Need suggestions for software development

bane_rising · 2025-06-12 07:58:48

Hello,

Hope you are doing well. I'd like to get your opinion on a new software that I will be developing soon. Its used for managing encryption, similar to true crypt. It'll stick to standard protocols and libraries such as openssl, have support for luks encrypted drives, with custom formats that can withstand different types of attacks such as hidden layered encryption, data leaks etc. with memory encryption capabilities as well and extensive hashing of all files by default.

For this tool, would be ideal to use a gui or a web frontend as an option, besides commandline?

Gui libraries seem to be plagued with binary backdoors which is definitely difficult to deal with. Web frontend just requires access to a browser. I'm also a bit confused whether to use python or c, but planning to use Python at this time as from my perspective, there's not a big of a difference when reading / writing to files, it uses the same mechanisms underneath all the abstractions. If there's any other suggestions, feel free to let me know.

We need such tools to protect our intellectual property, there's a lot of flaws with current software, as the authors in charge maybe secretly working with the data leechers lol. Let's say you store the data in the cloud, some group of people can suddenly decrypt everything with unknown vulnerabilities and we can do nothing about that. Also the default options out there doesn't have good mitigation strategies to detect change of the data as hashing algorithms also have flaws, aka hash collision based attacks.

Would be nice if you can give me some positive feedback on this.

Last edited by bane_rising (2025-06-12 07:59:52)

256 · 2025-06-12 10:05:43

bane_rising wrote:

custom formats that can withstand different types of attacks such as hidden layered encryption, data leaks etc.

Good luck.

bane_rising wrote:

For this tool, would be ideal to use a gui or a web frontend as an option, besides commandline?
Gui libraries seem to be plagued with binary backdoors which is definitely difficult to deal with. Web frontend just requires access to a browser.

... And how is the web browser implemented? Also, I've never heard about GUI libraries being vulnerable before; what would the attack surface be? What gives you the impression that they "seem to be plagued with binary backdoors"?

bane_rising wrote:

We need such tools to protect our intellectual property, there's a lot of flaws with current software, as the authors in charge maybe secretly working with the data leechers lol.

How do we know you aren't?

Also, whilst I have no expertise in cryptography, what little I know tells me that you need to really know what you're doing to avoid vulnerabilities. The kind of person who doesn't know what intellectual property means, and can't choose between C and Python, is probably not knowledgeable or experienced enough to get it right. (For what it's worth, serious cryptography software involves a low-level understanding of what the program is doing, to e.g. avoid timing attacks and leaving keys in memory; I think this is much easier in C than Python.) At least you're not implementing the encryption part yourself (but then, what if the OpenSSL devs are secretly evil?). Even then, I'm sure there are potential pitfalls.

cryptearth · 2025-06-12 10:17:05

Have a look at https://www.usenix.org/legacy/events/us … avis_html/
already in 2001 the author explain how broken encryption of data at rest is - and nothin has really changed in the past 25 years
so let me ask: if it's broken for at least a quarter of a century why do you think either you or anyone else here will be able to solve it in a forum thrwad? let alone using python?
two possible solutions are touched in the linked paper - anyone can try thier best but I doubt anyone will succeed - and if so be clever and make a fortune out of it
there's a saying in crypto: don't roll your own! I doubt you will succeed and that whatever you end up with will be secure - many have tried seceral proposed solutions and most have failed - that's no topic for single hobbyist dev

seth · 2025-06-12 13:22:35

The UI isn't dictated by the tool or the task but the userbase, developing your own secret security solution is suicidal, invoking a socket (for the webbrowser) solution will hardly lower the attack vectors what is also what you'd define first.
What kind of attack do you expect and how to exploits in the GUI code impact those.

Also "I want to hear your opinion on something lofty that I intend to develop soon, here are some dumb principle ideas" smells like flamebait.

bane_rising · 2025-06-13 07:45:10

Gui is used by default for lot of security related software such as veracrypt, bit locker etc so it goes to show that the security folks don't like the idea of web frontends as they cannot guarantee security in the browser. If we can control the security aspects involved with gui toolkits then it might be worth the endeavour. Validating what the code does, and that it's the same code the original authors have created, is hard due to man in the middle style attacks over the network, where anyone can host similar looking code base and no one would know.

This is the main reason I intend to make the software purely commandline only first, and later upgrade to either gui or a web frontend. I prefer web frontends these days as development rate is faster, also you can do a lot of things which is not possible with traditional gui. If I go that route, I might audit and fork a minimal open source browser, and that could be used as part of the web frontend. This might provide some security guarantees, but it's too much work so I might just stick to getting a stable commandline version first.

Without writing custom code, we are at the mercy of data leechers or who else happens to control the network at the time, which is definitely not a good thing. I'm tired of seeing people who have no experience trying to discourage me from pursuing such a project, can you guys post 1 project that you created, that is close to 10,000 lines of code or more? People who write code frequently tend to inspire others, never got such a vibe from this forum.

Edit:

I'm not claiming that I'll be creating a new encryption algorithm, we already have plenty of libraries.

Last edited by bane_rising (2025-06-13 10:17:03)

seth · 2025-06-13 08:07:35

With custom code you're at the mercy of your brain.
Do yourself a favor, check how many NIH security solutions have failed spectacularly.
Then check what kind of peer-review/challenges go into designing encryption standards.
And then there're still bugs in the implementation.

There're two fundamental problems with your post:
1. it's underspecified. You want to develop "something security in python" but don't detail whether you just want to link together some common tools/libraries in a script chain for a specific task or come up with your own realization that "security by NIH was a really stupid idea"
2. You focus on an isolated detail - in broad generic terms. Security begins with a situation analysis. What do you want to protect. Against whom? What are the acceptable trade-offs, ie. if there's exploitable code executed, can the concerned attacker actually leverage that? Can you subject the target userbase to a properly hardened system? Will they cause more damage if they cannot operate the system by clicking three buttons?

unfortunately it's hard to find those types of support in these kinds of forums.

Then wtf ask here? Go ahead, do whatever you want - nobody here will stop or *wants* to discourage you.
You asked and got the response that you don't even have your mind in the proper spot and this is most likely going to be a disaster.

Again: smells like flamebait.

goes to show that the security folks don't like the idea of web frontends as they cannot guarantee security in the browser. If we can control the security aspects involved with gui toolkits, as in we know exactly what the code does, can have strong assurance that it's the same code the original authors have created, which is obviously hard due to man in the middle style attacks over the network, where anyone can host similar looking code base and no one would know

or are just drunken…

cryptearth · 2025-06-13 14:20:25

bane_rising wrote:

you can do a lot of things which is not possible with traditional gui

is that so? to turn your "point to 10k lines of code" around: can you name ONE thing that is ONLY possible in a browser but NOT in a "traditional" gui? I can't think of any - rather the other way around: what I can't do with a browser limited to HTML, CSS and JavaScript that can be done simple in like Java
as for 10k lines of code: I leared programming in my youth - I'm now mid-30s - so I have experience of about 20 years in which I wrote way more than just 10k - and yes, even in a single project

to me this belongs to TGN ... just your "I'd fork a minmal browser cause I don't trust any big one" shows you have no idea what you talk about
do you REALLY have the skill and knowledge (and time) to read through even the most basic browser with a DOM parser and render engine let alone one with support for css and an entire javascript engine to make those fancy UI even possible? I highly doubt that
to me that's the level of that sick dude using LinuxFromScratch "because (he) doesn't trust anything (he) has not compiled (himself) on (his) own machine" - that's just stupid and denial of reality

we WANT you to fail? nah - don't have to - you already make a fool of yourself - we don't even have to kick you to the ground as you already lay flat

whatever it might be you end up with - best of luck - but I predict now already it's gonna fail and backfire even way more than if you would just use existing stuff and just live with it

btw: your mention of both bitlocker and veracrypt is just hilarious: both got broken multiple times and if I recall correctly for the last version of truecrypt its dev published "it's not safe" and the verycrypt-fork was later found to include backdoors
bitlocker? well - aside from it only protects against "when someone gets physical access to the drive" - when you at the stage of an attacker has physical access you're in way more serious trouble - so its pointless at best

256 · 2025-06-13 16:02:08

It's easy to just call people pessimistic and get hostile when they tell you your dreams are unrealistic, but, and this is genuine advice, you'd be well-served to listen to the people in this thread. We're warning you not to waste time on a project that you simply aren't skilled enough for yet. And I'm not trying to "discourage [you] from pursuing such a project", I'm telling you that you need more experience and understanding of the subject first.

Your understanding of security is naïve and seems to be based on whatever random exploits you happen to have personally heard about. You can't just audit an entire browser by yourself like it's nothing, and if we're auditing code, why not just audit code that encrypts files and not bother with writing your own at all?

cryptearth wrote:

it only protects against "when someone gets physical access to the drive" - when you at the stage of an attacker has physical access you're in way more serious trouble - so its pointless at best

Are you saying data-at-rest encryption is pointless? I wouldn't go that far. It's hard to judge whether it makes sense for bane_rising, though, since they didn't specify their threat model.

cryptearth · 2025-06-14 01:26:21

@256
my point about bitlocker specifically is that it's main protection is against someone gets physical hold of a drive, ripping it out of its regular environment and try to access it via a different system
booting a bitlocker drive within its usual environment just boots up fine - and there are attack vectors to attack a drive unlocked by its usual environment

as an example: I once worked for an employer using bitlocker to secure the system
regular booting it just unlocked and booted the system - and with a special usb thumbdrive to hijack the winlogon it was possible to login into a local admin accoubt and extract the entire drive
ok, this was bsck in Win7 - but I won't be surprised if someone has an exploit working for current win10/11 even with TPM2

so, tldr: bitlocker only helps against either an attacker removing the drive from the system or able to hijack the boot on the target system - both fall into the vector of "if an attacker has physical access to the machine"

a real life attack vector: once a non-employee gained access all the way into our office - and if he had such a malicious thumbdrive able to break the security (which somewhat like crowdstrike loaded as driver during boot) he could had accessed not just the files local on the systems harddrive but due to an active AD session to the entire AD server - hijacking AD to gain domain wide admin is trivial

would had bitlocker been able to prevent such an attack?
no - just because every usb thumbdrive with a legirimate verifiied shim loader is able to defeat secureboot - and even if an MOK manager starts up - who or what woukd prevent an attacker to just select "enroll key/hash" when they already sitting in front of the target machine? booting something like kali to sniff the network and break the weak NTLM hashes broadcasted through the ndtwork would only be limited by the hardware of said system - and we have some quite powerfull workstations with multiple GPUs in them - abusing such system to bruteforce NTLM hashes is quite a trivial task - espicially if your able to inject a RAT on a system not used for weeks due to assigned employee usually wirks from home?
bitlocker ain't doin crap against such an attack - hence for me given such an attack being viable just by some random getting physical access to a macine or the entire network

there's a video on YT where pen-testers get access to an entire facility just by bypassing the door lock with a coathanger over the weekend - bitlocker doesn't stand a chance against such attacks

unless it would be able to prevent such physical attacks bitlocker to me is as useful as hanging a key next to the lock it unlocks

feel free to enlighten me on how bitlocker would be able to protect against such an attack - but unless setting up an employee to enter a recovery code to unlock a drive on boot it's completely useless

on linux using luks you require to enter a passphrase to unlock the drive on boot - sure this might also be able to be broken - but a luks encrypted drive won't boot unless a passphrase is entered - which to me is the key difference to bitlocker: bitlocker only protrects against specific changes to the boot environment but unlocks anyway if nothin out of the ordinaty is detect - something like luks is not valuabke against such an attack as it requires a passphrase in the first place

seth · 2025-06-14 05:56:43

Money quote:

unless setting up an employee to enter a recovery code to unlock a drive […] it's completely useless

tl;dr, DARE is fine as long as you maintain complete control over the open vault and the key - what allows me to remind everyone of

regular booting it just unlocked and booted the system

because of the triangle "simple-cheap-secure", that's usually a scenario for a yubikey or smartcard, but apparently

non-employee gained access all the way into our office

that facility has not yet discovered or the resources for the "DOOR" technology +
It however does touch again on the to GUI or not to GUI question

seth wrote:

The UI isn't dictated by the tool or the task but the userbase

Last edited by seth (2025-06-14 05:56:55)

bane_rising · 2025-06-14 13:37:01

Thanks for the many responses. A lot of the comments is not that relevant, especially bit locker and stuff which is windows software.

Think about the question for a few minutes and let me know if there's any new features I can add, or something to be aware of when developing software, that would make things better.

As I've said before, I might release some of the developed technologies after phd research.

Its a bit strange, I was looking through cryptsetup, the default Linux encryption tool and to my surprise couldn't find a single code related to actual encryption.

If you know where it is, feel free to comment below.

Last edited by bane_rising (2025-06-14 13:37:16)

seth · 2025-06-14 14:03:59

Its a bit strange, I was looking through cryptsetup, the default Linux encryption tool and to my surprise couldn't find a single code related to actual encryption.

Maybe read its documentation first. Notably on top of what it operates…

I might release some of the developed technologies after phd research.

We need such tools to protect our intellectual property, there's a lot of flaws with current software

So is it business or academic? You gotta keep your story straight.

Maybe research https://wiki.archlinux.org/title/Data-a … encryption

/bye

Trilby · 2025-06-14 15:02:50

bane_rising wrote:

Its a bit strange, I was looking through cryptsetup, the default Linux encryption tool and to my surprise couldn't find a single code related to actual encryption.

Of course not. It's not like there'd be a function called "do_encryption_magic_here()" in there. No, the encryption logic is itself encrypted. It all results from side-effects from non-pure functions with innocuous names that don't seem to do anything relevant - like the author's own re-implementation of a *printf function. Some of the encryption logic is also tucked into hidden side-effects of machine-specific assembly commands. That's how smart - and how devious - one has to be to write cryptographic code!

This is, of course, satire. Though I suspect that it may not be obvious to all readers.

Last edited by Trilby (2025-06-14 15:03:13)

dimich · 2025-06-14 17:08:27

bane_rising wrote:

Its a bit strange, I was looking through cryptsetup, the default Linux encryption tool and to my surprise couldn't find a single code related to actual encryption.

Likely it is somewhere here and here.

cryptearth · 2025-06-14 19:24:07

seth wrote:

non-employee gained access all the way into our office
that facility has not yet discovered or the resources for the "DOOR" technology

it was actual quite more trivial: someone was careless and held the door open for that unknown person - it was pretty much the exact scene from gtaV where you have to sneak into that one office rather early in the games story
pretty much each door is secured by rfid badge reader and only have handles on the inside to get out (except for restrooms)
even our elevators are secured this way as they grant access right into areas you have to badge in when taking the stairs
getting to my desk I have to use my card at least 4 times - so having a non-employee in my room means that at least 4 times this person was led in into secured areas - and at least at the very last door someone should have noticed "I've never seen this person in here before"
sure, I don't know every person working for my company - which are over 6.500+ total - but I know the 30-ish people within my department so I know who I can take in with me or when to be careful and ask a supervisor

seth · 2025-06-14 19:53:34

someone was careless and held the door open for that unknown person

EBDAW - error between door and wall

sure, I don't know every person working for my company

You don't have to. You just need to know who you know, nobody else gets free entrance (and even that might be too lenient, because maybe you do not actually know the person or you knew them yesterday - before they got fired…)

at least 4 times this person was led in into secured areas

Grab a set of heavy boxes and look awkward everytime somebody shows up - eventually you'll get someone who's too kind to be smart. I cannot even chastise those friendly souls if there's not a clearly stated company rule to not do that. Ever.

bane_rising · 2025-06-15 17:35:25

Hello guys, try to stay on topic if possible. I understand a lot of us here may not be programmers and that is ok. If you'd like to learn programming, you can start with python. There's a lot of resources out there on the internet.

Open source software gave us a lot of freedom, which is why we have a nice forum like this. Imagine if that freedom suddenly disappears, imagine a world where there's no Linux, there's no dev jobs, ... certainly the world wouldn't be such a good place. I'm grateful that we have what we have today, and I hope that things will take a positive turn in the future, with plenty of tech jobs for everyone.

Edit:
Put some resources here, unfortunately had to remove link due to copyright violations.

Last edited by bane_rising (2025-06-17 04:54:59)

Trilby · 2025-06-15 19:57:51

Huh? I was expecting that to be code - but it's just articles and books. At least one of those books is not licensed for such sharing.

seth · 2025-06-19 13:36:27

@Trilby

I might release some of the developed technologies after phd research.

I understand a lot of us here may not be programmers

Also cryptsetup is written in https://en.wikipedia.org/wiki/Whitespac … _language)

@bane_rising

f you'd like to learn programming, you can start with python.

planning to use Python at this time as from my perspective, there's not a big of a difference

Leaving aside that I personally disdain python because it actually implements the forementioned Whitespace logics and you're permanently one tab-sa-daisy away from a disaster:
Have you considered whether runtime loading of code and the ability to steer python into unprivileged paths might pose a problem for your OVERALL SECURITY CONCEPT?

Seriously, if there wasn't a fistful of OSS solutions in the repos, generating a filesystem image, AES en-/decrypting it (with or without key) and mounting that on demand is a couple of lines in bash (and there easily not subject to $PATH pollutions) and will, as such, secure the data at rest against anyone w/o key/password.
But that does NOT "make it secure", because that's not some state, but a concept.
I hope some of your books cover that…

Trilby · 2025-06-19 18:49:02

@seth RE: "I understand a lot of us here may not be programmers"

That's part of why I'm baffled. Someone who seems to acknowledge that they are not a programmer and have none of the relevant background or experience is asking for advice on how to make their own encryption software. How can that result in productive discussion?

seth · 2025-06-19 21:23:07

Well, you have to start somewhere, right

How can that result in productive discussion?

It doesn't.
The thread prepared for TGNtertainment starting at "… with custom formats"

seth, #4 wrote:

"I want to hear your opinion on something lofty that I intend to develop soon, here are some dumb principle ideas" smells like flamebait.

cryptearth · 2025-06-20 02:34:04

bane_rising wrote:

Hello guys, try to stay on topic if possible.

uhm, excuse me, please?
don't hold us hostage for what you de-railed yourself already about halfway the initial post of this topic
you come here with a picture of fluffy cloud like sheep in your mind and now get confused by us showing you the reality of a wolf ripping that apart
not that you seem to lack the required basics of what you asked about but you also can't keep your own story straight and now accuse US to not be qualified to answer your stupid question?

*popcorn emoji

I can't tell where you got lost on the way from Berlin to London - but you stuck circling around the triumph arc in Paris by keep turning left

Last edited by cryptearth (2025-06-20 02:34:39)

Arch Linux

#1 2025-06-12 07:58:48

Need suggestions for software development

#2 2025-06-12 10:05:43

Re: Need suggestions for software development

#3 2025-06-12 10:17:05

Re: Need suggestions for software development

#4 2025-06-12 13:22:35

Re: Need suggestions for software development

#5 2025-06-13 07:45:10

Re: Need suggestions for software development

#6 2025-06-13 08:07:35

Re: Need suggestions for software development

#7 2025-06-13 14:20:25

Re: Need suggestions for software development

#8 2025-06-13 16:02:08

Re: Need suggestions for software development

#9 2025-06-14 01:26:21

Re: Need suggestions for software development

#10 2025-06-14 05:56:43

Re: Need suggestions for software development

#11 2025-06-14 13:37:01

Re: Need suggestions for software development

#12 2025-06-14 14:03:59

Re: Need suggestions for software development

#13 2025-06-14 15:02:50

Re: Need suggestions for software development

#14 2025-06-14 17:08:27

Re: Need suggestions for software development

#15 2025-06-14 19:24:07

Re: Need suggestions for software development

#16 2025-06-14 19:53:34

Re: Need suggestions for software development

#17 2025-06-15 17:35:25

Re: Need suggestions for software development

#18 2025-06-15 19:57:51

Re: Need suggestions for software development

#19 2025-06-19 13:36:27

Re: Need suggestions for software development

#20 2025-06-19 18:49:02

Re: Need suggestions for software development

#21 2025-06-19 21:23:07

Re: Need suggestions for software development

#22 2025-06-20 02:34:04

Re: Need suggestions for software development

Board footer