Using unique per-session gpg keys to store backups on cloud storage

I’d like to encrypt my server’s daily backups and send them to dropbox / google drive / etc., as a backup.

I’ve read of various approaches. Assuming symmetric encryption (passphrase rather than public/private keypair), people seem to: tar, compress, encrypt with a passphrase (using gpg), and upload the result to cloud storage.

Then I found this comment (edited for brevity):

I wouldn’t use the same passphrase over and over to encrypt your files. Instead, I’d generate a file containing a number of random bytes and use that as a key for my .tar.bz2.gpg file. I’d then encrypt this random file with my 100 character passphrase and upload it together with the backup file. (Basically, I’d create a session key with which to encrypt my data and use the 100 character string as a master key to decrypt the session keys). You can automate this, and it gives you forward secrecy in case one of your backup session keys is compromised and the ability to decrypt any specific backup without losing control over your master key.

So if I understand correctly, for every backup I must (via a bash script):

  1. create the backup 2020-01-01.backup.tar.bzip2 (date is just an example)
  2. generate a random passphrase, and save it as 2020-01-01.passphrase.txt
  3. use 2020-01-01.passphrase.txt to encrypt 2020-01-01.backup.tar.bzip2 to get 2020-01-01.backup.tar.bzip2.gpg
  4. encrypt 2020-01-01.passphrase.txt with my “master” passphrase (which I keep on my local box) to get 2020-01-01.passphrase.txt.gpg
  5. upload 2020-01-01.backup.tar.bzip2.gpg and 2020-01-01.passphrase.txt.gpg to cloud storage

The above comment says this is more secure because if one backup/passphrase is compromised, the others are still safe as they use different passphrases.

But I’m a little confused. If the master passphrase is compromised (“hacked” / guessed / whatever) – all the backups are compromised. It seems like just another level of indirection.

The only way this makes sense is if the master passphrase is MUCH longer (more entropy) than each session passphrase – e.g. 100 characters vs 20 characters, respectively. But then why not just make every session passphrase 100 characters?

Is my understanding of this strategy correct, and can you detect any gotchas I should take into account?
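The five-step procedure above, implemented as an added example (it is not the poster's script or any project's code): one fresh 256-bit session key per backup, the archive encrypted with it, the session key wrapped under the master passphrase, and the plaintext key deleted before anything is uploaded. It is written in Python driving gpg 2.x on PATH; the file names, the two sample archives and the master passphrase in the demo are constructed placeholders. The demo function restores one backup with its own wrapped key and then checks that the other backup's wrapped key cannot open it.

```python
"""Envelope encryption for backups with GnuPG.

Added example, not the poster's script: a random 256-bit session key per
backup encrypts the archive, and only the session key is wrapped under the
long-lived master passphrase. Assumes gpg 2.x on PATH; file names, archives
and the master passphrase in the demo are constructed placeholders.
"""
import os
import secrets
import shutil
import subprocess
import tempfile
from pathlib import Path

# --pinentry-mode loopback lets --passphrase-file work without a pinentry
# dialog; --no-symkey-cache stops gpg-agent from caching symmetric passphrases.
GPG = ["gpg", "--batch", "--yes", "--quiet", "--pinentry-mode", "loopback",
       "--no-symkey-cache"]
# Slow, salted S2K matters for the human master passphrase; it costs nothing
# extra for the random session key, so the same options serve both.
SYM = ["--symmetric", "--cipher-algo", "AES256",
       "--s2k-digest-algo", "SHA512", "--s2k-count", "65011712"]


def gpg_available() -> bool:
    return shutil.which("gpg") is not None


def _gpg(args: list, home: Path) -> None:
    """Run gpg in an isolated GNUPGHOME so the demo never touches ~/.gnupg."""
    subprocess.run(GPG + args, check=True, stdin=subprocess.DEVNULL,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                   env={**os.environ, "GNUPGHOME": str(home)})


def new_session_key() -> str:
    # 32 random bytes as 64 hex chars; --passphrase-file reads one line.
    return secrets.token_hex(32) + "\n"


def encrypt_backup(archive: Path, master_pw: Path, out_dir: Path, home: Path,
                   stamp: str) -> tuple:
    """Steps 2-4 of the post: session key, encrypted archive, wrapped key."""
    key_file = out_dir / f"{stamp}.passphrase.txt"
    key_file.touch(mode=0o600)
    key_file.write_text(new_session_key())
    blob = out_dir / f"{stamp}.backup.tar.bz2.gpg"
    _gpg(SYM + ["--passphrase-file", str(key_file), "-o", str(blob),
                str(archive)], home)
    wrapped = out_dir / f"{stamp}.passphrase.txt.gpg"
    _gpg(SYM + ["--passphrase-file", str(master_pw), "-o", str(wrapped),
                str(key_file)], home)
    key_file.unlink()  # only blob and wrapped leave the machine (step 5)
    return blob, wrapped


def decrypt_backup(blob: Path, wrapped: Path, master_pw: Path, out: Path,
                   home: Path) -> None:
    """Unwrap the session key with the master passphrase, then decrypt."""
    key_file = blob.parent / (blob.name + ".key.tmp")
    try:
        _gpg(["--passphrase-file", str(master_pw), "-o", str(key_file),
              "-d", str(wrapped)], home)
        _gpg(["--passphrase-file", str(key_file), "-o", str(out),
              "-d", str(blob)], home)
    finally:
        if key_file.exists():
            key_file.unlink()


def demo_round_trip():
    """Encrypt two backups, restore one, show key isolation between them.

    Returns None when gpg is not installed, else a dict of check results.
    """
    if not gpg_available():
        return None
    work = Path(tempfile.mkdtemp())
    home = work / "gnupghome"
    home.mkdir(mode=0o700)
    env = {**os.environ, "GNUPGHOME": str(home)}
    try:
        master = work / "master.txt"  # in real use lives only on the local box
        master.write_text("constructed-master-passphrase-for-the-demo\n")
        a = work / "a.tar.bz2"
        a.write_bytes(b"constructed archive A contents\n" * 64)
        b = work / "b.tar.bz2"
        b.write_bytes(b"constructed archive B contents\n" * 64)
        blob_a, key_a = encrypt_backup(a, master, work, home, "2020-01-01")
        _, key_b = encrypt_backup(b, master, work, home, "2020-01-02")
        restored = work / "a.restored"
        decrypt_backup(blob_a, key_a, master, restored, home)
        try:  # backup B's session key must not open backup A
            decrypt_backup(blob_a, key_b, master, work / "cross", home)
            cross_fails = False
        except subprocess.CalledProcessError:
            cross_fails = True
        return {"roundtrip_ok": restored.read_bytes() == a.read_bytes(),
                "cross_decrypt_fails": cross_fails}
    finally:
        if shutil.which("gpgconf"):
            subprocess.run(["gpgconf", "--kill", "gpg-agent"], env=env,
                           check=False, stderr=subprocess.DEVNULL)
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo_round_trip())
```

On the question itself: the master passphrase does unlock everything, so the scheme is indirection, not extra secrecy for the master. What it buys is that every archive sits under an independent 256-bit key rather than a reused passphrase, that the passphrase-stretching cost is paid on a tiny wrapped-key file rather than on each archive, and that rotating the master means re-wrapping a handful of small key files instead of re-encrypting every backup. Gotchas worth handling as above: keep the unwrapped session key on disk no longer than the gpg call needs it, use loopback pinentry with `--passphrase-file` so the script never falls back to an interactive prompt, and disable the agent's symmetric-passphrase cache so a session key does not linger in memory after the job.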

Wolfram Cloud Slowdown

Has anyone noticed a slowdown in Wolfram Cloud rendering? With @JanPöschko’s help I’ve been using Wolfram Cloud to share docs for my EcoEvo package. I just updated them and noticed that it takes a long time to render now.

The main Guide page takes 1 second to load, but 1 minute 40 seconds to make all the links active (watch the tiny blue progress bar under the “Wolfram Notebook” header). Before the page has rendered, clicking on a link brings up a popup saying “Starting interactivity…”. After it is done, clicking on a link is unresponsive for 25 seconds before going to the linked page.

I don’t remember it being so slow before. Has something changed?

Securing media uploading to the cloud from reverse engineering

I own a multiplayer RPG written in Java, in which players can fight each other.

Recently I planned a new feature: the last 15 seconds of your fight and the “knockout” are saved, a gif of the fight’s ending is created and automatically uploaded, and it is linked to your account and can be viewed on the game’s website gallery.

Strategy I planned to use:

  1. The server sends a start-recording packet to the client to start recording the graphics buffer.
  2. The client clears the buffer and only keeps the latest 15 seconds (X frames) of the current fight.
  3. When the fight ends, the server sends a stop-recording packet. This packet contains a pre-signed URL generated by the server, which the client uses to upload the gif it creates in this step. The pre-signed URL has the user’s ID encoded so that the upload is linked to the user, and a record is created in the database as well, either on presign or on the upload callback.

Might use AWS S3 as my storage.

What is the issue?

People can reverse-engineer my client, then start fights and upload any gifs they want, including pornographic and unrelated content.

Is there a way, besides image processing, to solve this issue?
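The pre-signed upload from step 3 of the strategy above, as an added example that is not the game's code: server-side generation of an S3 pre-signed POST policy using only the Python standard library (the post does not say what the server is written in; the same steps apply in Java). The bucket, region, credentials, user and fight IDs and the timestamp are made-up placeholders. The server derives the object key from the user's ID, so the upload is linked without trusting the client, and the policy pins the content type, a size range and an expiry; `verify_signature` reproduces the check S3 performs on receipt.

```python
"""Server-side pre-signed S3 POST for the fight-recording upload.

Added example, not the game's code. Stdlib-only SigV4 POST-policy signing;
bucket, region, credentials, ids and timestamps are made-up placeholders.
The policy pins the object key (user id and fight id chosen by the server),
the content type, the size range and the expiry, so a modified client can
only put one gif-typed object of bounded size at the key the server chose.
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """AWS SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def presigned_post(bucket: str, region: str, access_key: str, secret_key: str,
                   user_id: int, fight_id: str, now: datetime,
                   max_bytes: int = 5_000_000, ttl_seconds: int = 300) -> dict:
    # The server chooses the key; the client cannot pick another user's path.
    key = f"fights/{user_id}/{fight_id}.gif"
    date_stamp = now.strftime("%Y%m%d")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    credential = f"{access_key}/{date_stamp}/{region}/s3/aws4_request"
    expiration = (now + timedelta(seconds=ttl_seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")
    policy = {
        "expiration": expiration,
        "conditions": [
            {"bucket": bucket},
            ["eq", "$key", key],
            ["eq", "$Content-Type", "image/gif"],
            ["content-length-range", 1, max_bytes],  # hard cap on upload size
            {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
            {"x-amz-credential": credential},
            {"x-amz-date": amz_date},
        ],
    }
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         policy_b64.encode(), hashlib.sha256).hexdigest()
    return {
        "url": f"https://{bucket}.s3.{region}.amazonaws.com/",
        # The client posts these as multipart form fields, with "file" last.
        "fields": {
            "key": key,
            "Content-Type": "image/gif",
            "x-amz-algorithm": "AWS4-HMAC-SHA256",
            "x-amz-credential": credential,
            "x-amz-date": amz_date,
            "policy": policy_b64,
            "x-amz-signature": signature,
        },
    }


def decode_policy(fields: dict) -> dict:
    """What the client (or S3) sees inside the opaque policy field."""
    return json.loads(base64.b64decode(fields["policy"]))


def verify_signature(fields: dict, secret_key: str, region: str) -> bool:
    """S3's check on receipt: re-derive the key from the credential scope."""
    date_stamp = fields["x-amz-credential"].split("/")[1]
    expected = hmac.new(signing_key(secret_key, date_stamp, region),
                        fields["policy"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, fields["x-amz-signature"])


def example() -> dict:
    """Fixed, made-up inputs so the output is reproducible."""
    return presigned_post(
        bucket="example-fight-gifs", region="us-east-1",
        access_key="AKIAEXAMPLEEXAMPLE", secret_key="example-secret-not-real",
        user_id=4242, fight_id="f-0001",
        now=datetime(2020, 1, 1, 12, 0, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(json.dumps(example(), indent=2))
```

S3 rejects a POST whose key, Content-Type or size differ from the policy, or whose policy has expired or been altered, so a tampered client is confined to one gif-typed object of bounded size at a path the server chose for that user and fight. What the policy cannot do is tell a genuine recording from any other gif-shaped bytes of the right size; that is the part of the question a pre-signed URL does not address, which is why the server should issue a policy only from the stop-recording path and at most once per fight it actually observed, so that uploads are at least tied to real fights.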

put some function in cloud and execute from any place cellular phone or tablet or laptop

Mostly I would like to get back a small string produced after entering a few integers…

Anyway, the function is:

    pw[j_Integer, nd_Integer, sl_Integer, oeo_Integer] :=
      Style[
        StringJoin[" ",
          Map[ctec[[# + 1]] &,
            First[RealDigits[N[1/Prime[j*sl + oeo], (j*sl + oeo)*10*5],
              Length[ctec], nd, -sl*oeo]]],
          " "],
        FontSize -> 25, FontColor -> Red, Bold, Background -> Yellow]

where ctec is a list of all key-able characters in Latin-kb

Do any API-based CASB use native DLP features in cloud applications?

I think I’ve understood what CASBs are and the differences between proxy-based and API-based architectures. What is still unclear to me is how exactly API-based CASBs function.

I know most products use APIs to traverse the cloud document storage and download and inspect the documents, or maybe even use APIs to download audit logs from the service. But, for example, Office 365 offers DLP features such as Exchange mail flow rules or Office 365 DLP rules. Do any API-based CASBs also automatically configure and use these DLP functions?

Does the Stinking Cloud spell not cause a creature affected by the Sleep spell to wake up?

A player party is battling multiple enemies, one of which has been rendered unconscious by the Sleep spell. The PC Bard decides to comedically incapacitate the other enemies by casting Stinking Cloud on them, but the unconscious enemy also happens to be in this spell’s area of effect. The DM judges that the sleeping enemy (failing a CON save) would be awakened by the act of choking from the gas, though they would also be incapacitated for a round.

According to the stinking cloud spell description in the 5e SRD:

On a failed save, the creature spends its action that turn retching and reeling.

The description of the sleep spell indicates that it remains in effect

until the spell ends, the sleeper takes damage, or someone uses an action to shake or slap the sleeper awake.

However, while the stinking cloud spell is treated as “poison” for the purposes of the saving throw, it does not directly cause damage, nor has someone directly shaken or slapped the affected character.

Has the DM made an incorrect ruling on the interaction of these spell effects, based on a strict interpretation of the rules for removing sleep’s effects?

If a character casts Fog Cloud around themselves before moving away from an enemy, do they provoke an opportunity attack?

Our party was forced to brawl against a group of orcs in order to gain their respect to speak with their chieftain (long story, we had very good reason for doing this). It then became a battle royale.

Our wizard was at low health and next to our paladin, and had the idea to cast fog cloud to capture himself and the paladin within it so he could leave combat. He cast the spell, and then came down to the debate of whether the paladin would get an opportunity attack even though she was blinded.

The wizard was in threat range, but does an effect that causes an area to become heavily obscured cause the paladin to lose threat range, allowing the wizard to successfully flee to another area of the ring?

Or does the paladin still have threat range and attack the wizard, even with fog cloud covering both of them?

I looked over the rules for 15 minutes after this situation, but nothing came up. It was ruled in-game that it was fine to make an opportunity attack with disadvantage, but that just doesn’t feel right. She might have heard the wizard stepping away, but the fog cloud was already in place. By the D&D rules, would the paladin have been able to make the opportunity attack or not?

Secure connection on-prem to cloud over SFTP(22)

Excuse me if I am asking about fundamental concepts here.

  • The requirement is to set up a one-way secure connection to develop a new environment in the cloud.

  • The proposed solution is to use SFTP. The firewall request was as follows: source 10.90.x.x to the 10.115.x.x/25 subnet, port 22 and port 40039.

My concerns on reviewing this firewall request:

  1. Is port 40039 secure? My quick search shows it as a registered port.

  2. What could be the reason they need to receive the files on a /25 subnet? Is it a valid ask to enable only one IP instead of the /25?

Thanks a lot.

Question about jobs regarding Datacenter Security / Cloud Security

First post here!

I have a question regarding pursuing a career related to datacenter security (an Iron Mountain type company or a data integrity type company) or cloud security where I am not tied to a desk. I have a huge issue with being in an environment where I cannot be constantly on the move. I was looking into DLP or anything related to surveillance, but can’t seem to pinpoint the exact job. Does anyone have any idea of the job that would be best for me?

TL;DR

Looking for a job prospect where my skills in network security/infosec can be translated into installing and securing physical and logical based systems without being just tied to a desk.

Thanks in advance!