes ago, flashang said:

How about those software company ?
Why data leak issue happened on those big software company ?
What action they do to reduce the damage ?
How to prevent similar issue happened in future ?

To be honest.., if it's possible to stop the attacks from happening. The leakage/breaches or ransomware or any other similar incidents had been gone by now. There're a lot of issues like mismanagement, insider risks and threats(for example how the employees store their own credentials as a staff, how the developers store and process the passwords, how to balance the power of privileged staffs in the company..., and etc). Any companies(exclude government as they are the "protector" or any technology that involves backdoor) either put their own self interests at first or can do whatever they want as they do trust in government backing up or the law is indeed there to protect? 

If let's say they put their own self interests at first(90% the case), there's nothing a normal user can do.. The users were forced to be a product against their will? For companies that are too big to fall, government will backed them up like in solarwinds.. and others similar incidents.

If government asks the company to include backdoor like in Windows, chip manufacturing and etc. The backdoor will be there for a moment until people do realized it. Majority don't mind as they are there to safeguard the public. However.. this isn't the case for cybercriminals, they can discover the backdoor and use it whenever they see fit. 

There's no absolute right or wrong. Regardless how a company runs and make decision, if the company chooses to put their own self interests at first.., make sure they are able to do their job well.. The same goes for implementing a backdoor..

In these 2 examples, you just can't hide or cover something forever.. Like NSA added some mathematical notation in an encryption algorithm, the public suspect it as a backdoor.. however.. as time goes on.. the notation or the mathematical value that NSA put into the algorithm was proven to strengthen the strength of the encryption algorithm.
 

40 minutes ago, flashang said:

Anonymity or half anonymity, if nobody was harmed (no violate regulation), who cares ?


Sooner or later, I believe that backdoor will lose its purpose(to some extent, there'll be scenarios that this still works) and government are forced to find ways to protect their citizens. Relying on backdoor is not something that is long lasting..

I understand the role of government but in the same time I do also understand the concern that western individualism people had.. The best outcome will be to achieve something called as "status quo". As long as technology still being developed, I believe such technology will be accepted by public sooner or later though this'll be a controversial topic as time moves on. It's like asking the public.. national security and personal privacy which one is more important? It's also like asking which statement is true..? The people are there for government or the government were there for people? 

Do you think there's a need to further discuss? I can't discuss it in a way that common people can understand(can try to learn and master but not at the moment). If people are fine with us discussing here.., do let us know otherwise it's better for us to move this conversation to personal chat.. Don't you think that's better? @flashang

Link to post
Share on other sites

Extended to more smaller topics...

Bank industry from provide security token to software token.
Some OTP sms switch to app message or email.

Using password to get key for decrypt,
this should be most cost-effective solution.

----------
Government or some company create backdoor for their own convenient.
They can do this on you, they can do this on everyone else.
Trust is easy to lose, but hard to earn back.

Some organization use different brands firewall together,
because every brand have their weakness.
(or may be they don't trust them all)

People are looking alternative solution, even though they have
to reinvent the wheel.

🤔

 

Link to post
Share on other sites
1 hour ago, flashang said:

Bank industry from provide security token to software token.
Some OTP sms switch to app message or email.

OTP or common scheme works the best if you hand in your personal credentials like phone number/email address to them. There're other alternatives for sure. But giving in personal credentials are consider the most effective way to do it. If you give them the personal credentials.. Users have to trust these information wouldn't be leaked and won't fall victim to usual social engineering attacks.
 

1 hour ago, flashang said:

Using password to get key for decrypt,
this should be most cost-effective solution.

In general they will be using something called "PBKDF2" or "Argon2" that comes from Scrypt or BCrypt or any cryptography library. What they are doing was to take your password and derive a master encryption key from it through using PBKDF2 or Argon2. We all know the strength/drawbacks of doing so. There may be more ways to do it.. 

Cost-effective wise.. I think it applies for 50% of the cases as the service provider side need to make sure they don't lost the hashed passwords(do it properly through PBKDF2 or Argon2). It may be commonly available and easier to understand for public but there's a drawback in which given enough time.. the passwords can keep on being guessed by putting it into the same PBKDF2 or Argon2(depends on the service provider side implementation). This makes the login/creating encryption keys/creating public key cryptography private and public key material strength much much weaker. From my point of view.., if the service provider side do leak the hashed passwords or normal non-processed passwords.., the damage has already been delivered.. it's just how long it takes for users to receive the damage.

This is the most commonly available solutions for public but ... again ... the drawbacks and the responsibility require 2 parties to accept. If something bad happens, they(users and service provider) can't blame each other as they acknowledged the drawbacks and the responsibility that they promised to bear. Not to mention.., sooner or later.., passwords(in my opinion) may be deprecated.. as the computational power become greater, it will be a ticking time bomb that all our services/solutions that based on passwords/passphrase will be render useless. It may not be the case at the moment.., however it will be the case in future. This is something that has great uncertainty because it depends on the factor that whether the computer will reached that level of computational power or any other plausible factors. I personally believe in that passwords/passphrase will not be as cost effective or will be rendered useless as time goes on. However.. I wasn't sure if this will happen. Passwords are easier to understand for public but it's also the easiest to go wrong as we already know what had happened on both service provider side and user side.

If leakage do happens.., using such scheme.., the reputation on the company had already been damaged.. let alone having the passwords(can be hashed or weakly stored) is .. going to make matter worse(there's no worst but there's worse). The reason I said that is because users will repeat their passwords(they can remember easily). Not to mention, they might also need to pay some "remedy" funds towards themselves or their customers .. This is the mutual drawbacks if the system involves with user secret such as password or storing any private key(public key cryptography - X25519[Key Exchange],ED25519[Digital Signature],RSA[public key encryption/decryption or Digital Signature], DSA[Digital Signature], Diffie Hellman Key Exchange, ECDSA[Digital Signature], ECDH[Key Exchange])/symmetric key(AES/ChaCha20/Salsa20/any other industry standard) on user behalf in the server.. 

You can check your passwords/email address/phone numbers have been leaked/breached by using this link below..
https://haveibeenpwned.com/

The other approach that I was using right now in my applications(I hoped to not bring in more technical jargons..) relies on well audited open source cryptography library. This is another approach that is readily available(can be painful to search). My approach was simple.. I tried my best to not collect any private key or symmetric key on server side or involves with any user secret.. To be honest.., it works(has limits) as my application now involves only 10% of user's secret(the database hosting's mysql password login credentials and it was generally used to authenticate rather than using it as encryption key[Based on my understanding mysql.. does not ship with encryption key by default.. not to mention.., the one that involves no user secret..]). The lesser the user secret on server side.. the better it is as it will not be a target for hackers because it's not worthy anymore.... 

People can try to search and look up for public key authentication. This is what SSH uses when the user does not use passwords. My application works the same.. It generally uses public key digital signature algorithm(ED25519/any other plausible algorithm) to login.. The idea behind this was "simple", the user keep their own private key and send the public key to the server. Every time user wants to login/authenticate.., server will send a challenge(random data that's at least 128 bits) to the user. User will then use their private key to sign the data. The signed challenge will then be transmitted back to the server. The server will use the public key that user sent to verify the signed challenge. If verification succeeded, the user is indeed who they claim they are(assuming the user didn't give or leak the private key to anyone else). This whole login process is only applicable in web API instead of web page/sites. Web page/sites can still do it.. but .. it will be more difficult to implement compare to web API. Not to mention.., users dislike having troubles.. For websites/webpages, developers(majority) does not know they can implement this as they haven't heard of it..

Currently, this approach relies on users keeping their private key secure and private.. If they lost it.. the whole login mechanism breaks and the wheel had to be reinvented to suit this kind of approach. I don't do it because initially I thought about it.. binding email address/phone number or to request account recovery through that .. simply does not work.. The account recovery only works for login but not for data recovery. 

This approach is consider as "user secret-less" approach.. However.., if you do understand PKI(public key infrastructure) and PKCS(public key cryptography system), you will know that this has its own drawbacks.. If I describe these here.. more jargons .. and harder to understand..

The proposed approach that you are suggesting is more friendly to majority of the developers and users as well.. My proposed approach.. is not that friendly and requires time to understand .. as it is something they didn't use or learn at all. I am more confident in using my approach.. but it also heavily relies on the developer's knowledge and the availability of cryptography library..

If users are interested.., try to understand what's the possible threat of quantum computer towards public key cryptography system and symmetric encryption. PKCS is more vulnerable compare to symmetric encryption.
 

1 hour ago, flashang said:

Some organization use different brands firewall together,
because every brand have their weakness.
(or may be they don't trust them all)

It works the best if the service provider has no valuable information/asset to hack/steal in the beginning.. However, we all know this isn't the case..

There could be many reasons.. but in general firewall works the best.. if you do it by yourself. There's no doubt what you are saying was correct. You can either have strong network(rely on firewall or network security experts) or have strong data defensive approach(nothing to hack/steal). In cases that these 2 conditions can't be met, the latter approach lasts longer and it's easier and more costs effective as opposed to the first approach.

There's one saying in security.. "Better be safe than sorry". Patching the security holes by applying another security hole... This is a cycle never ends.. Cybercriminals will keep on be our "teachers" even though we don't like it.. 
 

1 hour ago, flashang said:

People are looking alternative solution, even though they have
to reinvent the wheel.

Yup.. this is the case for me.. and this applies to majority of the services as well.. MFA(common) is suitable if the users care for security but not privacy.. However, it becomes a question that's worth asking.. who protects those private credentials? If people don't want to use MFA.., it is suitable for privacy.. but not security. It's like a paradox that can't be solved.. 

There're a lot of give and take when we talk about security. I hope only "give" exists in security but this wasn't the case.. 

MFA is a give and take solution.. (I would consider it as pick a poison)
PKI is a give and take solution.. (I would consider it as pick a poison) 
The lists just never stop.. 

Edited by chrono_legionnaire
Link to post
Share on other sites

Chrono, were you an InfoSec student? I am starting to love your explanation. I set my goal to become security specialist one day (in fact, the course duration is 5 days only, but costs RM 5000++).

I think your open-source project fits nicely in Cybersecurity subforum, do you think so?

You mentioned social engineering and PKI (cryptography?), which is to be studied in the CSS(Certified Security Specialist) course as well. 

 

 

Link to post
Share on other sites
36 minutes ago, Mussel said:

Chrono, were you an InfoSec student?

I am just an ordinary computer science student(diploma graduate).. My lecturers didn't mention or teach these stuffs to me. They do mentioned something related to cryptography .. but they are not explaining it in a clear way nor do spark my interests..
 

40 minutes ago, Mussel said:

I am starting to love your explanation. I set my goal to become security specialist one day (in fact, the course duration is 5 days only, but costs RM 5000++).

If you do become security specialists, do come back and read what I have typed/talked here. You will realize what I typed/talked are just the tip of iceberg. I am not a security experts by all means nor I will become.. It takes time .. not to mention the costs needed.. If I do become security specialist(can be cybersecurity/information security).. what I will be focusing on is to research and publish solutions that are generally aiming to solve certain level of insider risks/threats as I believe by solving those problems ... The company can be safer and there's more privacy for users.

What I was serving right now.. was based on my understanding of the basic concepts of the terms and issues.. I know what are they(the pkcs/symmetric encryption/any other possible stuffs) but if you asked me exactly how they work ... I can't answer that to you.. 

43 minutes ago, Mussel said:

I think your open-source project fits nicely in Cybersecurity subforum, do you think so?

Maybe .. Originally, I don't think of putting it into cybersecurity subforum. I suppose I can put it into cyber security subforum but if and only I learned something new..
 

1 hour ago, Mussel said:

PKI (cryptography?)

PKCS by itself was not complete.. That's why PKI was there to help PKCS to become "complete" .. However.., like I said, it's a "pick a poison solution" .. We are throwing "trusts" issues to other or we are facing our own "trusts" issues.. and PKI is something that fulfills this requirement as well.. 

The more you understand.. The more you realized that things aren't going to work that way.. In certain situations.., you have to choose between privacy and security.. There're situations that we don't need to do that as they both comes together..

Surprisingly based on what I understand.. If a service provider aims for creating privacy based solutions.., generally.. their servers are consider secure compare to public servers.. 

They won't be complete as there's always a missing link that can either be solve or can't be solve.. Time will tell.. 

  • Like 1
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...