Is it safe to pg_dump and pg_restore a new postgres database that has malware?

I’m pretty sure there is a crypto bot eating up my CPU through a postgres script. I would like to create an entirely new VM, and move my database with it using pg_dump and pg_restore. I already checked my postgres for new users, tables, databases; couldn’t find anything odd there which could comprise me if I move my data. I’m a little worried however because the bot is some how getting access to my postgres, and nothing else on my VM.

Thank you for the help.

Is it always safe to use WITH SCHEMABINDING in a UDF?

SO I have been reading about WITH SCHEMABINDING and how it can improve the performance of queries using a scalar UDF by omitting the table spool operator from the execution plan. I think I understand halloween protection.

My question is: If I add WITH SCHEMABINDING to a UDF used in a SP is it possible that a SP does not give the same results? If yes in what scenario?

Is it safe to use the Windows “Compress directory to save space” feature on the directory that contains my MySQL general log file?

I have changed MySQL 8 on my Windows 10 development machine to write logfiles (general log and slow queries log) to "E:\mysql logfiles". I’d like to compress this directory using the Windows "Compress Directory to save space" advanced feature in the Windows 10 directory properties to save space (currently my logfile is over 50 GB). I’m wondering though: is this a good idea? Or will this break MySQL in (subtle or not) ways?

Is it safe to extract file from potentially infected disk

I have a hard drive used for years, there are windows and many personal files on it. What I called "files" are images, musics, documents (pdf or docx), but not programs. All the "files" were not initially infected. As I said in the title, the hard drive may be infected by malware (I did not safely use it).

My question is : can I extract these personal files on a safe computer without risk of contamination ? In other words, may these files be infected and spread malware ?

Is Deluge safe to use still when it’s not been updated since the first part of 2017?

https://dev.deluge-torrent.org/wiki/Download

https://ftp.osuosl.org/pub/deluge/windows/?C=M;O=D

The latest version of Deluge for Windows that can actually be downloaded and installed is deluge-1.3.15-win32-py2.7.exe from 2017-05-12.

That’s well over three years ago now!

They have been discussing the problems of releasing the new version for years, but nothing comes from it. Like so many slowly dying (but never quite gone) projects I’ve painfully witnessed in the last many years.

Doesn’t this more than likely make it extremely unsafe for me to be running this software on my machine? I feel as if it’s an open door to my machine, almost certainly containing unpatched exploits.

Yet the sad reality is that there are no alternatives. uTorrent is an ad-infested spyware nightmare since many years, and others… well, just like with browsers, I’ve given up on searching because there’s just nothing out there. Nobody seems to care one bit about the entirely desktop computer anymore.

Can I still use this ancient software? If so, how much longer?

Just adding basic token by POST parameter for securing the API. It is safe?

Let’s say I have an address for an API like this:

mywebsite.com/api/mydata 

If accessed, a JSON will appear like this:

[   {     "id":"1",     "name":"John"   },   {     "id":"2",     "name":"Smith"   } ] 

The result defaults will be displaying the entire data if a post has no parameters. If you use post "ID" and the ID parameter value is one of the existing data in the API, it will only display objects from the data selected based on the ID. The API can be accessed by anyone. API needs to be accessed using token parameters to secure the data.

Let’s say I add a token parameter to be able to access data like this:

yourtoken="yourtoken"  if (post_param[token]==yourtoken) {   // Displaying JSON } 

so if you want to open the API, you need to add a token parameter.

Is simple security like this worth using? what vulnerabilities will arise if I use this? is there a better way than this?

Establishing safe connection in Java

In my Java project I’m trying to create a 100% secure method of communication between the method and the client. I used to use this process:

Client: generates 4096-bit RSA keypair Client: sends public to server Client: generates 256-bit AES key Client: encrypts AES key using RSA and send Server: decrypts AES key from RSA Server & Client now communicate using AES only 

But I found out this isn’t safe as it can easily be ruined by a man-in-the-middle attack. I began researching TLS and found out about security certificates. My question is this: if the client generates the RSA keypair, signs it using the certificate, and sends it to the server, what stops a MITM from doing the same thing (assuming the certificate is publicly available, which I assume it would be because the server and the client would both need it).

When I use OpenSSL to generate a certificate it always provides an RSA key alongside it. Isn’t it safer to generate a new keypair for each connection, or do I actually use this particular key? What am I missing about the standard pattern for TLS?

Android: How safe is PBKDF2 with a 4 digit pin?

Our Product Manager wants a 4 digit pin for login in our app, obviously for UX reasons, so user don’t have to remember their password each time when they login.

A refresh token can be retrieved from backend to obtain a session token, which have access to the API. On our app, we encrypt the refresh token with AES and PBKDF2. A random salt and IV are generated plus the 4 digit used as password for PBKDF2.

After the encryption, I store the salt, IV and the cipher text base64 encoded in private shared preference.

The encryption code looks like this:

const val CPR_TRANSFORMATION = "AES/CBC/PKCS7Padding" const val ALGORITHM_TYPE = "PBKDF2WithHmacSHA1" const val ITERATION_AMOUNT = 12000 const val KEY_SIZE = 256  private fun encrypt(passCode: String, data: ByteArray): Encrypted { //e.g.: passCode = "0000"     val salt = ByteArray(256)     SecureRandom().nextBytes(salt)      val iv = ByteArray(16)     SecureRandom().nextBytes(iv)      val cipher = Cipher.getInstance(CPR_TRANSFORMATION)     cipher.init(Cipher.ENCRYPT_MODE, getSecretKey(passCode, salt), IvParameterSpec(iv))     val raw = cipher.doFinal(data)     return Encrypted(salt.encodeBase64(), iv.encodeBase64(), raw.encodeBase64()) }  private fun getSecretKey(passCode: String, salt: ByteArray): Key {     val pbKeySpec = PBEKeySpec(passCode.toCharArray(), salt, ITERATION_AMOUNT, KEY_SIZE)     val keyBytes = SecretKeyFactory.getInstance(ALGORITHM_TYPE).generateSecret(pbKeySpec).encoded     return SecretKeySpec(keyBytes, KeyProperties.KEY_ALGORITHM_AES) } 

Now my question is: How secure is this implementation?

  • How could an attacker retrieve the refresh token from shared preference and decrypt it?
  • Is the symmetric key inside secure element?
  • How safe is this implementation against malware or root?
  • How easy can the key be brute forced? (except that user tries 10k times manually to insert the correct pin)