Is it safe to extract file from potentially infected disk

I have a hard drive used for years, there are windows and many personal files on it. What I called "files" are images, musics, documents (pdf or docx), but not programs. All the "files" were not initially infected. As I said in the title, the hard drive may be infected by malware (I did not safely use it).

My question is : can I extract these personal files on a safe computer without risk of contamination ? In other words, may these files be infected and spread malware ?

Is Deluge safe to use still when it’s not been updated since the first part of 2017?

https://dev.deluge-torrent.org/wiki/Download

https://ftp.osuosl.org/pub/deluge/windows/?C=M;O=D

The latest version of Deluge for Windows that can actually be downloaded and installed is deluge-1.3.15-win32-py2.7.exe from 2017-05-12.

That’s well over three years ago now!

They have been discussing the problems of releasing the new version for years, but nothing comes from it. Like so many slowly dying (but never quite gone) projects I’ve painfully witnessed in the last many years.

Doesn’t this more than likely make it extremely unsafe for me to be running this software on my machine? I feel as if it’s an open door to my machine, almost certainly containing unpatched exploits.

Yet the sad reality is that there are no alternatives. uTorrent is an ad-infested spyware nightmare since many years, and others… well, just like with browsers, I’ve given up on searching because there’s just nothing out there. Nobody seems to care one bit about the entirely desktop computer anymore.

Can I still use this ancient software? If so, how much longer?

Just adding basic token by POST parameter for securing the API. It is safe?

Let’s say I have an address for an API like this:

mywebsite.com/api/mydata 

If accessed, a JSON will appear like this:

[   {     "id":"1",     "name":"John"   },   {     "id":"2",     "name":"Smith"   } ] 

The result defaults will be displaying the entire data if a post has no parameters. If you use post "ID" and the ID parameter value is one of the existing data in the API, it will only display objects from the data selected based on the ID. The API can be accessed by anyone. API needs to be accessed using token parameters to secure the data.

Let’s say I add a token parameter to be able to access data like this:

yourtoken="yourtoken"  if (post_param[token]==yourtoken) {   // Displaying JSON } 

so if you want to open the API, you need to add a token parameter.

Is simple security like this worth using? what vulnerabilities will arise if I use this? is there a better way than this?

Establishing safe connection in Java

In my Java project I’m trying to create a 100% secure method of communication between the method and the client. I used to use this process:

Client: generates 4096-bit RSA keypair Client: sends public to server Client: generates 256-bit AES key Client: encrypts AES key using RSA and send Server: decrypts AES key from RSA Server & Client now communicate using AES only 

But I found out this isn’t safe as it can easily be ruined by a man-in-the-middle attack. I began researching TLS and found out about security certificates. My question is this: if the client generates the RSA keypair, signs it using the certificate, and sends it to the server, what stops a MITM from doing the same thing (assuming the certificate is publicly available, which I assume it would be because the server and the client would both need it).

When I use OpenSSL to generate a certificate it always provides an RSA key alongside it. Isn’t it safer to generate a new keypair for each connection, or do I actually use this particular key? What am I missing about the standard pattern for TLS?

Android: How safe is PBKDF2 with a 4 digit pin?

Our Product Manager wants a 4 digit pin for login in our app, obviously for UX reasons, so user don’t have to remember their password each time when they login.

A refresh token can be retrieved from backend to obtain a session token, which have access to the API. On our app, we encrypt the refresh token with AES and PBKDF2. A random salt and IV are generated plus the 4 digit used as password for PBKDF2.

After the encryption, I store the salt, IV and the cipher text base64 encoded in private shared preference.

The encryption code looks like this:

const val CPR_TRANSFORMATION = "AES/CBC/PKCS7Padding" const val ALGORITHM_TYPE = "PBKDF2WithHmacSHA1" const val ITERATION_AMOUNT = 12000 const val KEY_SIZE = 256  private fun encrypt(passCode: String, data: ByteArray): Encrypted { //e.g.: passCode = "0000"     val salt = ByteArray(256)     SecureRandom().nextBytes(salt)      val iv = ByteArray(16)     SecureRandom().nextBytes(iv)      val cipher = Cipher.getInstance(CPR_TRANSFORMATION)     cipher.init(Cipher.ENCRYPT_MODE, getSecretKey(passCode, salt), IvParameterSpec(iv))     val raw = cipher.doFinal(data)     return Encrypted(salt.encodeBase64(), iv.encodeBase64(), raw.encodeBase64()) }  private fun getSecretKey(passCode: String, salt: ByteArray): Key {     val pbKeySpec = PBEKeySpec(passCode.toCharArray(), salt, ITERATION_AMOUNT, KEY_SIZE)     val keyBytes = SecretKeyFactory.getInstance(ALGORITHM_TYPE).generateSecret(pbKeySpec).encoded     return SecretKeySpec(keyBytes, KeyProperties.KEY_ALGORITHM_AES) } 

Now my question is: How secure is this implementation?

  • How could an attacker retrieve the refresh token from shared preference and decrypt it?
  • Is the symmetric key inside secure element?
  • How safe is this implementation against malware or root?
  • How easy can the key be brute forced? (except that user tries 10k times manually to insert the correct pin)

Shared Text Content – XSS Safe

I have a bulletin on my site that all valid users have access to (read and write). User input posted to this bulletin is stored in JSON. Because of these qualities there is definitely some concern for XSS. Im hoping to figure out the best way to protect my app and its users when using this feature.

Some thoughts:

Validation – because this is a bulletin/message board I would prefer to allow users access to any character they can type. One user might need to say Boss says "Specials for ages < 12 & > 65 are as follows...". Because of my requirements, validation does not seem possible.

Sansitization – this has the same issues as validation, we would lose functionality.

Encoding – Im fairly new to this and do not know how one might encode user input to make it safe within the DOM (or JSON). If this is the preferred route I am interested in links to documentation or examples.

More Context:

I am adding to the content by doing something similar to the following; where obj is the full entry and message is the user supplied input.

var body = $  ('<p>').text(obj.message); 

Because I am only adding user input in the text context does that mean I can avoid concern?

Lastly, I am newer to using JSON to store user supplied info. I have not been able to find much on JSON security but if you have any topics related to the above, I would appreciate links to documentation.