Can a Keypass file theoretically be cracked offline?

So you create a .kbdx file, protected by a password.

AFAIK in asymmetric key schemes and in WPA-AES brute-forcing consists of:

  • try a random password on the private key / on the router
  • if it doesn’t log you in, try another.

So you immediately know did you hit the correct password.

What about a password manager’s database? You know nothing about the content of the file. How do you know you did manage to crack it?

Are Online Problems always harder than the Offline equivalent?

I am currently studying Online-Algorithms, and I just asked myself if online Problems are always harder than the offline equivalent.

The most probable answer ist yes, but I can’t figure the reason out why.

Actually I have a second more specific question. When an offline Problem has some integrality gap ($ IG\in[1,\infty) $ ) we know in an offline setting, that there is generally no randomized rounding algorithm which achieves a ratio $ C\geq IG$ .

Can this just be adapted to the online problem? If some fractional algorithm has competitive ratio $ c_{frac}$ can some randomized rounding scheme only reach competitive ratio as good as $ \frac{c_{frac}}{IG}$ ?

Thanks in advance.

Can I use Google Analytics to implement offline conversion tracking?

In a Google Ads account I’m working on, all conversions are imported from Google Analytics. How can I define a Google Analytics goal which has the Google Click ID configurable, i.e. such that reaching the goal is associated with a previously seen Google Click ID? I.e. can I have something to the effect of Offline Conversion Tracking except that I use Google Analytics (and maybe even Google Tag Manager)?

Background:

I’m working on a site which has its analytics managed via Google Tag Manager; some events configured in GTM trigger goals in Google Analytics, which in turn are imported as conversions in Google Ads. For example, “visitor requested a trial account” is a user interaction which is tracked like this.

I’d now like to track if people who requested a trial account actually logged in – and if so, track this as a conversion, too. When a visitor logs into his account, I can check a database to figure out the Google Click ID (if any) which the user got assigned when requesting his account. In case a GCLID is found, I’d like to have a GTM trigger which triggers a tag which bumps a Google Analytics goal (which in turn is imported as a conversion in Google Ads).

Configuring Google Tag Manager accordingly seems straightforward. However, it’s not clear to me what kind of Google Analytics Goal to create which explicitly specifies a click ID.

Definitions of and difference between adaptive online adversary and adaptive offline adversary?

I recently started learning about randomized online algorithms, and the Wikipedia definitions for the three adversary models are very unhelpful to put it mildly. From poking around I think I have a good understanding of what an oblivious adversary is. From my understanding, the oblivious adversary must determine the “worst possible input sequence” before we even start running our algorithm. Let $ I_w$ denote the worst possible input sequence this adversary comes up with. (I.e., the input sequence that produces the greatest gap between the best that can be done and what we expect our algorithm to do.)

We then say that our algorithm is $ c$ -competitive (for a minimization problem) under this adversary if $ $ E[Alg(I_w)] \le c \cdot Opt(I_w) + b$ $ where $ c,b$ are some constants, $ E[Alg(I_w)]$ is the expected value of our algorithm on the input, and $ Opt(I_w)$ is the cost if we had made perfect decisions. (I.e., if the problem went offline.)

My confusion concerns the adaptive online and adaptive offline adversaries. I neither fully understand their definitions nor the difference between them. I will list my confusions directly below.

  • As I understand it, both of these adversaries somehow build the input sequences as your online algorithm runs. This says before you create the input at time $ t$ , unlike in the case of the oblivious adversary, both the adaptive online and adaptive offline adversaries have access to the outcomes of your algorithm at time steps $ 1, \ldots , t-1$ . Then it says that in both cases the adversary “incurs the costs of serving the requests online.” The difference being that for the online adaptive adversary, it “will only receive the decision of the online algorithm after it decided its own response to the request.” Does this mean that the difference is that the offline adaptive adversary can see how your algorithm performs during future steps? Or just the present step? But then why is it still incurring the cost of serving requests online?
  • This source contradicts the source above. It says that the adaptive offline adversary “is charged the optimum offline cost for that sequence.” Like I said previously, the previously source says both incur “the cost of serving the requests online.” What does it even mean to incur the cost of serving requests online vs. offline? Which is correct?
  • This takes a completely different tack and talks about knowing randomness (online adaptive) vs. knowing “random bits” (offline adaptive). Is this equivalent somehow? How so?
  • How does the definition of the competitive ratio change for these two adversaries? Most sources I looked at just defined the competitive ratio for the oblivious adversary.

A simple example of each to illustrate the difference would be much appreciated. Thanks for the help!

MS SQL Express 2016 on Amazon AWS: I Can Take Database Offline but Can’t Bring It Online

I can take databases offline (via GUI) but can’t bring them back online. The server details are as follow:

RDBMS: MS SQL 2016 Express Host: Amazon AWS/RDS Free Tier

Details/History of the Problem A few months ago, I created a db instance on Amazon AWS and at the time of creation, the ‘master/admin’ account was setup via the AWS/RDS web page. With this ‘admin’ account, I have created several databases on that instance without any problems.

Over the past few months, I have used this ‘admin’ account to change several databases to contained databases. I do this so that I can setup contained users. I have also done this several times on this server instance with the same admin account with no problems.

Last night, I had just created a new database via this admin account. I then tried to set this new database as a contained database and the process failed. The dialog box error message stated among other things “please try again later”.

After the 3rd failed attempt, I decided to take the database offline (via the GUI in SSMS). I did this in a bid to force close any possible open processes or connections that might be on this new database. That worked. However, I have not been able to bring it back online. I have tried via the GUI and also via a query and it keeps failing.

I have then checked the server roles assigned to this ‘admin’ account. It is not part of sysadmin role. As I understand, the ‘sysadmin’ role can do absolutely anything on the db instance. I reckon my admin account is not of this sysadmin role because it is meant for the in-house DBAs at Amazon AWS. I have tried to add it as sysadmin but it fails.

To ensure that my ‘admin’ account is the problem, I have taken another database offline (it’s empty). It went offline but it is also failing to come back online.

What could be the problem? Please help. Note that my skill level is very very low and I’m learning as I go along.

The server logs don’t show anything useful. I have attached screenshots.

1. Bring DB Online Error (via GUI)

2. SQL Server Log

3. Server Roles of My Admin Account

4. Failure to add SysAdmin Role to Admin Account

How to secure an offline resource using offline software but with occasional server access?

My application is a (Windows) desktop application that is required to operate fully offline. To enable this, I have a local data cache that keeps a synced copy of server data.

How can I secure this local data from any access other than my software?

I know that for fully offline software, this is impossible; any encryption aspects like key, salt, password, etc. that my software used would have to be embedded in the software itself, and this could be recovered from the executable.

But my application also has a requirement that it connects to the home server at least every 5 days for updates, during which time it could download anything.

Is there an algorithm that would allow the application to encrypt the data, using an encryption key that’s downloaded every so often, based on information that only the server would know?

How to facilitate the export of secret strings from an offline system?

I want to use Shamir’s Secret Sharing algorithm to store a randomly generated passphrase securely by spreading the secret shares on paper for example.

The passphrase is generated on an offline system. I am looking for a way to ease the process of “exporting” those secrets which can be quite long (~100 hexadecimal characters).

First I converted the secrets from hexadecimal to base64. That is not bad but not enough.

Then I tried to compress the strings using different methods but because it is random data it does not compress well (or at all).

Then I though of printing them as QR code, it works fine but the issue comes later when I need to import the secrets back, because I would need a camera.

Is there anything else I could try?

Checkout system with offline payments

I’m trying to find the best way to handle offline payments (e.g. internet bank transfer) into a site which offers services like courses.

At present there is a course registration form, when successfully completed the user receives a confirmation screen and email which states that payment is required, confirms the amount and bank account details.

I’m concerned that when a user completes this process it may feel as though they have achieved a booking or reservation, regardless of the information that follows.

For management a difficulty is that once the checkout is completed it takes a minimum of 24-48 hours before the payment can be confirmed. Also, the user may choose to not pay immediately (or at all). During this time the list contains unpaid booking requests, and it’s proving hard to manage the attendee list and be sure of who is coming.

I’m wondering if anyone has encountered this problem before and if there is a better way to handle the checkout process.

More information:

The UX objective is to have an easy to use system for a user to create a course booking, where if they choose to pay ‘offline’ it is clearly understood that there is no reservation of a place until the payment has been made.

It could simply be that a standard process like the current one is fine, we just need to work the copy so that it communicates this well.

Another possibility I’ve considered is a system where ‘offline’ payments are completed before the booking form is completed, identified using a unique code sent via email. This might better reflect reality but it would also be pretty unusual and could put people off.