SlideShare a Scribd company logo

Laverna vs etherpad

Download as PPTX, PDF
A
antitree

Brief analysis of Laverna, the javascript crypt it uses, and how well it defends against attack.

Technology
1 of 24
Laverna A tangential explanation of Laverna
You are Here Laverna Markdown Crypto Pbkdf2 Unnecesssary Visualization PBKDF2 For Blue Synchronization RemoteStorage.io Markdown.md Installation Conclusions Remotestorage.0wn .su
What are these words • Laverna and Etherpad are note taking services • I won’t talk about Etherpad because • Self-hosted alternatives to cloud apps like Evernote • Security and encryption are the focus here
Laverna • Node.js based local web page • HTML + JavaScript = no server required • Information is stored in the client you’re using • Encryptomagic • Remote storage options: • RemoteStorage.io (self-hosted) • Dropbox • Installation: • git clone git@github.com/laverna-static • Done
Markdown
Why? • Easy to convert into: • HTML • LaTeX • PDF • RTF… • Who supports MD? • Github (GFM) • Notepad++ • SublimeText • Everything on the Internet
Live Demo! MarkDown!!!! http://dillinger.io/
Encryption • All encryption happens client side (there is no server) • PBKDF2 • Manually entered salt (random) • Manually entered password • Can adjust iterations (1000 default) • AES 128 or 256 • Generated ciphers are stored in the browser local storage
Crypto/Sync JSON • {"id":"0cc9da4f-a47f-c9fd-e1ba- 55cb0ddb14e7", • "title":"{ • "iv":"uSrC4YzSxgvjueOBn+kb3A==",“ • v":1,“ • iter":"1000",“ • ks":128,“ • ts":64,“ • mode":"ccm","adata":"",“ • cipher":"aes",“ • salt":"ZwuH03ajWY0=",“ • ct":"WvpHRh50YbhdGeWFORR5b1xUui Rb • UID of the app • This is the title of my note • This is the IV for the note • Supports versioning of your note • PDKDF2 iterations • Key size is 128 • Something else size is 64 • Mode is CCM stream cipher • AES • Salt that you set • The cipher text of the title itself
• DK = Derived Key • PRF = HMAC - pseudorandom function like HMAC-SHA256 • c = Salt DK = PBKDF2(PRF, P, Salt, c, dkLen)
DK = PBKDF2(PRF, P, Salt, c, dkLen) Password Salt HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA Derived Key
What this defends against “monkey” Salt HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA Different Derived key
JustBlue Takeaway * This is from the Internet. Based on font, this is probably way off now
Laverna Crypto • PBKDF2 • Server never knows your key • Server never knows your keys • Fuck the cloud • Client side Crypto
Javascript Based Crypto • Not a big deal - it’ll be fine, what could go wrong • Relying on client side crypto with a server authenticator • Relying on client side crypto to protect client side information Well Actually
Back to Laverna
Syncing • Supports Dropbox
Syncing • Support RemoteStorage.io • Self-hosted remote storage similar to dropbox
Laverna Installation • Clone repository: git clone git@github.com:Laverna/laverna.git • Switch to stable version git checkout 0.5.0 • Install dependencies: npm install && bower install • Build minified version: grunt build • Build Dependencies: node.js, bower, grunt.
Operating Environment • Can host on any web server because crypto is on the client • Does not require PHP or programming environment • If remotely hosted, should be done over HTTPS • Github provides easy hosting over https for free • Can also run on your own computer
Wait have I done a demo yet? https://laverna.cc/index.html#notes
Here’s a diagram of something Laverna Etherpad Evernote License GPL GPL No Storage RemoteStorage, Dropbox None Sync with evernote Encryption PBKDF2 (AES) None (SSL with plugin) SSL + magic? Software JavaScript: Node.js, bower, grunt JavaScript Collaboration Not Realtime Yes Supports sharing Subfolders Infinite None Only 1 subfolder allowed Stored Format Json Export supports PDF, Word, and many other formats
Conclusion • Fuck the cloud • Use laverna • Use markdown • Use PBKDF2 • Use RemoteStorage.io (remotestorage.0wn.su?)
Laverna vs etherpad

Recommended

Reinventing anon email
Reinventing anon emailReinventing anon email
Reinventing anon emailantitree
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
Introduction to ethereum_public
Introduction to ethereum_publicIntroduction to ethereum_public
Introduction to ethereum_publicantitree
 
Building Python Development Station
Building Python Development StationBuilding Python Development Station
Building Python Development StationBasim Aly (JNCIP-SP, JNCIP-ENT)
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014Leonardo Nve Egea
 
Using ansible vault to protect your secrets
Using ansible vault to protect your secretsUsing ansible vault to protect your secrets
Using ansible vault to protect your secretsExcella
 
The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...
The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...
The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...Docker, Inc.
 
Vert.x for Microservices Architecture
Vert.x for Microservices ArchitectureVert.x for Microservices Architecture
Vert.x for Microservices ArchitectureIdan Fridman
 

Recommended

Reinventing anon email
Reinventing anon emailReinventing anon email
Reinventing anon emailantitree
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
Introduction to ethereum_public
Introduction to ethereum_publicIntroduction to ethereum_public
Introduction to ethereum_publicantitree
 
Building Python Development Station
Building Python Development StationBuilding Python Development Station
Building Python Development StationBasim Aly (JNCIP-SP, JNCIP-ENT)
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014Leonardo Nve Egea
 
Using ansible vault to protect your secrets
Using ansible vault to protect your secretsUsing ansible vault to protect your secrets
Using ansible vault to protect your secretsExcella
 
The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...
The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...
The Good, the Bad and the Ugly of Networking for Microservices by Mathew Lodg...Docker, Inc.
 
Vert.x for Microservices Architecture
Vert.x for Microservices ArchitectureVert.x for Microservices Architecture
Vert.x for Microservices ArchitectureIdan Fridman
 
An Introduction to Twisted
An Introduction to TwistedAn Introduction to Twisted
An Introduction to Twistedsdsern
 
Building real time applications with Symfony2
Building real time applications with Symfony2Building real time applications with Symfony2
Building real time applications with Symfony2Antonio Peric-Mazar
 
Introduction to OpenStack Cinder
Introduction to OpenStack CinderIntroduction to OpenStack Cinder
Introduction to OpenStack CinderSean McGinnis
 
Node.js
Node.jsNode.js
Node.jshotrannam
 
Neutron behind the scenes
Neutron behind the scenesNeutron behind the scenes
Neutron behind the scenesinbroker
 
Sysdig - Introducing a new definition of Monitoring
Sysdig - Introducing a new definition of MonitoringSysdig - Introducing a new definition of Monitoring
Sysdig - Introducing a new definition of MonitoringRamit Surana
 
Node.js 101 with Rami Sayar
Node.js 101 with Rami SayarNode.js 101 with Rami Sayar
Node.js 101 with Rami SayarFITC
 
Penetration Testing Resource Guide
Penetration Testing Resource Guide Penetration Testing Resource Guide
Penetration Testing Resource Guide Bishop Fox
 
Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Teri Radichel
 
NATS: Simple, Secure and Scalable Messaging For the Cloud Native Era
NATS: Simple, Secure and Scalable Messaging For the Cloud Native EraNATS: Simple, Secure and Scalable Messaging For the Cloud Native Era
NATS: Simple, Secure and Scalable Messaging For the Cloud Native Erawallyqs
 
How to Build Your First Web App in Go
How to Build Your First Web App in GoHow to Build Your First Web App in Go
How to Build Your First Web App in GoAll Things Open
 
Neutron VEB Plugin
Neutron VEB PluginNeutron VEB Plugin
Neutron VEB PluginBIM
 
AstriCon 2017 - Docker Swarm & Asterisk
AstriCon 2017 - Docker Swarm & AsteriskAstriCon 2017 - Docker Swarm & Asterisk
AstriCon 2017 - Docker Swarm & AsteriskEvan McGee
 
London Hug 20/6 - Vault production
London Hug 20/6 - Vault productionLondon Hug 20/6 - Vault production
London Hug 20/6 - Vault productionLondon HashiCorp User Group
 
Vault
VaultVault
Vaultdawnlua
 
Nous Sommes Cyber - HTB Blue
Nous Sommes Cyber - HTB BlueNous Sommes Cyber - HTB Blue
Nous Sommes Cyber - HTB BlueDianaWhitney4
 
BSides Ottawa 2019 - HTB Blue
BSides Ottawa 2019 - HTB BlueBSides Ottawa 2019 - HTB Blue
BSides Ottawa 2019 - HTB BlueDianaWhitney4
 
London HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HashiCorp User Group
 
Bridges and Tunnels a Drive Through OpenStack Networking
Bridges and Tunnels a Drive Through OpenStack NetworkingBridges and Tunnels a Drive Through OpenStack Networking
Bridges and Tunnels a Drive Through OpenStack Networkingmarkmcclain
 
Orchestrating Least Privilege by Diogo Monica
Orchestrating Least Privilege by Diogo Monica Orchestrating Least Privilege by Diogo Monica
Orchestrating Least Privilege by Diogo Monica Docker, Inc.
 
Rtlsdr presentation by alex 1/3/2014
Rtlsdr presentation by alex 1/3/2014Rtlsdr presentation by alex 1/3/2014
Rtlsdr presentation by alex 1/3/2014Db Cooper
 
Just Mouse Jack Init
Just Mouse Jack InitJust Mouse Jack Init
Just Mouse Jack Initantitree
 

More Related Content

What's hot

An Introduction to Twisted
An Introduction to TwistedAn Introduction to Twisted
An Introduction to Twistedsdsern
 
Building real time applications with Symfony2
Building real time applications with Symfony2Building real time applications with Symfony2
Building real time applications with Symfony2Antonio Peric-Mazar
 
Introduction to OpenStack Cinder
Introduction to OpenStack CinderIntroduction to OpenStack Cinder
Introduction to OpenStack CinderSean McGinnis
 
Neutron behind the scenes
Neutron behind the scenesNeutron behind the scenes
Neutron behind the scenesinbroker
 
Sysdig - Introducing a new definition of Monitoring
Sysdig - Introducing a new definition of MonitoringSysdig - Introducing a new definition of Monitoring
Sysdig - Introducing a new definition of MonitoringRamit Surana
 
Node.js 101 with Rami Sayar
Node.js 101 with Rami SayarNode.js 101 with Rami Sayar
Node.js 101 with Rami SayarFITC
 
Penetration Testing Resource Guide
Penetration Testing Resource Guide Penetration Testing Resource Guide
Penetration Testing Resource Guide Bishop Fox
 
Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Teri Radichel
 
NATS: Simple, Secure and Scalable Messaging For the Cloud Native Era
NATS: Simple, Secure and Scalable Messaging For the Cloud Native EraNATS: Simple, Secure and Scalable Messaging For the Cloud Native Era
NATS: Simple, Secure and Scalable Messaging For the Cloud Native Erawallyqs
 
How to Build Your First Web App in Go
How to Build Your First Web App in GoHow to Build Your First Web App in Go
How to Build Your First Web App in GoAll Things Open
 
Neutron VEB Plugin
Neutron VEB PluginNeutron VEB Plugin
Neutron VEB PluginBIM
 
AstriCon 2017 - Docker Swarm & Asterisk
AstriCon 2017 - Docker Swarm & AsteriskAstriCon 2017 - Docker Swarm & Asterisk
AstriCon 2017 - Docker Swarm & AsteriskEvan McGee
 
Nous Sommes Cyber - HTB Blue
Nous Sommes Cyber - HTB BlueNous Sommes Cyber - HTB Blue
Nous Sommes Cyber - HTB BlueDianaWhitney4
 
BSides Ottawa 2019 - HTB Blue
BSides Ottawa 2019 - HTB BlueBSides Ottawa 2019 - HTB Blue
BSides Ottawa 2019 - HTB BlueDianaWhitney4
 
Bridges and Tunnels a Drive Through OpenStack Networking
Bridges and Tunnels a Drive Through OpenStack NetworkingBridges and Tunnels a Drive Through OpenStack Networking
Bridges and Tunnels a Drive Through OpenStack Networkingmarkmcclain
 
Orchestrating Least Privilege by Diogo Monica
Orchestrating Least Privilege by Diogo Monica Orchestrating Least Privilege by Diogo Monica
Orchestrating Least Privilege by Diogo Monica Docker, Inc.
 

What's hot (20)

An Introduction to Twisted
An Introduction to TwistedAn Introduction to Twisted
An Introduction to Twisted
 
Building real time applications with Symfony2
Building real time applications with Symfony2Building real time applications with Symfony2
Building real time applications with Symfony2
 
Introduction to OpenStack Cinder
Introduction to OpenStack CinderIntroduction to OpenStack Cinder
Introduction to OpenStack Cinder
 
Node.js
Node.jsNode.js
Node.js
 
Neutron behind the scenes
Neutron behind the scenesNeutron behind the scenes
Neutron behind the scenes
 
Sysdig - Introducing a new definition of Monitoring
Sysdig - Introducing a new definition of MonitoringSysdig - Introducing a new definition of Monitoring
Sysdig - Introducing a new definition of Monitoring
 
Node.js 101 with Rami Sayar
Node.js 101 with Rami SayarNode.js 101 with Rami Sayar
Node.js 101 with Rami Sayar
 
Penetration Testing Resource Guide
Penetration Testing Resource Guide Penetration Testing Resource Guide
Penetration Testing Resource Guide
 
Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018
 
NATS: Simple, Secure and Scalable Messaging For the Cloud Native Era
NATS: Simple, Secure and Scalable Messaging For the Cloud Native EraNATS: Simple, Secure and Scalable Messaging For the Cloud Native Era
NATS: Simple, Secure and Scalable Messaging For the Cloud Native Era
 
How to Build Your First Web App in Go
How to Build Your First Web App in GoHow to Build Your First Web App in Go
How to Build Your First Web App in Go
 
Neutron VEB Plugin
Neutron VEB PluginNeutron VEB Plugin
Neutron VEB Plugin
 
AstriCon 2017 - Docker Swarm & Asterisk
AstriCon 2017 - Docker Swarm & AsteriskAstriCon 2017 - Docker Swarm & Asterisk
AstriCon 2017 - Docker Swarm & Asterisk
 
London Hug 20/6 - Vault production
London Hug 20/6 - Vault productionLondon Hug 20/6 - Vault production
London Hug 20/6 - Vault production
 
Vault
VaultVault
Vault
 
Nous Sommes Cyber - HTB Blue
Nous Sommes Cyber - HTB BlueNous Sommes Cyber - HTB Blue
Nous Sommes Cyber - HTB Blue
 
BSides Ottawa 2019 - HTB Blue
BSides Ottawa 2019 - HTB BlueBSides Ottawa 2019 - HTB Blue
BSides Ottawa 2019 - HTB Blue
 
London HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vault
 
Bridges and Tunnels a Drive Through OpenStack Networking
Bridges and Tunnels a Drive Through OpenStack NetworkingBridges and Tunnels a Drive Through OpenStack Networking
Bridges and Tunnels a Drive Through OpenStack Networking
 
Orchestrating Least Privilege by Diogo Monica
Orchestrating Least Privilege by Diogo Monica Orchestrating Least Privilege by Diogo Monica
Orchestrating Least Privilege by Diogo Monica
 

Viewers also liked

Rtlsdr presentation by alex 1/3/2014
Rtlsdr presentation by alex 1/3/2014Rtlsdr presentation by alex 1/3/2014
Rtlsdr presentation by alex 1/3/2014Db Cooper
 
Just Mouse Jack Init
Just Mouse Jack InitJust Mouse Jack Init
Just Mouse Jack Initantitree
 
Nsa and vpn
Nsa and vpnNsa and vpn
Nsa and vpnantitree
 
Salander v bond 2600
Salander v bond 2600Salander v bond 2600
Salander v bond 2600antitree
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuceDb Cooper
 
State of wifi_2016
State of wifi_2016State of wifi_2016
State of wifi_2016antitree
 
A brief history of teledildonics
A brief history of teledildonicsA brief history of teledildonics
A brief history of teledildonicsDb Cooper
 
How [not] to throw a b sides
How [not] to throw a b sidesHow [not] to throw a b sides
How [not] to throw a b sidesantitree
 
28c3 in 15
28c3 in 1528c3 in 15
28c3 in 15antitree
 
Image based automation
Image based automationImage based automation
Image based automationantitree
 
Meek and domain fronting public
Meek and domain fronting publicMeek and domain fronting public
Meek and domain fronting publicantitree
 
Android Hacking
Android HackingAndroid Hacking
Android Hackingantitree
 
26 Disruptive & Technology Trends 2016 - 2018
26 Disruptive & Technology Trends 2016 - 201826 Disruptive & Technology Trends 2016 - 2018
26 Disruptive & Technology Trends 2016 - 2018Brian Solis
 

Viewers also liked (14)

Rtlsdr presentation by alex 1/3/2014
Rtlsdr presentation by alex 1/3/2014Rtlsdr presentation by alex 1/3/2014
Rtlsdr presentation by alex 1/3/2014
 
Just Mouse Jack Init
Just Mouse Jack InitJust Mouse Jack Init
Just Mouse Jack Init
 
Nsa and vpn
Nsa and vpnNsa and vpn
Nsa and vpn
 
Salander v bond 2600
Salander v bond 2600Salander v bond 2600
Salander v bond 2600
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuce
 
State of wifi_2016
State of wifi_2016State of wifi_2016
State of wifi_2016
 
A brief history of teledildonics
A brief history of teledildonicsA brief history of teledildonics
A brief history of teledildonics
 
How [not] to throw a b sides
How [not] to throw a b sidesHow [not] to throw a b sides
How [not] to throw a b sides
 
28c3 in 15
28c3 in 1528c3 in 15
28c3 in 15
 
0x20 hack
0x20 hack0x20 hack
0x20 hack
 
Image based automation
Image based automationImage based automation
Image based automation
 
Meek and domain fronting public
Meek and domain fronting publicMeek and domain fronting public
Meek and domain fronting public
 
Android Hacking
Android HackingAndroid Hacking
Android Hacking
 
26 Disruptive & Technology Trends 2016 - 2018
26 Disruptive & Technology Trends 2016 - 201826 Disruptive & Technology Trends 2016 - 2018
26 Disruptive & Technology Trends 2016 - 2018
 

Similar to Laverna vs etherpad

第0回ワススタ!! #wasbookを読もう
第0回ワススタ!! #wasbookを読もう第0回ワススタ!! #wasbookを読もう
第0回ワススタ!! #wasbookを読もうTatsuya Tobioka
 
Apache Cookbook - TekX Chicago 2010
Apache Cookbook - TekX Chicago 2010Apache Cookbook - TekX Chicago 2010
Apache Cookbook - TekX Chicago 2010Rich Bowen
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
Kuby, ActiveDeployment for Rails Apps
Kuby, ActiveDeployment for Rails AppsKuby, ActiveDeployment for Rails Apps
Kuby, ActiveDeployment for Rails AppsCameron Dutro
 
Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011Rich Bowen
 
Aditya - Hacking Client Side Insecurities - ClubHack2008
Aditya - Hacking Client Side Insecurities - ClubHack2008Aditya - Hacking Client Side Insecurities - ClubHack2008
Aditya - Hacking Client Side Insecurities - ClubHack2008ClubHack
 
Adventures with Podman and Varlink
Adventures with Podman and VarlinkAdventures with Podman and Varlink
Adventures with Podman and VarlinkJeremy Brown
 
(STG205) Secure Content Delivery Using Amazon CloudFront
(STG205) Secure Content Delivery Using Amazon CloudFront(STG205) Secure Content Delivery Using Amazon CloudFront
(STG205) Secure Content Delivery Using Amazon CloudFrontAmazon Web Services
 
A Tale of 2 Systems
A Tale of 2 SystemsA Tale of 2 Systems
A Tale of 2 SystemsDavid Newman
 
Web Crypto
Web CryptoWeb Crypto
Web Cryptokarlvr
 
Deep dive into highly available open stack architecture openstack summit va...
Deep dive into highly available open stack architecture openstack summit va...Deep dive into highly available open stack architecture openstack summit va...
Deep dive into highly available open stack architecture openstack summit va...Arthur Berezin
 
AMF Flash and .NET
AMF Flash and .NETAMF Flash and .NET
AMF Flash and .NETYaniv Uriel
 
XMPP/Jingle(VoIP)/Perl Ocean 2012/03
XMPP/Jingle(VoIP)/Perl Ocean 2012/03XMPP/Jingle(VoIP)/Perl Ocean 2012/03
XMPP/Jingle(VoIP)/Perl Ocean 2012/03Lyo Kato
 
Silverlight vs HTML5 - Lessons learned from the real world...
Silverlight vs HTML5 - Lessons learned from the real world...Silverlight vs HTML5 - Lessons learned from the real world...
Silverlight vs HTML5 - Lessons learned from the real world...Peter Gfader
 
LyonJUG - Combo - Quick Cloud Foundry Intro + Cloud Best Practices
LyonJUG - Combo - Quick Cloud Foundry Intro + Cloud Best PracticesLyonJUG - Combo - Quick Cloud Foundry Intro + Cloud Best Practices
LyonJUG - Combo - Quick Cloud Foundry Intro + Cloud Best PracticesEric Bottard
 
Getting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at Scale
Getting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at ScaleGetting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at Scale
Getting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at ScaleBishop Fox
 
Making development environments not suck | #econfpsu #econfpsu16
Making development environments not suck | #econfpsu #econfpsu16Making development environments not suck | #econfpsu #econfpsu16
Making development environments not suck | #econfpsu #econfpsu16Tim Bracken
 

Similar to Laverna vs etherpad (20)

第0回ワススタ!! #wasbookを読もう
第0回ワススタ!! #wasbookを読もう第0回ワススタ!! #wasbookを読もう
第0回ワススタ!! #wasbookを読もう
 
Apache Cookbook - TekX Chicago 2010
Apache Cookbook - TekX Chicago 2010Apache Cookbook - TekX Chicago 2010
Apache Cookbook - TekX Chicago 2010
 
NullMQ @ PDX
NullMQ @ PDXNullMQ @ PDX
NullMQ @ PDX
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Kuby, ActiveDeployment for Rails Apps
Kuby, ActiveDeployment for Rails AppsKuby, ActiveDeployment for Rails Apps
Kuby, ActiveDeployment for Rails Apps
 
Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011
 
Aditya - Hacking Client Side Insecurities - ClubHack2008
Aditya - Hacking Client Side Insecurities - ClubHack2008Aditya - Hacking Client Side Insecurities - ClubHack2008
Aditya - Hacking Client Side Insecurities - ClubHack2008
 
Adventures with Podman and Varlink
Adventures with Podman and VarlinkAdventures with Podman and Varlink
Adventures with Podman and Varlink
 
(STG205) Secure Content Delivery Using Amazon CloudFront
(STG205) Secure Content Delivery Using Amazon CloudFront(STG205) Secure Content Delivery Using Amazon CloudFront
(STG205) Secure Content Delivery Using Amazon CloudFront
 
Top ten-list
Top ten-listTop ten-list
Top ten-list
 
A Tale of 2 Systems
A Tale of 2 SystemsA Tale of 2 Systems
A Tale of 2 Systems
 
Web Crypto
Web CryptoWeb Crypto
Web Crypto
 
Deep dive into highly available open stack architecture openstack summit va...
Deep dive into highly available open stack architecture openstack summit va...Deep dive into highly available open stack architecture openstack summit va...
Deep dive into highly available open stack architecture openstack summit va...
 
AMF Flash and .NET
AMF Flash and .NETAMF Flash and .NET
AMF Flash and .NET
 
Fluentd meetup
Fluentd meetupFluentd meetup
Fluentd meetup
 
XMPP/Jingle(VoIP)/Perl Ocean 2012/03
XMPP/Jingle(VoIP)/Perl Ocean 2012/03XMPP/Jingle(VoIP)/Perl Ocean 2012/03
XMPP/Jingle(VoIP)/Perl Ocean 2012/03
 
Silverlight vs HTML5 - Lessons learned from the real world...
Silverlight vs HTML5 - Lessons learned from the real world...Silverlight vs HTML5 - Lessons learned from the real world...
Silverlight vs HTML5 - Lessons learned from the real world...
 
LyonJUG - Combo - Quick Cloud Foundry Intro + Cloud Best Practices
LyonJUG - Combo - Quick Cloud Foundry Intro + Cloud Best PracticesLyonJUG - Combo - Quick Cloud Foundry Intro + Cloud Best Practices
LyonJUG - Combo - Quick Cloud Foundry Intro + Cloud Best Practices
 
Getting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at Scale
Getting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at ScaleGetting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at Scale
Getting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at Scale
 
Making development environments not suck | #econfpsu #econfpsu16
Making development environments not suck | #econfpsu #econfpsu16Making development environments not suck | #econfpsu #econfpsu16
Making development environments not suck | #econfpsu #econfpsu16
 

More from antitree

Hardening ssh configurations
Hardening ssh configurationsHardening ssh configurations
Hardening ssh configurationsantitree
 
Salander v bond b sides detroit final v3
Salander v bond b sides detroit final v3Salander v bond b sides detroit final v3
Salander v bond b sides detroit final v3antitree
 
Pentesting embedded
Pentesting embeddedPentesting embedded
Pentesting embeddedantitree
 
Corporate Intelligence: Bridging the security and intelligence community
Corporate Intelligence: Bridging the security and intelligence communityCorporate Intelligence: Bridging the security and intelligence community
Corporate Intelligence: Bridging the security and intelligence communityantitree
 
Lock picking barcamp
Lock picking barcampLock picking barcamp
Lock picking barcampantitree
 
Lock picking 2600
Lock picking 2600Lock picking 2600
Lock picking 2600antitree
 
Anti tree firesheep
Anti tree firesheepAnti tree firesheep
Anti tree firesheepantitree
 
Hackerspaces
HackerspacesHackerspaces
Hackerspacesantitree
 
Intro to IPv6 by Ben Woodruff
Intro to IPv6 by Ben WoodruffIntro to IPv6 by Ben Woodruff
Intro to IPv6 by Ben Woodruffantitree
 
Anonymity Systems: Tor
Anonymity Systems: TorAnonymity Systems: Tor
Anonymity Systems: Torantitree
 
Dll hijacking
Dll hijackingDll hijacking
Dll hijackingantitree
 

More from antitree (12)

Hardening ssh configurations
Hardening ssh configurationsHardening ssh configurations
Hardening ssh configurations
 
Salander v bond b sides detroit final v3
Salander v bond b sides detroit final v3Salander v bond b sides detroit final v3
Salander v bond b sides detroit final v3
 
Pentesting embedded
Pentesting embeddedPentesting embedded
Pentesting embedded
 
Tor
TorTor
Tor
 
Corporate Intelligence: Bridging the security and intelligence community
Corporate Intelligence: Bridging the security and intelligence communityCorporate Intelligence: Bridging the security and intelligence community
Corporate Intelligence: Bridging the security and intelligence community
 
Lock picking barcamp
Lock picking barcampLock picking barcamp
Lock picking barcamp
 
Lock picking 2600
Lock picking 2600Lock picking 2600
Lock picking 2600
 
Anti tree firesheep
Anti tree firesheepAnti tree firesheep
Anti tree firesheep
 
Hackerspaces
HackerspacesHackerspaces
Hackerspaces
 
Intro to IPv6 by Ben Woodruff
Intro to IPv6 by Ben WoodruffIntro to IPv6 by Ben Woodruff
Intro to IPv6 by Ben Woodruff
 
Anonymity Systems: Tor
Anonymity Systems: TorAnonymity Systems: Tor
Anonymity Systems: Tor
 
Dll hijacking
Dll hijackingDll hijacking
Dll hijacking
 

Recently uploaded

Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Recently uploaded (20)

Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Laverna vs etherpad

  • 2. You are Here Laverna Markdown Crypto Pbkdf2 Unnecesssary Visualization PBKDF2 For Blue Synchronization RemoteStorage.io Markdown.md Installation Conclusions Remotestorage.0wn .su
  • 3. What are these words • Laverna and Etherpad are note taking services • I won’t talk about Etherpad because • Self-hosted alternatives to cloud apps like Evernote • Security and encryption are the focus here
  • 4. Laverna • Node.js based local web page • HTML + JavaScript = no server required • Information is stored in the client you’re using • Encryptomagic • Remote storage options: • RemoteStorage.io (self-hosted) • Dropbox • Installation: • git clone git@github.com/laverna-static • Done
  • 6. Why? • Easy to convert into: • HTML • LaTeX • PDF • RTF… • Who supports MD? • Github (GFM) • Notepad++ • SublimeText • Everything on the Internet
  • 8. Encryption • All encryption happens client side (there is no server) • PBKDF2 • Manually entered salt (random) • Manually entered password • Can adjust iterations (1000 default) • AES 128 or 256 • Generated ciphers are stored in the browser local storage
  • 9. Crypto/Sync JSON • {"id":"0cc9da4f-a47f-c9fd-e1ba- 55cb0ddb14e7", • "title":"{ • "iv":"uSrC4YzSxgvjueOBn+kb3A==",“ • v":1,“ • iter":"1000",“ • ks":128,“ • ts":64,“ • mode":"ccm","adata":"",“ • cipher":"aes",“ • salt":"ZwuH03ajWY0=",“ • ct":"WvpHRh50YbhdGeWFORR5b1xUui Rb • UID of the app • This is the title of my note • This is the IV for the note • Supports versioning of your note • PDKDF2 iterations • Key size is 128 • Something else size is 64 • Mode is CCM stream cipher • AES • Salt that you set • The cipher text of the title itself
  • 10. • DK = Derived Key • PRF = HMAC - pseudorandom function like HMAC-SHA256 • c = Salt DK = PBKDF2(PRF, P, Salt, c, dkLen)
  • 11. DK = PBKDF2(PRF, P, Salt, c, dkLen) Password Salt HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA Derived Key
  • 12. What this defends against “monkey” Salt HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA HMAC-SHA Different Derived key
  • 13. JustBlue Takeaway * This is from the Internet. Based on font, this is probably way off now
  • 14. Laverna Crypto • PBKDF2 • Server never knows your key • Server never knows your keys • Fuck the cloud • Client side Crypto
  • 15. Javascript Based Crypto • Not a big deal - it’ll be fine, what could go wrong • Relying on client side crypto with a server authenticator • Relying on client side crypto to protect client side information Well Actually
  • 18. Syncing • Support RemoteStorage.io • Self-hosted remote storage similar to dropbox
  • 19. Laverna Installation • Clone repository: git clone git@github.com:Laverna/laverna.git • Switch to stable version git checkout 0.5.0 • Install dependencies: npm install && bower install • Build minified version: grunt build • Build Dependencies: node.js, bower, grunt.
  • 20. Operating Environment • Can host on any web server because crypto is on the client • Does not require PHP or programming environment • If remotely hosted, should be done over HTTPS • Github provides easy hosting over https for free • Can also run on your own computer
  • 21. Wait have I done a demo yet? https://laverna.cc/index.html#notes
  • 22. Here’s a diagram of something Laverna Etherpad Evernote License GPL GPL No Storage RemoteStorage, Dropbox None Sync with evernote Encryption PBKDF2 (AES) None (SSL with plugin) SSL + magic? Software JavaScript: Node.js, bower, grunt JavaScript Collaboration Not Realtime Yes Supports sharing Subfolders Infinite None Only 1 subfolder allowed Stored Format Json Export supports PDF, Word, and many other formats
  • 23. Conclusion • Fuck the cloud • Use laverna • Use markdown • Use PBKDF2 • Use RemoteStorage.io (remotestorage.0wn.su?)