• 0 Posts
  • 42 Comments
Joined 1 year ago
Cake day: June 2nd, 2023

  • Other comments here do a great job pointing to DH key exchange; I’d like to try explaining it with the paint analogy.

    You and Youtube need to agree on a “color of paint” (encryption key) without ever sending it over the network.

    You and Youtube agree on a common “yellow” in the clear, and you each pick a secret color. Youtube mixes yellow and their secret and sends it to you. This is okay, because un-mixing paint (factoring large prime numbers) is really hard. You add your secret to the mixture, and now you have yellow+Youtube’s secret+your secret.

    You mix yellow and your secret and send it to Youtube. Youtube adds their secret; now they’ve got yellow+Youtube’s secret+your secret. You both have the final color!

    An eavesdropper can’t reconstruct this - everything sent over the network had yellow mixed in, and un-mixing paint can be really hard. Maybe you can guess that green minus yellow is probably blue, but you can’t get close enough to decrypt anything. And what if it’s brown? Is that blue + orange, or is it red + green?

    Cryptographers have worked very hard to make the communications secure. I would be more worried about the other end ratting you out - using a relay / proxy / vpn that you trust is a good idea :)
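The exchange described above, as an added example that is not part of the original comment: Diffie-Hellman over a constructed toy group (p=23, g=5), with each side's "paint mixing" done as modular exponentiation, and the eavesdropper's "un-mixing" written out as a brute-force discrete logarithm that only finishes because the group is tiny.

```python
# Added example, not code from the comment above. Parameters are toy-sized so the
# eavesdropper's brute force below finishes instantly; real deployments use
# 2048-bit+ groups or elliptic curves, where the same search is infeasible.
import secrets

def public_value(p, g, secret):
    """'Mix yellow with your secret': g^secret mod p. Safe to send in the clear."""
    return pow(g, secret, p)

def shared_secret(p, peer_public, secret):
    """'Add your secret to the peer's mixture': peer_public^secret mod p."""
    return pow(peer_public, secret, p)

def diffie_hellman(p, g, alice_secret=None, bob_secret=None):
    """Run the exchange; return what the wire carries and what each side derives.
    Secrets are drawn at random unless fixed values are supplied (for testing)."""
    alice_secret = alice_secret if alice_secret is not None else secrets.randbelow(p - 2) + 1
    bob_secret = bob_secret if bob_secret is not None else secrets.randbelow(p - 2) + 1
    A = public_value(p, g, alice_secret)   # Alice -> Bob: "yellow + Alice's secret"
    B = public_value(p, g, bob_secret)     # Bob -> Alice: "yellow + Bob's secret"
    return {
        "wire": (p, g, A, B),              # everything an eavesdropper observes
        "alice_key": shared_secret(p, B, alice_secret),
        "bob_key": shared_secret(p, A, bob_secret),
    }

def eavesdropper_brute_force(p, g, A, B):
    """'Un-mix the paint': recover Alice's secret from A by trying every exponent
    (the discrete logarithm), then derive the key. Cost grows with the group size,
    which is why this works at p=23 and not at 2048 bits."""
    for x in range(1, p):
        if pow(g, x, p) == A:
            return pow(B, x, p)
    return None

if __name__ == "__main__":
    result = diffie_hellman(23, 5, alice_secret=6, bob_secret=15)
    print("on the wire:", result["wire"])                 # (23, 5, 8, 19)
    print("Alice's key:", result["alice_key"], "Bob's key:", result["bob_key"])  # 2 and 2
    print("eavesdropper (toy group only):", eavesdropper_brute_force(23, 5, 8, 19))
```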




  • When dealing with children, the “oreo cookie” method works well - start with something nice, offer a “suggestion for improvement”, and then finish with something nice as well.

    You’ll want to submit the politically correct version through official channels for traceability. After it’s submitted there, you can give a copy over slack. Don’t let anyone make any claims about what you supposedly said over slack dm. Leave a paper trail.

    You’ve already been PIPed, so they have reason to look at you. Play nice and check the boxes; I would do the feedback even if the submission is entirely “yeah it was fine” level bs.

    All of the above is playing it safe. Offer to provide additional feedback / “discussion” over a voice call as well, and ask what they’re looking for. If they’re building a case against your former manager, you can be honest.

    If they just want “general” feedback, or they want it over text (“no time for a call”), or there are multiple people in the room, or the call is being recorded, then fall back to the politically correct version you already submitted.

    Your nuclear button is to claim the PIP was retaliation for (something; you can make this up, just make it realistic), but you don’t press that button unless you’re about to be fired. It makes things extremely complicated.

    I really hate office politics, but half of being promoted is knowing how to play this stupid game :(



  • It is not too hard and you can definitely do it! It’s like a puzzle - you will get stuck at times, but if you keep going then you’ll get there.

    APK files are just zip files, so you can unzip it to see its contents. From there, a Java decompiler gets you a version of the source code. It will have random variable names and no comments, so it will take some digging to find and reverse the API layer.

    Or, who knows, you could get lucky and find an openapi spec file and auth.txt. Worse apps have been developed.


  • Hey! Best of luck, I’m actually going down the same road at the moment :)

    I would build it yourself - it’s more fun, and is cheaper than renting over a shorter-than-you-would-think time period.

    The first thing to know is whether or not you can port-forward / if your ISP has you behind NAT.

    Exposing virtual disks is relatively straightforward, or even just storage quotas on a single disk. I’m about to jump into the wide world of ZFS; I need to glue together 4+ disks into a single storage array.

    If you want everyone to have a separate VM, you’ll need some kind of hypervisor underneath. Could you grant everyone a user account in a single system, and use docker for separation?

    It sounds like the others will be connecting remotely - make sure you use ssh keys (not passwords) and disable root over ssh. Once ssh is exposed to the internet, you’ll see a lot of failed login attempts