Can you avoid ever sending a password on the wire?

Let’s say I want to secure authentication on a web app or a mobile app or even a machine to machine app.

My first approach to secure the password is to enable HTTPS and some sort of client side message level encryption of data to be sent on the wire.

So I’m starting to think that since MITM could help circumvent HTTPS and discover at least an encrypted password, there is maybe no way to truly protect a password.

So I was wondering (not considering VPN here) if user-submitted data (e.g. a password) on the wire is ever secure? Or if there exists a way to never submit a password on the wire?

How to avoid too much RAM memory usage

I use Ubuntu Studio 18.04.3 with additional backports PPA to get LTS.

I want to use “xLogo”, a Java version of the old Logo Programming Language, to get 3D figures in the screen.

But when xLogo is working, I get a message saying it is using almost 90% of the computer's RAM memory.

And I can confirm this is true, because the System Charge Monitor shows me the same thing: RAM Memory at 90%!

How can I get xLogo to “eat” less RAM memory?

BTW: The System Charge Monitor always shows me that my RAM Memory is around 60% to 65% used. Is it a normal value? Can I get more free RAM Memory? How?

Are there effects where holding your breath allows you to avoid them?

As suggested by one of the answers to this question on holding breath, there can be situations where damage may be able to be avoided by holding your breath.

A creature can hold its breath for a number of minutes equal to 1 + its Constitution modifier (minimum of 30 seconds).

When a creature runs out of breath or is choking, it can survive for a number of rounds equal to its Constitution modifier (minimum of 1 round). At the start of its next turn, it drops to 0 hit points and is dying, and it can’t regain hit points or be stabilized until it can breathe again.

Consider cloudkill:

When a creature enters the spell’s area for the first time on a turn or starts its turn there, that creature must make a Constitution saving throw. The creature takes 5d8 poison damage on a failed save, or half as much damage on a successful one. Creatures are affected even if they hold their breath or don’t need to breathe.

And stinking cloud:

Each creature that is completely within the cloud at the start of its turn must make a Constitution saving throw against poison. On a failed save, the creature spends its action that turn retching and reeling. Creatures that don’t need to breathe or are immune to poison automatically succeed on this saving throw.

The wording is a little confusing: does holding your breath count as not needing to breathe for purposes of potentially avoiding damage? What are the situations where holding your breath will allow you to avoid taking damage for the duration of your ability to hold your breath?

How can we avoid the Facebook SDK? General: Trusted forge for Android apps?

I know that privacy is dead etc, but I saw a presentation (Link: https://www.youtube.com/watch?v=OTt1AVRQyx0) about developers of Android apps using the Facebook SDK for whatever reason in their development of applications. I was stunned and angered by the amount of data that Facebook exfiltrates from user systems. This information is sent to FB even if the user has never had a FB account, never visited the site, never even heard of Facebook. And so forth.

What I want to know is this: how can I avoid applications developed using the FB SDK? I am totally prepared to abandon the Google Store.

This would probably require an app store like F-Droid with a different security posture than say, the Google Play store. But there as well, I do not see options for isolating apps by SDK. Obviously, if those apps are OPEN open source, then I could go through the source code. I cannot be the first to have this concern, of course. Yet searches are largely swamped by questions of how to apply the SDK rather than avoid it.

So the FB SDK is just a particular case of a larger question — is there a trusted forge for Android apps? I’m not against using Copperhead or similar (de-Googled Android), but I would like to sever that issue from apps themselves.

Confession — I’m hardly a privacy-focused person, having been a loudmouth online since the early nineties. But Facebook’s exfil of data is simply breathtaking, as it occurs effectively without consent*, and without notification*.

* It may legally be consent to have me click through a EULA that says “We may share some data”, but this seems inappropriate to the scale of what is being exfiltrated. Key point — this is not as a result of using Facebook’s site or app, but of nth-party developers using Facebook “protomatter in the matrix”.

Alright, I am sure I am asking this wrong, and formatting it wrong, etc. Corrections gratefully accepted. Believe me — my goal is to help get an answer to this question on the record here.


This sounds promising — intercepting calls made by the app to the FB API domain(s): Intercepting HTTPS Android app traffic

How can I avoid getting exposed while travelling to Russia?

I am a Japanese student learning the Russian language and will soon travel to Russia to have a kind of internship or training.

I have a security concern and a background to it. The background is that I actively participated in Internet discussions on the Russian social network vk.com under a fake name and made many provocative posts there, so a number of people explicitly wrote there that they would do their best and utmost to find my real identity and make it public. My posts are definitely of no concern to police and were not even deleted by the admins, but quite a large number of people got really agitated as my posts were about politics, religions, cultures, and similar sensitive stuff and written in a provocative manner. I cannot afford getting my real name publicly associated with those posts, but I did not see how people could find my real name, so I even made some posts saying they would not be able to find my name.

Some time ago one Russian sent me a message telling me he had discovered my real Japanese IP addresses, and he told me some of them. Although I had not used any proxy servers to make my posts, I got shocked, because vk.com is not supposed to share my IP addresses with anyone. The guy then wrote he had been able to find my IP addresses because he works in a Russian company that has access to a lot of data related to the use of the Internet in Russia. He added that he had somehow tried to find my real name based on my Japanese IP addresses, but had not succeeded. Indeed, my Japanese IP addresses do not give any leads, and no Japanese provider will tell my name to Russians.

Now I am travelling to Russia and intend to use there the same laptop I used to make my posts; I will be given an Internet connection in Russia and, in view of what the guy told me, will obviously need to avoid any possibility of leaving any traces in Russia that could link my Russian IP address with my past posts. The reason is that knowing my Russian IP, people might find my real name by contacting my Russian hosts. Ideally, I would like to continue using the same account in the social network to make posts while staying in Russia.

My question is this: What should I do to meet these needs?

I am asking because I know little about such security matters and, in particular, what kind of information is collected from my laptop by Internet providers and servers such as vk.com, so I am afraid to even connect my laptop to the Internet in Russia. I humbly hope that security experts of this SE could kindly instruct me how I can safely use my laptop in Russia without any risk of getting exposed in relation to my past posts made from Japan from the same laptop, given that at least one Russian who wants to find my real identity may have access to any data related to the use of the Internet in Russia.

How to avoid restarting nginx to renew letsencrypt certificate?

I have installed a Nginx server to host my website, and added HTTPS with LetsEncrypt.

The problem is every time the certificate expires, my site becomes inaccessible and I need to manually restart the service using So every two months or so I am forced to manually do a:

sudo service nginx restart 

I tried automating that several times already but failed. My last attempt was using this:

sudo crontab -e
0 0,12 * * * letsencrypt renew >/dev/null 2>&1
1 0,12 * * * root /etc/init.d/nginx reload

Is this the wrong way? How can I validate this job works without waiting for my site to be inaccessible again?

How to avoid copying and pasting 3D plot options?

I noticed that when I use Plot3D, ContourPlot3D, etc., I usually pass the same many options like this

Plot3D[{x + y, x - y}, {x, -1, 1}, {y, -1, 1},  AspectRatio -> 1, ImageSize -> Large, AxesLabel -> Automatic,  PlotRange -> Full, LabelStyle -> {FontSize -> 18}, BoxRatios -> {1, 1, 1}] 

and

ContourPlot3D[x + y - z == 0, {x, -3, 3}, {y, -3, 3}, {z, -3, 3},  AspectRatio -> 1, ImageSize -> Large, AxesLabel -> Automatic,  PlotRange -> Full, LabelStyle -> {FontSize -> 18}, BoxRatios -> {1, 1, 1}] 

Is there a way to avoid copying and pasting all the options?

Sound does not work in many apps after upgrading to Ubuntu 18.04. I’m also trying to avoid Pulseaudio at all costs

Basically, I’m trying to get everything to use ALSA like I had on my old OS. Now with Ubuntu 18.04, I have some offline apps that sound great with ALSA but others such as Firefox or Audacity that have no sound at all. I read from some online forums that you can get ALSA to run as the default sound device but I couldn’t figure out how to edit the config. I was only able to figure out how to disable Pulseaudio by setting the respawn to no and removing the ;. Anything beyond that was too confusing for me to understand but I really don’t want to be stuck without sound forever. YouTube and Audacity are important to me and I need to use them. Please help…