In simple layman’s terms, what is the Heartbleed Bug in OpenSSL?
The bug itself is pretty technical, so let's break it down from the top.

The Internet
The modern web is powered by a set of protocols (rules and formulas that describe how to exchange data) which computers use to talk to each other. HTTP is the protocol that powers websites: it's how your browser asks for a webpage and a server somewhere sends you that webpage and all the links.

How SSL works
Encryption is done by using something called keys, which come in pairs. These are special files that can only decrypt stuff that's been encrypted by the other. There's a public key, which your computer gets, and a private key that only the server has. This way only you and the server can read each other's messages, and they can't be intercepted by anyone else. [1]

OpenSSL
Remember, SSL is just a protocol, so there still has to be software that actually uses these rules and lets computers talk. The most popular such software is called OpenSSL, an open-source project that's used on lots of servers (and lots of devices, like your internet router and mobile phone).

What is a heartbeat?
Connections over the internet take time and processing power to set up when you first use them, so we try to avoid repeating that by keeping things alive. This means sending a tiny bit of data to let the other computer know that you're still on the line and not to close the connection. In SSL this feature is called the heartbeat (hence the name Heartbleed).

The bug
When your computer sends a heartbeat to the server, it delivers a little bit of data (called the payload) and a number describing how big that data is (in bytes). The server then responds with the exact same thing, by storing your message in memory, then copying it out and sending it back to you. It knows how much to copy and send back because your computer told it how big the message was. Unfortunately, in certain versions of OpenSSL the heartbeat feature had a bug in one single line of code, which didn't check if the size you claimed was actually the size of what you sent.

This meant you could send a tiny bit of data (just 1 byte) and claim it was a lot bigger (up to 65536 bytes). Without this security check the server just goes ahead, takes a big chunk of memory and sends it back to you, thinking that's what you sent it originally. You can probably see the problem here, since you get back information that contains stuff you didn't send, and because this is easy to automate, an attacker can start to download lots of these chunks and get a good look at what's in the server's memory. It can be passwords the server is processing as people are logging in, it can be emails and billing info, or in the worst-case scenario it can be a copy of the server's private encryption key. If someone gets their hands on this they can start looking at any of the data being sent between the users and the server without them knowing. This is obviously really bad.

The impact
The fact that there's no actual hacking involved here, other than changing what you send to the server (which is very easy to do), means that this attack is practically undetectable during the 2 years that this bug has existed. [2] A lot of sites out there have OpenSSL running somewhere, so it's a big target for attacks, but updates are happening rapidly. There haven't been reports of any major breaches, but again, it's hard to even know it happened. OpenSSL is also used in lots of other things, like business software, smartphones and other devices, so there's that whole angle that hasn't really been analyzed yet.

The fix
Anyone operating websites will have to upgrade their OpenSSL software and install new SSL keys (revoking the old ones) to cover all possibilities. There's not much the average user can do. Changing your passwords is recommended, and should be done once the service you're using has updated their software (all the major sites have by now). Also, anyone using Chrome should make sure that the "Check for server certificate revocation" option is checked in their browser settings. Any apps on your desktops, tablets and phones should be checked and kept up to date as well during the next few weeks.

This is a simplified explanation of how it all works and is not completely precise or accurate on the technical details, for the sake of understanding. Please read the links below if you're interested in learning more.

- The official Heartbleed Bug site, with a good Q&A.
- Video explanation by Elastica: OpenSSL Heartbeat (Heartbleed) Vulnerability (CVE-2014-0160) and its High-Level Mechanics.
- For more technical details, Troy Hunt has a great blog post: Everything you need to know about the Heartbleed SSL bug.

Note: SSL (Secure Sockets Layer) is an outdated name and design; the modern name is actually TLS (Transport Layer Security), and uses TLS v3.

[1] TLS keys actually come from certificates that are purchased from trusted vendors. The vendor checks your credentials when you get the certificate, so that when you install it on your server a visitor's browser will see that it's been verified by this vendor and is the right server. Also, these keys are only used once, to generate a new key that's smaller and used for everything afterwards. This is all based on the magic of public-key cryptography.

[2] Network traffic analysis can reveal attacks by checking the order of heartbeat signals (if they happen before the TLS authentication handshake), if they occur at non-standard intervals, or if the server has responded to heartbeat requests with very large responses. Advanced firewalls can also check current traffic by inspecting packets to see if the payload size matches, and edit or block bad requests.
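An added example, not part of the answer above and not OpenSSL's own code: a Python simulation of the heartbeat record (RFC 6520 layout: 1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) handled two ways. The vulnerable responder trusts the two-byte length field (so the largest claim is 65535, the field's maximum) and echoes that much from wherever the record sits in memory; the fixed responder applies the bounds check from the OpenSSL 1.0.1g patch and silently discards a record whose claimed payload does not fit in what was actually received. The "secret" bytes placed after the record are constructed to stand in for whatever neighbours the record in the server's heap.

```python
# Added illustration of the Heartbleed length check; this is not OpenSSL's code.
# HeartbeatMessage layout (RFC 6520):
#   type (1 byte) | payload_length (2 bytes) | payload | padding (>= 16 bytes)
import struct
from typing import Optional, Tuple

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER_LEN = 1 + 2      # type + payload_length
MIN_PADDING = 16        # RFC 6520 minimum; zeros here instead of random bytes

# Constructed stand-in for whatever happens to sit next to the record in heap memory.
SECRET_MEMORY = b"session=abc123; -----BEGIN RSA PRIVATE KEY-----"


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. claimed_len lets the sender lie about the size."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, length) + payload + bytes(MIN_PADDING)


def respond_vulnerable(memory: bytes, offset: int) -> bytes:
    """Echo payload_length bytes after the header without checking that many
    bytes were received. In C this reads whatever follows the record on the
    heap; Python merely clips at the end of the simulated memory."""
    _, payload_len = struct.unpack_from("!BH", memory, offset)
    start = offset + HEADER_LEN
    payload = memory[start:start + payload_len]          # over-read
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + bytes(MIN_PADDING)


def respond_fixed(memory: bytes, offset: int, record_len: int) -> Optional[bytes]:
    """Same responder with the check from OpenSSL 1.0.1g: discard the record if
    header + claimed payload + minimum padding exceeds the received length."""
    if record_len < HEADER_LEN + MIN_PADDING:
        return None                                      # too short to be valid
    _, payload_len = struct.unpack_from("!BH", memory, offset)
    if HEADER_LEN + payload_len + MIN_PADDING > record_len:
        return None                                      # claimed size does not fit
    start = offset + HEADER_LEN
    payload = memory[start:start + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + bytes(MIN_PADDING)


def echoed_payload(response: bytes) -> bytes:
    """Strip header and padding from a response to see what came back."""
    _, payload_len = struct.unpack_from("!BH", response, 0)
    return response[HEADER_LEN:HEADER_LEN + payload_len]


def simulate(claimed_len: Optional[int]) -> Tuple[bytes, Optional[bytes]]:
    """Place one heartbeat record directly in front of SECRET_MEMORY and run
    both responders on it. Returns (vulnerable_echo, fixed_response)."""
    record = build_heartbeat(b"A", claimed_len)
    memory = record + SECRET_MEMORY
    leaked = echoed_payload(respond_vulnerable(memory, 0))
    fixed = respond_fixed(memory, 0, len(record))
    return leaked, fixed


if __name__ == "__main__":
    leaked, fixed = simulate(0xFFFF)        # 1 byte sent, 65535 claimed
    print("vulnerable server echoed:", leaked)
    print("fixed server response:", fixed)  # None: record silently dropped
```

The honest case (claimed_len left as None) passes both responders and echoes the single byte; the lying case leaks everything after the record from the vulnerable one and is dropped by the fixed one. Real heap layout depends on the allocator, which is why repeated requests returned different 64 KB windows of memory.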
What is Keybase in layman's terms?
Identity is a hard problem. When two people meet in person they can observe hard-to-fake attributes (face, body shape, voice, hairstyle, clothing and preference for Star Trek or Star Wars, for example) and remember them to recognize each other later.

Recognizing someone is more complicated when technology is involved. There's no face-to-face. When you send an email, your computer hands it off to your email provider, which relays it to the recipient's email provider and maybe later to their screen. An SMS goes through the phone network in a similar way. There's no way to know if the recipient's email provider has been hacked, or if they have a new phone number and the old one was assigned to someone else.

Keybase's solution is to represent an identity as a series of statements. (Nothing stops one person from having multiple separate identities on Keybase.) Statements might say "I exist!" or "This device (phone, computer) is me." Each statement references the last one, which prevents Keybase from leaving any out maliciously (like the last statement above). When someone adds an online account to their identity, they also publicly post a link back to their Keybase account. This stops anyone from claiming someone else's online accounts as their own.

All of the posts and statements are checked by Keybase whenever two people communicate. The checks are done by the sender's and recipient's computers, not Keybase's servers, and the program that does the checks is open source so that anyone can verify that it works.

Each computer (or phone or tablet) linked to someone's Keybase identity has an encryption key, and when someone sends a message it gets encrypted for all of the recipient's devices. If someone loses a device, they post a statement which removes it from their Keybase identity. Everyone who talks to them will automatically stop encrypting future messages for the lost device.

So, to summarize, Keybase lets you do two things:
1. Tie together online accounts in a way that makes it obvious if one of them gets hacked.
2. Keep separate encryption keys for all of your devices, so that your contacts automatically stop encrypting messages and files for a device you no longer have.

Keybase also recently announced KBFS, a file storage and sharing service which lets you, for example, safely send a file to someone knowing only their Twitter handle. All of the same checks happen automatically, and the file is encrypted so that it can only be read on one of the recipient's own devices.
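An added illustration of the chain of statements described above, written for this page; it is not Keybase's code or link format. Each link records the hash of the previous one, so a server that drops, reorders or edits a statement breaks the chain when a client replays it; a device revocation is just another statement, and replaying the chain yields the set of device keys still worth encrypting to. Keybase signs links with public-key signatures; the HMAC over the link hash here is a stand-in for that, and the secret, user name, device names and keys are constructed. One caveat the hash links alone do not cover is also shown: a server can serve a truncated but internally valid chain, which is why the verifier takes the highest sequence number the client has already seen.

```python
# Added example of a hash-linked statement chain; not Keybase's code or formats.
import hashlib
import hmac
import json
from typing import Dict, List, Optional


def link_hash(body: dict) -> str:
    """Canonical hash of a link body: sorted-key JSON, SHA-256."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def sign(secret: bytes, digest: str) -> str:
    """Stand-in for signing the link hash with the identity's private key."""
    return hmac.new(secret, digest.encode(), "sha256").hexdigest()


def append_link(chain: List[dict], secret: bytes, statement: dict) -> dict:
    """Add a statement that points at the previous link by hash."""
    prev = chain[-1]["hash"] if chain else None
    body = {"seqno": len(chain) + 1, "prev": prev, "statement": statement}
    digest = link_hash(body)
    link = {"body": body, "hash": digest, "sig": sign(secret, digest)}
    chain.append(link)
    return link


def verify_chain(chain: List[dict], secret: bytes, last_seen_seqno: int = 0) -> bool:
    """Client-side replay: consecutive seqnos, every prev matches the previous
    hash, every signature verifies, and the chain is at least as long as the
    client has already seen (the hash links cannot detect truncation)."""
    prev: Optional[str] = None
    for n, link in enumerate(chain, start=1):
        body = link["body"]
        if body["seqno"] != n or body["prev"] != prev:
            return False                     # a link was dropped or reordered
        if link_hash(body) != link["hash"]:
            return False                     # contents were altered
        if not hmac.compare_digest(sign(secret, link["hash"]), link["sig"]):
            return False                     # not signed by the identity's key
        prev = link["hash"]
    return len(chain) >= last_seen_seqno     # server may not roll the chain back


def active_devices(chain: List[dict]) -> Dict[str, str]:
    """Replay the chain to find which device keys messages should be encrypted for."""
    devices: Dict[str, str] = {}
    for link in chain:
        st = link["body"]["statement"]
        if st["type"] == "device":
            devices[st["name"]] = st["pubkey"]
        elif st["type"] == "revoke":
            devices.pop(st["name"], None)
    return devices


def with_statement_replaced(chain: List[dict], index: int, statement: dict) -> List[dict]:
    """Copy of the chain with one statement swapped but the stored hash and
    signature kept, as a server tampering with its database would produce."""
    old = chain[index]
    new = {**old, "body": {**old["body"], "statement": statement}}
    return chain[:index] + [new] + chain[index + 1:]


def demo_chain(secret: bytes = b"constructed-root-secret") -> List[dict]:
    """Constructed identity: two devices, one proof, then the phone is lost."""
    chain: List[dict] = []
    append_link(chain, secret, {"type": "eldest", "user": "alice"})
    append_link(chain, secret, {"type": "device", "name": "laptop", "pubkey": "LAPTOPKEY"})
    append_link(chain, secret, {"type": "device", "name": "phone", "pubkey": "PHONEKEY"})
    append_link(chain, secret, {"type": "proof", "service": "twitter", "handle": "@alice"})
    append_link(chain, secret, {"type": "revoke", "name": "phone"})
    return chain


if __name__ == "__main__":
    chain = demo_chain()
    print("valid:", verify_chain(chain, b"constructed-root-secret", last_seen_seqno=5))
    print("encrypt for:", active_devices(chain))
```

Dropping the middle link or editing a statement fails verification immediately; serving only the first four links passes the hash checks and would keep the lost phone in the recipient set, which is exactly what remembering the last seen sequence number prevents.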
What are some good summer projects for computer science students studying in an Indian engineering college?
Thanks for A2A.

Working on projects is the best way you can spend your summer as a computer science student. Projects are the best way to enhance your skills in any programming language that you're willing to learn.

DID YOU KNOW?
Python is currently the most demanded programming language on the planet.

The projects that I am gonna share with you will help you to get your skills whetted in the respective technology. All these projects are definitely worth your time.

GOOD NEWS!!
All these projects are specially handpicked and designed by industry veterans.

So here is a complete package of top-class projects in all the latest cutting-edge technologies. Being a CS student, you simply cannot afford to miss these.

PYTHON PROJECTS
Python is currently ruling the IT world. Python programmers are among the most demanded professionals across the globe. And the best way to get familiar with this language is through working on some real-time projects. When you start working on these projects you'll have an idea about the versatility of Python and why it is so popular these days.
- What are some good projects in Python? I have to submit a college project.
- What's the coolest thing you've done with Python?
Also read: What is the best way to learn Python from beginning to advanced?

DATA SCIENCE PROJECTS
Data Science, the hottest buzzword as well as the sexiest career option of this generation, is probably on everyone's mind. Doing a Data Science project as your summer project will be a boss move. This will also open the doors for becoming a Data Scientist.
- What kind of Data Science side projects are suggested for an Undergraduate student?
- What are some good data science projects for CS students?
Data Science career on your mind? Yes, it is.
- What is a data scientist's career path?

R PROGRAMMING PROJECTS
The R programming language is one of the most preferred choices of language for Data Science, second only to Python. If you really aspire to be a Data Scientist someday, then R programming is possibly the easiest way to do so. R is a kind of language that even a person from a non-technical background can learn easily.
- What projects can I do in R?
Do give it a read:
- What is the best way to start learning R? I would spend money on a course but would obviously prefer a free resource. I'm familiar with Java.

MACHINE LEARNING PROJECTS
The future is all about Machine Learning. Machine Learning is probably the most exciting field of this era. This field is about making machines learn, with an aim to make them more and more intelligent. If Machine Learning is an art, these projects will surely make you an artist.
- What are some decent machine learning projects that can be done by a beginner in a week?
Do not miss out on this:
- What are some of the most interesting examples of machine learning applications most people would never think of?

DEEP LEARNING PROJECTS
A branch of Machine Learning that is equally important. Deep Learning is probably the most prominent technique in the field of Machine Learning. These projects will let you dive deep into this field and enhance your skills to another level.
- What are some of the best deep learning projects that you have personally worked on?

ARTIFICIAL INTELLIGENCE PROJECTS
AI is probably the most fascinating field of this generation. A field that does wonders almost every day. Artificial Intelligence is more about a practical approach than a theoretical one. You must focus on these projects if you aspire to be an AI expert.
- What are some good projects in artificial intelligence that a beginner can start with to take his skills to the next level?
Do give it a read:
- What is the best application of artificial intelligence?
- Will AI take over humans one day?

IoT PROJECTS
These projects are a sure-shot way of becoming a pro in one of the most fascinating fields of this century: IoT. Because it's your time to experience a roller coaster ride of IoT.
- What are some project ideas based on IoT (Internet of Things) for CSE final year student?

I hope you now have enough options for your summer project. Do practice. Happy learning!!

Please UPVOTE and SHARE if you liked the content. For more such interesting answers, do follow SHAILNA PATIDAR.
How is a computer virus detected by an antivirus software?
As we become more connected with the internet, so do we become more vulnerable to malware and viruses. And we all know that the most reliable antivirus available in the market is The Amazing Antivirus. Recently I had the opportunity to have an interview with him. He is a very reserved personality, but I was able to ask him a few questions that would feed our curiosity about how he and other antivirus programs work.

Me: First off, could you tell us what exactly you do?

The Amazing Antivirus (TAA): Isn't that obvious? My job is to protect your computers from malware, Trojans, worms and viruses. That's pretty much what I do. You see, over the years, with technology booming, even I had to learn new ways to protect your systems. I still need to learn every day, but I assure you that you won't find anyone else better than me out there.

Me: Ha-ha. We know that, TAA. That's why I'm interviewing you. We need an expert's point of view here. Tell us: how do you detect most threats that our computers face?

TAA: Let me tell you the easiest way this could be done. I have a side-kick, you see. He keeps a database of virus definitions. Every day he profiles new viruses and adds them to the database. This database makes my job easier. To be honest, I'm always running inside your PC. When you open a game, play a song, watch a video, etc., I'm always on guard! It may seem that all files open immediately, but they don't. They have to go through me first. I check each and every file before I let you open it. I would know if a file is a virus because I run its signature through the database. And if I find a match, they're done for. I delete or quarantine them immediately. I scan each file against the database, stored either locally or in the cloud, to determine if it is infected.

Me: Seems like a flawless plan!

TAA: Not really. See, there's an obvious problem here. I would not identify a malware if it is not recorded in the database. I risk false negatives. And that's a major problem. You can say that I can update the database every day, but still I cannot remove the possibility of false negatives completely. I may have great attacking power, but the viruses nowadays have defense mechanisms of their own.

Armor: They can have meaningless code that makes it difficult for me to scan them properly.
Stealth: Some malware can provide legitimate-looking data when a process requests information. An example is the Brain virus of 1986.
Encryption: The malware can encrypt its code to prevent detection.
Oligomorphism: It is possible for me to detect if an encryption has taken place by studying the encryption routine. But some malware is able to change the encryption routine itself and create mutations. This makes it extremely hard for me to detect them, because even if I have their signature in the database they can mutate themselves to change their signature, so I cannot detect them. If a malware can change itself twice in this regard, it is oligomorphic. If it can do this three to an unlimited number of times, it is polymorphic.

Mutated known malware is not detectable, accounting for false negatives.

Me: So how have you adapted to this?

TAA: I felt that rather than relying on file signatures, I should look for general malware characteristics in files. This is what is called heuristic scanning. I can look for code that can possibly exploit user data, or check if it has code to steal cookies off your browser.

Me: Ahh! That would save you the problem of false negatives, wouldn't it?

TAA: Again, not entirely. There is only a limited amount of malicious behavior I'm aware of. I need to be updated with new malicious behaviors every day. Also, it brings false positives! I can wrongly detect programs that are meant to do what they do! And this process of checking for malicious code is slower than scanning the signatures of the files.

Me: And there's no solution for this?

TAA: Actually, I can allow them to run to see if they are behaving maliciously. I can always attach myself to processes. And if I detect anything trying to scrape data off your system, for example by tracking keyboard strokes, I'll know for sure that they are malware. And I can destroy them with my bare hands.

Me: But what's the use if you are allowing them to run anyway? What if they behave in a way you aren't aware of?

TAA: Good question! I have a trick for that, you see. I let them run in a sandbox. It is a virtual environment where the program is allowed to run. It is unaware of this and believes that it is running in the environment it is supposed to. The sandbox lets me run suspicious files in a controlled environment. Give someone a little privacy and they almost certainly will show their colors. And most malware that runs in the sandbox helps me detect its malicious behavior. Your actual system is never harmed!

Me: Whoa! That is absolutely awesome! Wouldn't this require a lot of computational power from my system, though?

TAA: Yup. It kinda does. But trust me, if your system is connected to the internet I can use the cloud to determine if a file is malicious or not. I send the file's relevant details to the cloud engine and it runs the tests on its side to determine the usability of the file. With cloud-based scanning you reduce client-side load and can use the best virus detection mechanisms available.

Me: You are certainly the best! How do other antiviruses compare with you?

TAA: Over the years I've learnt many techniques, and I feel that many antiviruses use them too. I use a multi-layered approach when scanning for viruses. It is a combination of all the mentioned methods. And this is the only solution to ensure that all malware, new or old, is taken care of. To be honest, I feel that I am the best antivirus in town; others are just phoneys!

Me: We agree to that! Thanks for the interview, TAA. That was enlightening! We're out of time, and we can certainly catch up at a later time!

TAA: Well, I'm glad to be of help. See ya!

You can check out this article for further reading.
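An added example of the layers TAA describes, written for this page rather than taken from any antivirus product: a hash-based signature database, heuristic byte patterns that hint at capability (keystroke polling, remote thread injection, cookie store access), and a byte-entropy check that flags a packed or encrypted body for sandboxing. The samples, signature entry, pattern list and threshold are all constructed; the sandbox itself is not simulated. The one-byte mutation shows the signature layer's false negative and the heuristic layer catching what the hash missed.

```python
# Added illustration of layered malware detection; not any vendor's engine.
import hashlib
import math
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed samples standing in for files on disk.
KNOWN_BAD = (b"MZ\x90\x00 stolen-credentials-uploader "
             b"GetAsyncKeyState CreateRemoteThread http://evil.example/upload")
MUTATED_BAD = KNOWN_BAD.replace(b"uploader", b"upl0ader")       # one byte differs
BENIGN = b"MZ\x90\x00 notepad-clone: open, edit and save plain text files"
# 2 KiB of deterministic pseudo-random bytes, standing in for a packed/encrypted body.
PACKED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))

# Layer 1: signature database keyed by full-file hash (what the side-kick maintains).
SIGNATURES: Dict[str, str] = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Trojan.Constructed.A"}

# Layer 2: heuristic rules, byte patterns that suggest malicious capability.
HEURISTICS: List[Tuple[bytes, str]] = [
    (b"GetAsyncKeyState", "polls keyboard state (keylogger behaviour)"),
    (b"CreateRemoteThread", "injects code into another process"),
    (b"cookies.sqlite", "reads the browser cookie store"),
]

# Layer 3: entropy. Compressed or encrypted data approaches 8 bits per byte.
ENTROPY_SUSPICIOUS = 7.0


def signature_match(data: bytes) -> Optional[str]:
    """Exact hash lookup; any change to the file defeats it (false negative)."""
    return SIGNATURES.get(hashlib.sha256(data).hexdigest())


def heuristic_hits(data: bytes) -> List[str]:
    """Pattern scan; legitimate tools can trigger these too (false positive risk)."""
    return [why for pattern, why in HEURISTICS if pattern in data]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(data: bytes) -> Tuple[str, List[str]]:
    """Multi-layer verdict: 'malicious', 'suspicious' or 'clean', with reasons.
    Signature hit: malicious. Two or more corroborating heuristics: malicious.
    One heuristic or high entropy: suspicious, a candidate for the sandbox."""
    name = signature_match(data)
    if name:
        return "malicious", [f"signature match: {name}"]
    hits = ["heuristic: " + h for h in heuristic_hits(data)]
    if len(hits) >= 2:
        return "malicious", hits
    ent = shannon_entropy(data)
    if ent >= ENTROPY_SUSPICIOUS:
        hits.append(f"entropy {ent:.2f} bits/byte suggests packing or encryption; sandbox it")
    return ("suspicious", hits) if hits else ("clean", [])


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_BAD), ("mutated", MUTATED_BAD),
                          ("benign", BENIGN), ("packed", PACKED)]:
        verdict, reasons = scan(sample)
        print(f"{label:8} {verdict:10} {reasons}")
```

The mutated sample is the interesting row: its hash no longer matches, so a signature-only scanner would pass it, but the two capability patterns it still carries convict it. The packed sample has no readable patterns at all, which is precisely why the entropy layer hands it to the sandbox rather than clearing it.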
How do I make a script that can auto-login to a site every time period?
I'm going to try and explain what is required for this task regardless of which site you want to log into.

1. There's a command-line interface called cURL. This interface allows you to call web addresses from the command line, be it Windows or Linux (Mac is Linux based). Make sure you have that. The official cURL page is "cURL - How To Use", but the Web is packed with tutorials and Q&A.
2. Go to the site you want to login to and look at the HTML of the form which is being submitted. In Windows, using Chrome or Firefox, press Ctrl-Shift-I to pop up the hood under the page. There's a tab called Network. Click on that.
3. Submit the form. You will see that a new line is created representing the page that was called when you submitted the form. The inspector lets you see everything about the call you just made.
4. You want to see if the form was submitted using the POST method (more likely) or GET (not common, but not impossible). You also need the names of the variables (the fields) that were sent. The values of the fields might be encrypted, but we assume you know the values of the username and password (and anything else).
5. Try and see if the form was sent in any specific format. Sometimes the server expects a simple call with a list of keys and values, and sometimes it expects a JSON document. It's important to know what it expects so we can prepare the page before sending it.
6. Now that you have all the different parts of that form, create a cURL statement specifying all these parameters. Use online help to understand how to construct that statement. It can be tricky and will probably take a number of trials before you get it right.
7. Figure out how to make cURL get its parameters from a file so you don't need to write the whole line every time. You might find that writing comments can help.

I've given very broad guidelines and left as many details as possible for you to figure out on your own; this practice is very important if you're going to interact with external web sources. These are the fundamentals of RESTful communication. Good luck!
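An added example for steps 2 to 7 above, not the answer's own code: it does the form inspection in Python with only the standard library, keeps the hidden inputs (usually a CSRF token), fills in the credentials, and emits the curl command that submits the form, either form-encoded or as JSON, plus a curl config file for `curl -K` so the long line lives in a file. The page HTML, URL, field names and credentials are constructed. Most real sites regenerate the hidden token on every page load, so a script that logs in periodically should fetch the login page fresh each time and run this parse against that response.

```python
# Added example: derive a curl login call from a login form. Not the answer's code;
# the page, URL, field names and credentials below are constructed.
import json
import shlex
from html.parser import HTMLParser
from typing import Dict
from urllib.parse import urlencode, urljoin

LOGIN_PAGE_URL = "https://example.com/login"          # assumed site
LOGIN_HTML = """<html><body>
<form id="login" action="/session" method="post">
  <input type="hidden" name="csrf_token" value="k3yb0ard">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
</body></html>"""                                      # constructed page


class LoginFormParser(HTMLParser):
    """Collect action, method and every named <input> of the first <form>."""

    def __init__(self) -> None:
        super().__init__()
        self.action = ""
        self.method = "get"
        self.fields: Dict[str, str] = {}
        self._seen_form = False
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form" and not self._seen_form:
            self._seen_form = self._in_form = True
            self.action = a.get("action", "")
            self.method = a.get("method", "get").lower()
        elif tag == "input" and self._in_form and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")   # hidden values kept as-is

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def parse_login_form(html: str, page_url: str) -> dict:
    """Step 2-4: what the Network tab would show you, extracted from the HTML."""
    p = LoginFormParser()
    p.feed(html)
    return {"action": urljoin(page_url, p.action), "method": p.method, "fields": dict(p.fields)}


def _quote(parts) -> str:
    return " ".join(shlex.quote(x) for x in parts)


def build_curl(form: dict, credentials: Dict[str, str], as_json: bool = False,
               cookie_jar: str = "cookies.txt") -> str:
    """Step 5-6: the curl command. -c stores the session cookie; later calls
    send it back with -b."""
    data = {**form["fields"], **credentials}           # credentials fill the empty inputs
    if form["method"] != "post":                        # GET: parameters in the query string
        return _quote(["curl", "-c", cookie_jar, form["action"] + "?" + urlencode(data)])
    if as_json:
        body_args = ["-H", "Content-Type: application/json", "-d", json.dumps(data)]
    else:
        body_args = ["-d", urlencode(data)]             # percent-encodes & and = in values
    return _quote(["curl", "-c", cookie_jar, *body_args, form["action"]])


def build_curl_config(form: dict, credentials: Dict[str, str],
                      cookie_jar: str = "cookies.txt") -> str:
    """Step 7: the same POST as a curl config file, run with: curl -K login.cfg"""
    data = {**form["fields"], **credentials}
    return "\n".join([
        "# generated login request",
        f'url = "{form["action"]}"',
        'request = "POST"',
        f'cookie-jar = "{cookie_jar}"',
        f'data = "{urlencode(data)}"',
    ]) + "\n"


if __name__ == "__main__":
    form = parse_login_form(LOGIN_HTML, LOGIN_PAGE_URL)
    creds = {"username": "alice", "password": "s3cr3t&pass"}
    print(build_curl(form, creds))
    print(build_curl_config(form, creds))
```

For the "every time period" part, a cron entry such as `*/30 * * * * curl -K /path/login.cfg` re-runs the saved request; keep the config file readable only by your user, since it holds the password in clear text.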
What is the most recommended website that you use to protect your message by encryption before send it to another person or people?
The only websites I trust to encrypt my data use the rot13 cipher. (There are quite a few that do this.) This is a Caesar cipher variant where every letter is rotated 13 letters in the alphabet (A-N, B-O, C-P, etc.). I'm sure you're thinking that this doesn't sound like a very secure cipher. It isn't. But if I'm going to a website to encrypt my data, I don't need a secure cipher, because my data isn't safe once I post it on a random website. If you want to encrypt data, use an encryption program like PGP.
How is data that is sent across the internet secured (so other people don’t know what you sent)?
Most of it isn't. A very large amount of network data still travels unencrypted.

To really answer this we need to talk about a concept called a threat model. Your threat model is a description of which attacks and what level of attacker you'd like to prevent. In the physical world you might use a lock, an alarm, a safe or a bank vault, depending on the value of the item being protected and the capability of the person trying to steal it. In the internet world there are four basic technical threat levels (oversimplified):

Passive local. Somebody listening on your internet cafe wifi, your home LAN or your ISP's system.

Active targeted. Somebody who wants to hack you specifically. The Stuxnet attack on the Iranian nuclear facilities. A hacker who is specifically after you, who might send a targeted email (spear phishing).

There is also a 5th factor: legal coercion, a court order forcing one or more parties to disclose your data.

Most internet security is aimed at stopping #1 and #2. HTTPS websites (often called SSL, but more correctly called TLS, transport level security) encrypt the connection between your browser and the website you are talking to. It will stop somebody listening in between and seeing what you send or receive. It won't stop them from knowing which website you are connecting to, and it might not stop them knowing which pages you are looking at if they analyze enough traffic over time. TLS is also used to secure most (but sadly not all) email connections between servers. It's by far the most common security protocol on the web.

A VPN (virtual private network) can be used to protect you from some threats. If your VPN server is securely connected to the system you want to talk to, then you can protect your traffic from interception. Most VPN use is actually much less secure than that. The reason is that people use a VPN to hide their traffic from local interception, by their ISP or the guy at the next table in the cafe. Once the traffic gets to the VPN server it exits and behaves just like any other traffic as it travels to its destination. If somebody can listen to the VPN server exit node (hint: assume the NSA can and is), then the VPN is really not helping.

Apps often either use TLS or something app-specific that provides end-to-end security (that is, servers in the middle can't listen in). Signal is a good example of a chat app that does this.

Now, if you're dealing with an active targeted or global passive adversary, you have a much bigger problem. They only have to compromise one part of the chain, often something outside your control. If it's a government entity they may well use legal leverage to force that compromise. They may even build a compromise into the hardware (there is a reason the US government has banned certain Chinese telecom equipment makers). For example, if you use a secure app like Signal but back up your phone to iCloud, then the government can force Apple to disclose your messages (this happened to Mike Manafort).

Then there are bugs. Security is notoriously hard to get right; even encryption protocols like AES which are considered secure can be broken if the protocol they are used in is badly implemented or the keys used are poorly chosen (not random).

Lastly, human factors. People pick bad passwords, write them down, tell them to people on the phone, and leave holes in systems they don't think are important (Target was compromised via the HVAC system).

So your data is mostly secured by TLS, and that mostly protects you from the level of threat most people face. It doesn't really hold up too well if you are being specifically targeted, particularly by a government.
I am using PHP to upload a file. How do I encrypt a file before uploading and decrypt before downloading with a password?
PHP has nothing to do with this, because if you want the file encrypted before uploading then you have to do it. Fortunately, Zip files support encryption (and decryption, of course). Here's an article covering this: How to Create Encrypted Zip or 7z Archives on Any Operating System. If you use WinZip to create the zip files, here's an article showing how to do it: How do you encrypt files in a Zip file with WinZip?