Accessibility – NVDA not reading text in navigation using arrow keys

am facing an issue with NVDA screen reader where in its not reading the links or text in a navigation.

Link – https://codepen.io/yogesharora28/pen/WNNPQKV

Am using arrow keys to navigate in NVDA, and if i move from a sub menu to next menu, for e.g. going from “home” and reading the items in its sub menu, moving next to “About us” menu, it wont read “About us”, instead reads the sub menu items of “about us” Any idea what could be going wrong?

Will using CTR mode with unique IVs, but only one password for encrypting multiple files, leak data or keys?

I’m working on a project to encrypt many files with a single password.

The steps I will employ to encrypt the files are:

  1. user will execute a command similar to tool --encrypt --recurse directories/to/recurse and-other-files.txt
  2. the user will be prompted for a password
  3. two 64 byte crypto random salts and a 16 byte crypto random IV will be generated
  4. no 2 files will ever use the same salts or IV
  5. each individual salt will be combined with the password to create to 2 separate argon2id keys
  6. one key will be 32 bytes long and is used for the AES-256 cipher block
  7. the other will be 64 bytes long and will be used as the key for a sha-512 hmac
  8. the resulting encrypted file will be written as 2ByteVersion:64ByteHMACSalt:64ByteCipherBlockSalt:16ByteIV:EncryptedData:64ByteHMACSignature

I believe this would result in a reasonably secure, set of encrypted files. My main concern though, is that because of the way that users will use this tool, there is a good chance that they will accidentally encrypt small, easily guessed files.

And since CTR mode doesn’t require padding, anyone with access to the encrypted file will know the length of the plaintext file. It seems that CTR mode is considered secure for files, provided the IV is unique for each encryption run and the file is authenticated.

Is there a chance that the cipher key, HMAC key, or password could be derived through a known plaintext attack from enough small guessable files? Are there any other glaring flaws in my methodology that could leak data?

Why is Debian not showing the GPG signatures on keys that Arch Linux is?

I downloaded a Qubes OS ISO and I’m trying to verify its legitimacy using this guide. GPG was behaving weirdly, so I created a separate user with a separate keyring to reproduce the issue.

When I try to verify the key on my Debian system, the signature on the release signing key is not there:

$   gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc gpg: directory '/home/test/.gnupg' created gpg: keybox '/home/test/.gnupg/pubring.kbx' created gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc' gpg: /home/test/.gnupg/trustdb.gpg: trustdb created gpg: key DDFA1A3E36879494: public key "Qubes Master Signing Key" imported gpg: Total number processed: 1 gpg:               imported: 1 $   gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc' gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported gpg: Total number processed: 1 gpg:               imported: 1 $   gpg --list-sigs "Qubes OS" pub   rsa4096 2017-03-06 [SC]       5817A43B283DE5A9181A522E1848792F9E2795E9 uid           [ unknown] Qubes OS Release 4 Signing Key sig 3        1848792F9E2795E9 2017-03-06  Qubes OS Release 4 Signing Key $   

I expected another line with a signature from the master key, such as

sig          DDFA1A3E36879494 2017-03-08  Qubes Master Signing Key 

Surprised, I decided to check on another system. This one is running Arch Linux. I trust it less than the Debian system. Perplexingly, the signature does show up — the output is just as above, but with the added signature line.

The GPG version is 2.2.17 on both machines.

What could be causing this discrepancy?

Are there any security concerns with storing private keys in browser’s javascript?

I’m working on a web app, and I know little about security/cryptography (for now, still learning) but I’m trying to set up a front-end where:

At the very beginning, the user puts in their private key.

The key is stored as a variable in javascript.

Any time the user does anything to interact with the backend, the key is used to sign or encrypt whatever data it needs to, the data is sent, and when the user is done with everything, they close the browser.

Is this a secure way of doing this? Can anything but my JS code access this key in the process?

(P.S. it’s gonna be RSA or ECC so asymmetric, private key is only known by front end user)

How do you change the brightness values for the keyboard function keys?

I’m running Ubuntu 18.04 on an HP Spectre x360 13″. My brightness keys work great, however I’d like to be able to change the minimum brightness displayed. For instance, at the lowest possible setting before going black, I have this:

$   cat /sys/class/backlight/intel_backlight/brightness 1201 

However this is extremely bright in a dark room. A value of 200 would be more appropriate. Is there a way to adjust this?

Thanks!

How to automatically obtain keys in Evolution for e-mail recipients? (key discovery)

I am using the PIM Evolution 3.22.6 for e-mail and contacts. For encrypting e-mails gpg (GnuPG 2.1.18) is used by Evolution.

How can I configure my system such as when I compose an e-mail the PGP key for the recipients are automatically retrieved from key servers and added to my keyring?

For example when I try to send an e-mail to a recipient, which is not in my keyring I get the following error message: gpg: <edward-en@fsf.org>: skipped: No public key

In case I run – outside of Evolution – gpg --search-keys edward-en@fsf.org a key is successfully found. Is there any way to tell Evolution to deal with the search?