Most Popular

1500 questions
48 votes, 2 answers

Who owns the gpg key 4AEE18F83AFDEB23 and how did it sign a commit in my GitHub repo?

This commit in my GitHub repo is signed by a key I don't recognize: https://github.com/jonathancross/jc-docs/pull/2/commits/124672699991af75dd2454831670758f08bc74ab What is going on here?
Jonathan Cross
48 votes, 5 answers

Is laptop "secure sleep" mode theoretically possible?

For laptops with full disk encryption or home folder encryption, one of the risks if it is stolen while in sleep mode is that the encryption key is stored in memory and can be read if an attacker knows how. To me, it seems that, in theory,…
Peter Rankin
48 votes, 5 answers

How often should an SSH key pair be changed?

I've been using a 1024-bit RSA key for passwordless SSH between my own systems for years. More recently I've also started using it for passwordless access to my hosting providers and to source code repositories. Is using the same key pair for an…
Tim Lesher
48 votes, 2 answers

How do I use Markdown securely?

How do I use the Markdown library safely? What do I need to do to make sure that its output is safe to include into my web page? I want to allow untrusted users to enter content (in Markdown format). I'll use the Markdown processor to generate…
D.W.
48 votes, 2 answers

What to do when using your private key from another computer?

I'm going to be connecting to one of my servers from my boss' computer (Win 10) using PuTTY. In order to do so, I'll be using my private key. Is there anything I should do before/after to prevent my key from being stolen? My plan was: Install…
sysfiend
48 votes, 9 answers

How should high net worth individuals secure their financial accounts?

I try to follow account security best practices (strong random passwords, password manager, multi-factor authentication, etc.) but I still find myself worried about potential compromises to my accounts, in particular financial accounts (e.g., banks,…
Logical Fallacy
48 votes, 6 answers

Why don't OSes protect against untrusted USB keyboards?

Lately I've been reading about things like BadUSB and RubberDucky which are essentially USB sticks that tell the computer they are a keyboard. Once they are plugged in they "type in" whatever commands they were told to execute. My question is, why…
trallgorm
48 votes, 3 answers

Why would the government collect Wi-Fi SSIDs via manual door-to-door questioning of citizens?

I live in a country with little freedom on the Internet (not as strict as in China, but some sites, particularly anti-government sites are inaccessible without a VPN). Recently the government just went collecting the Wi-Fi names of every house. I…
Ooker
48 votes, 3 answers

Docker as a sandbox for untrusted code

I have created a web application that among other things allows users to write, compile and execute code (Java, C#). The application creates a Docker container for every user where compilation and code execution takes place. I have taken the…
Hartger
47 votes, 11 answers

Why are ransom attacks successful?

I just read that "ransom" attacks are on the rise - where the attacker uses a vulnerability to enable them to encrypt files and demand money for the key. Why is this any different to a disk failure, where the solution is "get the backup"?
GreenAsJade
47 votes, 3 answers

Should password reset tokens be hashed when stored in a database?

Passwords are hashed so that if someone gains access to a database of passwords then they won't know what the actual passwords are and so they can't log in. If I can get a valid password reset token however (the kind which would be emailed to a user…
Ian Warburton
47 votes, 3 answers

Is Git crowdsourcing cryptographic attacks?

A strong cryptographic hash makes collisions unlikely. Many cryptographic protocols build on that fact. But Git is using SHA-1 hashes as object identifiers. So there are a lot of already computed hashes out there in the public Git repositories of…
MvG
47 votes, 8 answers

What are some considerations before moving personal data to Google Drive?

I am considering uploading some (all) of my digital personal data to Google Drive. I guess this would instantly grant access for NSA to my data. (Is that right?) Who would have access to my data on my gDrive? After deleting some files on the Drive,…
gen
47 votes, 6 answers

"Real" Salt and "Fake" Salt

During a Q&A period at DEFCON this year, one member of the audience mentioned that we're using "fake salt" when concatenating a random value and a password before hashing. He defined "real salt" as something seen in the original Unix crypt…
Jeff Ferland
47 votes, 4 answers

Determine if private key belongs to certificate?

Given a certificate¹ and a private key file², how can I determine if the public key on the certificate matches the private key? My initial thought was to simply encrypt some text with the public key on the cert, and attempt to decrypt it with the…
Thanatos