Threema: Are received messages exposed, when sender’s private key gets compromised?

Note: This question is specific to the Threema Messenger, and relates to their implementation of encryption (using the NaCl ECDH implementation as per their docs).

I refer specifically to their “note on outgoing messages” in their validation document on their website:

It may seem strange that outgoing messages can be decrypted by entering the sender’s private key and the recipient’s public key, i.e. without knowing the recipient’s private key. …

Now, consider this scenario:

  • Alice has received a message from Bob, while Eve records/intercepts traffic as person-in-the-middle on the way to Alice.
  • Alice’s public key of course is public, but Alice never disclosed the private key.
  • Eve somehow gets the private key of Bob.

With Bob’s key and the traffic, could Eve now decrypt all content Bob has ever sent to Alice?

In other words, with Threema, is the privacy of received content dependent on the safety of the private key of the SENDER?

Risk/CVSS of exposed web admin portal to the internet

More of a philosophical question: suppose there is one behavior which allows an attacker to do something with high impact but by itself cannot be used to cause that impact. For example, an internet-accessible admin portal which, even though it still requires authentication, doesn’t have an IP whitelist or 2FA.

Suppose that using the admin portal, an attacker can upload a shell and compromise the whole server.

Would you classify just having relaxed controls on the admin portal authentication as vulnerability?

If yes, what would you say is the CVSS score?

The risk? I guess here the impact is high, but the likelihood would be in relation to how easy it is for someone to acquire valid credentials (which in most cases should be very low).

I would say it’s not a vulnerability since one needs valid credentials to actually be able to use the portal. But I hear people having a lot of different opinions, so I would like to see some other people’s thoughts.

It’s similar to having a gun (admin portal) without bullets (credentials). It’s only dangerous if you somehow manage to get bullets.

Code Change That Resulted in Database Fields and Values Exposed

At my company, we have a new development team that has been completely rewriting all of the code for different parts of the system.

I’ve noticed that with one of the recent changes, you can now see the JSON data for all of the fields and values for each field that exist in our database for that particular section of an account where a user is logged in. You can do so simply by using Developer Tools in Chrome.

Is this a bad idea from an information security perspective? Why or why not?

Disclaimer: I am not part of any development team, but would like to make others aware so that this can be dealt with appropriately if it is a security concern.

Is 2FA via mobile phone still a good idea when phones are the most exposed device?

Everyone knows that two factors are better than one. My problem is that often the only second factor allowed is text messages to your mobile phone. This creates two concerns:

1) I travel frequently overseas and lose access to 2FA accounts any time the associated SIM card can’t touch a network.

2) Your phone is inherently your least secured device. I install way more software and download way more files on my phone than anywhere else with much less ability to verify sources or control access. For example, nearly every app requests sweeping permissions to function correctly. Even apps that aren’t granted explicit permissions have been found to backdoor those permissions through Google services.

I feel like linking my phone to sensitive accounts (such as banking) would actually make them more exposed to attack and more difficult to maintain legitimate access.

How can I avoid getting exposed while travelling to Russia?

I am a Japanese student learning the Russian language and will soon travel to Russia to have a kind of internship or training.

I have a security concern and a background to it. The background is that I actively participated in Internet discussions on the Russian social network vk.com under a fake name and made many provocative posts there, so a number of people explicitly wrote there that they would do their best and utmost to find my real identity and make it public. My posts are definitely of no concern to police and were not even deleted by the admins, but quite a large number of people got really agitated as my posts were about politics, religions, cultures, and similar sensitive stuff and written in a provocative manner. I cannot afford getting my real name publicly associated with those posts, but I did not see how people could find my real name, so I even made some posts saying they would not be able to find my name.

Some time ago one Russian sent me a message telling me he had discovered my real Japanese IP addresses, and he told me some of them. Although I had not used any proxy servers to make my posts, I got shocked, because vk.com is not supposed to share my IP addresses with anyone. The guy then wrote he had been able to find my IP addresses because he works in a Russian company that has access to a lot of data related to the use of the Internet in Russia. He added that he had somehow tried to find my real name based on my Japanese IP addresses, but had not succeeded. Indeed, my Japanese IP addresses do not give any leads, and no Japanese provider will tell my name to Russians.

Now I am travelling to Russia and intend to use there the same laptop I used to make my posts; I will be given an Internet connection in Russia and, in view of what the guy told me, will obviously need to avoid any possibility of leaving any traces in Russia that could link my Russian IP address with my past posts. The reason is that knowing my Russian IP, people might find my real name by contacting my Russian hosts. Ideally, I would like to continue using the same account in the social network to make posts while staying in Russia.

My question is this: What should I do to meet these needs?

I am asking because I know little about such security matters and, in particular, what kind of information is collected from my laptop by Internet providers and servers such as vk.com, so I am afraid to even connect my laptop to the Internet in Russia. I humbly hope that security experts of this SE could kindly instruct me how I can safely use my laptop in Russia without any risk of getting exposed in relation to my past posts made from Japan from the same laptop, given that at least one Russian who wants to find my real identity may have access to any data related to the use of the Internet in Russia.

Toggle between back end database exposed as webservice to database as failover

We are developing an API.

1) Our API will consume data in real time from a database exposed as a web service.

2) If our back-end database (web service, on-premises) goes down, our API should switch to a NoSQL DB hosted on the Azure cloud (which is not real time) to maintain business continuity.

3) We are using .NET Core (C#) for the API code, Azure APIM as the API gateway, an IIS server, and Azure Kubernetes as the deployment strategy.

4) My question is: what is the best approach to achieve this? (Should I handle this on the infrastructure side or in code?)

What info is exposed inside the Site Activity modern web part? Can I know what other users viewed?

I have added a “Site Activity” web part inside our modern team site. To check what this web part exposes, I logged in using 2 different users (UserA & UserB).

UserA will see what he/she has viewed and what others have edited.

UserB will see what he/she has viewed and what others have edited.

So can I conclude that the Site Activity web part will never expose what other users have viewed, and will only expose this view info to the same user? Or is this not always the case?

Thanks

Lists/Libraries: Why are not all existing fields exposed as site columns?

I was wondering what determines if an internal field of a list or library is made available as an actionable site column. More precisely, I was trying to add the published state as a column in a site pages library. However, this field is not available to add as a site column but it exists as an internal field named _ModerationStatus. How can I achieve this? Thanks!