trying now https://level1techs.com/system/files/audio/normal/GR7E9O0UiCY.mp3 I am past the 8 min mark but I need to allow random seeks on the mp3 so skipahead works
Yup, now it’s seeing (and downloading) a 60MB file.
EDIT: I started it and moved my slider to around 2/3 of the audio track, which made me listen to the GM/Waymo/Tesla self-driving thing around the 1h mark. Seems like it’s solved now.
Works now. Thanks buddy!
So were all of those people on porn hub watching porn, or watching pirated content before the false alarm in Hawaii hit?
Also, Ryan brought up an interesting thing about insurance companies controlling people’s self-driving cars with Logitech gaming wheels. I wonder if it would be possible to hack a PC gaming wheel and pedals into a self-driving car for manual control?
Or what about car thieves that can get into the driving software via WiFi or wireless or whatever and hijack the car with a PC and a Logitech gaming wheel?
Appreciate the talk about PCI DSS compliance by @wendell @ryan as I’ve spent a chunk of my career working on complex eCommerce solutions — typically interfacing legacy (warehousing/logistics) backends with a modern site solution. It is super simple (as you know) to interface form input in JS.
What we’d need is a new browser API - ‘sandboxed’ input fields (does this exist, I haven’t checked?). So the browser encrypts the data, and the encrypted payload is sent to the backend - here’s a quick demo of that aspect -
Gist link: https://gist.github.com/bsodmike/4d25c4dc4407644127aea02aa558a2e1
```ruby
# Copyright (c) 2018 Michael de Silva, CTO Secure Cloud Solutions (siliconcloud.tech) & Inertialbox (inertialbox.com)
# Blog: mwdesilva.com // Expertise: desilva.io // Twitter: @bsodmike
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
require 'psych'
require 'openssl'

# Stand-in for the browser; holds a reference to the backend API.
class BrowserSimulator
  def initialize(api)
    @api = api
  end
end

# Stand-in for the backend: only ever sees the encrypted card blob.
class SandboxApi
  def initialize(encrypted_card)
    @encrypted_card = encrypted_card
  end

  def decrypt_card(encryptor, iv, salt, password)
    encryptor.decrypt(iv, salt, password, @encrypted_card)
  end
end

# AES-128-CBC with a PBKDF2-derived key; the same password is needed on both sides.
class Encryptor
  def initialize
    @cipher = OpenSSL::Cipher.new 'AES-128-CBC'
    @cipher.encrypt
    @iv = @cipher.random_iv
  end

  def encrypt(payload, password)
    salt = OpenSSL::Random.random_bytes 16
    iter = 20000
    key_len = @cipher.key_len
    digest = OpenSSL::Digest::SHA256.new
    key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iter, key_len, digest)
    @cipher.key = key
    encrypted = @cipher.update payload
    encrypted << @cipher.final
    {
      iv: @iv,
      salt: salt,
      encrypted: encrypted
    }
  end

  def decrypt(iv, salt, password, encrypted)
    cipher = OpenSSL::Cipher.new 'AES-128-CBC'
    cipher.decrypt
    cipher.iv = iv # the one generated with #random_iv
    iter = 20000
    key_len = cipher.key_len
    digest = OpenSSL::Digest::SHA256.new
    key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iter, key_len, digest)
    cipher.key = key
    decrypted = cipher.update encrypted
    decrypted << cipher.final
  end
end

card = {
  merchant: 'AMEX',
  card_number: '1234123412341234',
  name: 'Mr. Krzanich Meltdown'
}
puts "Card object (Hash), to be encrypted\n"
puts card

# Serialise card object to YAML first.
serialised_card = Psych.dump(card)
encryptor = Encryptor.new
password = 'e6279ea77e8aa17bd530d047d4a555e6c9708fffe90c248d9f818429e3e16b13'
puts "\n\nPassword used to encrypt card details: #{password}"
encrypted_hsh = encryptor.encrypt(serialised_card, password)

# This is only exposed here for POC's sake to be quick.
encryption_iv = encrypted_hsh[:iv]
encryption_salt = encrypted_hsh[:salt]
api = SandboxApi.new(encrypted_hsh[:encrypted])
puts "\n**** Transmit Encrypted card payload to backend\n #{encrypted_hsh[:encrypted]}\n****\n\n"
decrypted = api.decrypt_card(encryptor, encryption_iv, encryption_salt, password)

# Psych 4 (Ruby 3.1+) makes Psych.load a safe load that refuses Symbol keys by
# default; permit them explicitly so the symbol-keyed hash round-trips.
card = Psych.safe_load(decrypted, permitted_classes: [Symbol])
puts "Decrypting card payload\n"
puts card
```
When run, this is the output:
```text
-> % ruby secure_forms.rb
Card object (Hash), to be encrypted
{:merchant=>"AMEX", :card_number=>"1234123412341234", :name=>"Mr. Krzanich Meltdown"}
Password used to encrypt card details: e6279ea77e8aa17bd530d047d4a555e6c9708fffe90c248d9f818429e3e16b13
**** Transmit Encrypted card payload to backend
�~x�x !:<�Қ'XM;����%�3h����k���|�<��U���0��v��}�xeBКI���E�0T����}|�TH�P��-��*
****
Decrypting card payload
{:merchant=>"AMEX", :card_number=>"1234123412341234", :name=>"Mr. Krzanich Meltdown"}
```
The private key should be held client side. I wonder if this could work as I’m spitballing here - once the XHR request is done, the backend could make a websockets connection to the client offering the token, for the client to decrypt and return the “actual value”. I’d assume the “session” could help here to provide context, or storing some reference in say Redis etc.
Do bear in mind - I’m highly sleep deprived, so most likely I haven’t thought this through fully.
TL;DR the current archaic mechanism leaves FAR too much room for client-side JS to interfere with JSON payload (or form-data) being POSTed to the backend and room for mutation needs to be rethunked.
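As an added example (not the gist above and not the poster's code), here is a variation on the same browser-encrypts, backend-decrypts idea that addresses the two points raised in the post: the client should hold no decryption secret, and the payload should be tamper-evident against in-flight mutation. It goes beyond the shared-password AES-CBC demo: the backend publishes an RSA public key, the client draws a fresh AES-256-GCM data key per submission, encrypts the serialised card with it and wraps that key with RSA-OAEP, and the GCM tag (with the order id as associated data) makes any bit flip or cross-order replay fail authentication. `CardVault`, `BrowserField`, the `rejected_by?` / `flip_ciphertext_bit` helpers and the `order-42` value are constructed for this example; the card values are the demo's own sample data.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Backend side (hypothetical). The RSA key pair is generated once and the
# private key never leaves the server, so nothing the browser holds can
# decrypt a submitted payload.
class CardVault
  attr_reader :public_key_pem

  def initialize
    @private_key = OpenSSL::PKey::RSA.new(2048)
    @public_key_pem = @private_key.public_key.to_pem
  end

  # Unwrap the per-submission data key, then decrypt and authenticate.
  # Raises OpenSSL::Cipher::CipherError if ciphertext, tag or AAD were altered.
  def open(envelope)
    data_key = @private_key.private_decrypt(
      Base64.strict_decode64(envelope['wrapped_key']),
      OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
    )
    cipher = OpenSSL::Cipher.new('aes-256-gcm')
    cipher.decrypt
    cipher.key = data_key
    cipher.iv = Base64.strict_decode64(envelope['iv'])
    cipher.auth_tag = Base64.strict_decode64(envelope['tag'])
    cipher.auth_data = envelope['aad']
    plaintext = cipher.update(Base64.strict_decode64(envelope['ciphertext']))
    plaintext << cipher.final # tag check happens here
    JSON.parse(plaintext.force_encoding('UTF-8'))
  end
end

# Client side (hypothetical), standing in for the "sandboxed field": it holds
# only the public key. A fresh AES-256-GCM key and IV are drawn per submission.
module BrowserField
  def self.seal(card, public_key_pem, aad)
    pub = OpenSSL::PKey::RSA.new(public_key_pem)
    cipher = OpenSSL::Cipher.new('aes-256-gcm')
    cipher.encrypt
    data_key = cipher.random_key
    iv = cipher.random_iv
    cipher.auth_data = aad # binds the blob to this order/session id
    ciphertext = cipher.update(JSON.generate(card))
    ciphertext << cipher.final
    wrapped = pub.public_encrypt(data_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    {
      'iv' => Base64.strict_encode64(iv),
      'tag' => Base64.strict_encode64(cipher.auth_tag),
      'aad' => aad,
      'ciphertext' => Base64.strict_encode64(ciphertext),
      'wrapped_key' => Base64.strict_encode64(wrapped)
    }
  end
end

# True if the backend rejects the envelope (authentication failure).
def rejected_by?(vault, envelope)
  vault.open(envelope)
  false
rescue OpenSSL::Cipher::CipherError
  true
end

# Flip one bit of the ciphertext, the kind of mutation the post is worried about.
def flip_ciphertext_bit(envelope)
  bytes = Base64.strict_decode64(envelope['ciphertext']).bytes
  bytes[0] ^= 0x01
  envelope.merge('ciphertext' => Base64.strict_encode64(bytes.pack('C*')))
end

if __FILE__ == $PROGRAM_NAME
  vault = CardVault.new
  card = { 'merchant' => 'AMEX', 'card_number' => '1234123412341234',
           'name' => 'Mr. Krzanich Meltdown' }
  env = BrowserField.seal(card, vault.public_key_pem, 'order-42') # constructed id
  puts "Backend receives (base64): #{env['ciphertext']}"
  puts "Backend decrypts: #{vault.open(env)}"
  puts "Tampered blob rejected? #{rejected_by?(vault, flip_ciphertext_bit(env))}"
  puts "Replayed under another order rejected? #{rejected_by?(vault, env.merge('aad' => 'order-43'))}"
end
```

The design difference from the CBC demo is that the server sees ciphertext it alone can open, and a modified blob is rejected rather than decrypted into garbage or into an attacker-chosen value. What this still does not do is stop a script already running in the page from reading the input before it is sealed; that is the gap the hosted-field / iframe approach used by payment providers closes by keeping the DOM out of the merchant's origin, backed by CSP and Subresource Integrity to limit which scripts load at all.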