Most Popular

40 votes, 4 answers

Is generating random numbers using a smartphone camera a good idea?

Forgive my ignorance on the subject, but I wish to know more and asking (stupid) questions is one way. I was reading http://www.random.org/randomness/ and this idea popped into my head (before the bit about lava-lamps). Considering the…
ian
40 votes, 1 answer

Consequences of tampered /etc/ssh/moduli

What are the consequences if an attacker is able to modify the /etc/ssh/moduli file?
vergoglio
40 votes, 6 answers

Secure Linux Desktop

I'm looking for hints about secure linux desktops. Securing servers is no problem. Most recent Software Updates, run only the services required etc. But what about desktops? I'm thinking about details like Noscript for Firefox. ASLR, PIE and similar…
chris
40 votes, 5 answers

Client-side encryption, but cloud service can still decrypt data in the event of a death? Is this possible?

I've been worried about this password manager, PasswordBox that seems to be gathering quite a bit of steam lately. They seem to have raised VC funding and are offering a free password management and storage tool. Their team does not seem to have…
Mallory
40 votes, 6 answers

How do I safely inspect a suspicious email attachment?

I received a pretty blatantly spammy email to my Gmail account. Attached to the email is a supposed HTML file. My first hunch was that it was probably one of the following: A nasty executable file masquerading as a simple HTML file, or An actual…
lsdfapoinsafpr
40 votes, 1 answer

TLS: RC4 or not RC4?

I was reading another interesting article by Matthew Green today, saying that if you're using RC4 as your primary ciphersuite in SSL/TLS, now would be a great time to stop As far as I'm aware RC4 has been up'd on the list of ciphersuites to…
Yoav Aner
40 votes, 6 answers

Software vendor refuses to fix security vulnerability - what to do?

I work as a consultant for a large corporation that uses some software, in which I have found a security vulnerability. I notified both my client and the software vendor about a year ago. They referred the case to their account manager (!), who (in…
TravelingFox
40 votes, 9 answers

Why don't people hash and salt usernames before storing them

Everyone knows that if they have a system that requires a password to log in, they should be storing a hashed & salted copy of the required password, rather than the password in plaintext. What I started to wonder today is why don't they also…
Grezzo
40 votes, 5 answers

How can you trust that there is no backdoor in your hardware?

We know that Intel processors have one (ME) so it is definitely possible. In general, how could you even trust a piece of hardware like a CPU or network card, even if the manufacturer says there is no backdoor? For software, it is easy since you can…
MasterYi
40 votes, 2 answers

Why is there no web client for Signal?

I’ve read about E2EE (end to end encryption) of Signal in web clients on a Signal Community discussion forum, and wonder why they say that the browser is insecure for E2EE and native apps are secure. I think the security issues for clients are the…
40 votes, 8 answers

What is the attack scenario against which encrypted files provide protection?

There are a couple of files / tools which provide file-level encryption. I guess PDF and ZIP are probably the most commonly known ones. I wonder what scenario they actually help with or if it just is a bad solution. For example, if I want to be sure…
Martin Thoma
40 votes, 4 answers

Should I be using ECDSA keys instead of RSA?

I read on ssh.com that there are new ECDSA ssh keys that one should be using to create the public / private key pair; and that it's a US Government Standard based on elliptical curves (probably something mathy). I also noticed that they use fewer…
leeand00
40 votes, 8 answers

Are all USB-based attacks dependent on being able to inject keystrokes?

From what I've seen, USB-based attacks such as RubberDucky need to be able to open a terminal and then execute commands from there, usually to download and then install malware or to open a reverse shell. Is this how most, if not all USB-based…
user942937
40 votes, 7 answers

Security risks of user generated HTML?

I am creating a website that allows people to upload HTML content. Currently these are the tags that are banned: