Online tool to format private key. - SAMLTool.com

The importance of being mindful of security at all times - nearly everyone is one breach away from total disaster

This is a long one - TL;DR at the end!

If you haven't heard yet: BlankMediaGames, makers of Town of Salem, have been breached which resulted in almost 8 million accounts being leaked. For most people, the first reaction is "lol so what it's just a game, why should I really care?" and that is the wrong way to look at it. I'd like to explain why everyone should always care whenever they are part of a breach. I'd also like to talk about some ways game developers - whether they work solo or on a team - can take easy steps to help protect themselves and their customers/players.
First I'd like to state that there is no practical way to achieve 100% solid security to guarantee you'll never be breached or part of a breach. The goal here will be to get as close as possible, or comfortable, so that you can rest easy knowing you can deal with problems when they occur (not if, when).

Why You Should Care About Breaches

The sad reality is most people re-use the same password everywhere. Your email account, your bank account, your steam account, your reddit account, random forums and game websites - you get the idea. If you haven't pieced it together yet the implication is that if anyone gets your one password you use everywhere, it's game over for you - they now own all of your accounts (whether or not they know it yet). Keep in mind that your email account is basically the holy grail of passwords to have. Most websites handle password changes/resets through your email; thus anyone who can login to your email account can get access to pretty much any of your accounts anywhere. Game over, you lose.

But wait, why would anyone want to use my password? I'm nobody!

It doesn't matter, the bad guys sell this information to other bad guys. Bots are used to make as much use of these passwords as possible. If they can get into your bank they might try money transfers. If they get into your Amazon account they might spin up $80,000 worth of servers to mine Bitcoin (or whatever coin is popular at the time). They don't care who you are; it's all automated.
By the way, according to this post (which looks believable enough to be real) this is pretty much how they got into the BMG servers initially. They checked for usernames/emails of admins on the BMG website(s) in previous breach dumps (of which there are many) and found at least one that used the same password on other sites - for their admin account!
If you want to see how many of your accounts are already breached check out Have I Been Pwned - I recommend registering all of your email addresses as well so you get notified of future breaches. This is how I found out about the Town of Salem breach, myself.

How You Can Protect Yourself

Before I go into all the steps you can (and should) take to protect yourself I should note that security is in a constant tug of war with convenience. What this means is that the more security measures you apply the more inconvenienced you become for many tasks. It's up to you to decide how much is too much either way.
First of all I strongly recommend registering your email(s) on https://haveibeenpwned.com/ - this is especially important if your email address is associated to important things like AWS, Steam developer account, bank accounts, social media, etc. You want to know ASAP when an account of yours is compromised so you can take steps to prevent or undo damage. Note that the bad guys have a head start on this!

Passwords

You probably need to have better password hygiene. If you don't already, you need to make sure every account you have uses a different, unique, secure password. You should change these passwords at least once a year. Depending on how many accounts you have and how good your memory is, this is your first big security vs convenience trade-off battle. That's easily solved, though, by using a password manager. You can find a list of password managers on Wikipedia here or you can search around for some comparison articles.
Some notable choices to consider:
Regardless of which one you choose, any of them is 100x better than not using one at all.

Multi-Factor Authentication / Two-Factor Authentication (aka MFA / 2FA)

The problem with all these passwords is that someone can still use them if they are found in a breach. Your passwords are only as strong as the website you use them on. In the case of the BMG breach mentioned above - all passwords were stored in an ancient format which has been insecure for years. It's likely that every single password in the breach can be reversed/cracked, or already have been. The next step you need to take is to make it harder for someone else to login with your password. This is done using Multi-Factor Authentication (or Two-Factor Authentication).
Unfortunately not every website/service supports MFA/2FA, but you should still use it on every single one that does support it. You can check which sites support MFA/2FA here or dig around in account options on any particular site. You should setup MFA/2FA on your email account ASAP! If it's not supported, you need to switch to a provider that does support it. This is more important than your bank account! All of the big email providers support it: GMail, Outlook.com, Yahoo Mail, etc.
The type of MFA/2FA you use depends on what is supported by each site/service, but there is a common approach that is compatible on many of them. Most of them involve phone apps because a phone is the most common and convenient "thing you have" that bad guys (or anyone, really) can't access easily. Time-based One-time Password or TOTP is probably the most commonly used method because it's easy to implement and can be used with many different apps. Google Authenticator was the first popular one, but it has some limitations which continue the security vs convenience battle - namely that getting a new phone is a super huge chore (no backup/restore option - you have to disable and setup each site all over again). Many alternatives support cloud backup which is really convenient, though obviously less secure by some measure.
Notable choices to consider:
Some sites/services use their own app, like Blizzard (battle.net) and Steam, and don't allow you to use other ones. You will probably have a few apps on your phone when all your accounts are setup, but it's worth it. You'll definitely want to enable it on your password manager as well if you chose a cloud-based one.
Don't forget to save backup codes in an actual secure location! If you lose your backup codes and your auth app/physical key you will be locked out of accounts. It's really not fun recovering in that situation. Most recommendations are to print them and put in a fireproof safe, but using some other secure encrypted storage is fine.
There is such a thing as bad MFA/2FA! However, anything is at least better than nothing. A lot of places still use SMS (text messaging) or e-mail for their MFA/2FA implementation. The e-mail one has the most obvious flaw: If someone gets into your email account they have defeated that security measure. The SMS flaws are less obvious and much less likely to affect you, but still a risk: SMS is trivial to intercept (capture data over the air (literally), clone your SIM card data, and some other methods). Still, if you're not a person of interest already, it's still better than nothing.

What Does This Have To Do With GameDev?

Yeah, I do know which subreddit I'm posting in! Here's the section that gets more into things specific to game development (or software development in general).

Secure Your Code

Securing your code actually has multiple meanings here: Securing access to your code, and ensuring your code itself is secure against exploitation. Let's start with access since that's the easier topic to cover!
If you're not already using some form of Source Control Management (SCM) you really need to get on board! I'm not going to go in depth on that as it's a whole other topic to itself, but I'll assume you are using Git or Mercurial (hg) already and hosting it on one of these sites (or a similar one):
First, ensure that you have locked down who can access this code already. If you are using private repositories you need to make sure that the only people who have access are the people who need access (i.e. yourself and your team). Second, everyone should have strong passwords and MFA/2FA enabled on their accounts. If 1 person on the team does not follow good security practices it puts your whole project at risk! So make sure everyone on the team is following along. You can also look into tools to do some auditing and even automate it so that if anyone's account becomes less secure over time (say they turned off MFA one day) they would automatically lose their access.
Additionally you should never commit secrets (passwords, API keys, tokens, social security numbers, etc) to your code repository. Probably 90% of cases where people have their AWS/Google Cloud/Azure accounts compromised and racking up huge bills for bitcoin mining is due to having their passwords/keys stored in their git repo. They either accidentally made it public or someone got access to the private repo through a compromised account. Never store sensitive information in your code repository!
Next topic: Securing your code from vulnerabilities. This one is harder to talk about for game dev as most engines/frameworks are not as susceptible (for lack of a better word) to these situations as others. In a nutshell, you need to keep track of the following:
A lot of these things cannot be solved automatically, unfortunately, but some of it can. If you are using Javascript for your game you likely will be using packages from npm - luckily they (recently) added security auditing for packages. For other languages you can look at tools like Snyk or some other alternatives to audit the libraries you use in your project. Unfortunately none that I know of are aimed at game dev in particular, but it's still important to use these tools when you can. In general, be aware of all of your code dependencies and what impact they can have on your game or your customers if there are security bugs. Impact can range from "can cheat in multiplayer" to "can get IP addresses of all players in the world" or even "can get all information I ever put on my server", etc.
In general you'll want to look into Secure Software Development Lifecycle (commonly SDLC) practices. Microsoft has some information on how they do it.

Secure Your Computer

I'm not going to go in depth on this one because at this point everyone should have a handle on this; if not there are limitless articles, blogs, and videos about the how/what/why. In summary: Keep everything updated, and don't open suspicious links.

Secure Your Website

I will have to add more to this later probably, but again there are tons of good articles, blogs, and videos on these topics. Hopefully the information in this section is enough to get you on the right track - if not feel free to ask for more info. Lots of guides can be found on Digital Ocean's site and they are relevant even if you don't use DO for your servers.
A lot of this will apply to your game servers as well - really any kind of server you expect to setup.

That's it, for now

I ran out of steam while typing this all up after a couple hours, but I may revisit it later to add more info. Feel free to ask any questions about any of these topics and I'll do my best to answer them all.

TL;DR (y u words so much??)

... in general... in general... in general... I sure wrote those 2 words a lot.

Why Should I Trust This Post?

Hopefully I have provided enough information and good links in this post that you can trust the contents to be accurate (or mostly accurate). There is certainly enough information to do some searches on your own to find out how right or wrong I might be about these things.
If you want my appeal to authority answer: I've been working at a major (network/computer) security company for almost 7 years as a software developer, and I've had to put up with pretty much every inconvenience brought on by security. I've also witnessed the aftermath of nearly every type of security failure covered in this post, via customers and the industry at large. None of the links I used are related to my employer or its products.
Edit: Fixed some typos and added some more links
More edit: added a few more points and links
submitted by exoplasm to gamedev [link] [comments]

05 Exporting & Importing Private Keys Bitcoin Wallet Hack! A program that searches for the ... Electrum private Keys importieren - YouTube Import a private key to blockchain.com - the most understandable instruction Import SSH Private Key in FileZilla - YouTube

The private key is a separate file that’s used in the encryption/decryption of data sent between your server and the connecting clients. A private key is created by you—the certificate owner—when you request your certificate with a Certificate Signing Request (CSR). The Certificate Authority providing your certificate (such as DigiCert ... Initially, I had a problem with creating a site within FileZilla as I needed to use a private key to log in to the server, but there wasn't any option listed for logging in with a keyfile. As per this answer I was able to add a keyfile, but I noticed that the site that I created originally hadn't been saved. When I went to create another site ... Format a Private Key. Sometimes we copy and paste the X.509 certificates from documents and files, and the format is lost. With this tool we can get certificates formated in different ways, which will be ready to be used in the OneLogin SAML Toolkits. Apparently, if you create a PKCS8EncodedKeySpec from a PKCS#8-encoded EC private key which also contains the public key, BouncyCastle will be kind enough to internally keep a copy of the encoded public key and write it back if you decide to reencode the private key in PKCS#8 format. However, it does nothing else with it; it handles it as an opaque blob. Once you have generated the certificate, and chosen where to save it, FileZilla will auto fill in the private key file, and the certificate file fields to point to the generated certificate. At this point, you can either choose to allow FTP over TLS if the user opts, or you can force them to always use FTP over TLS, and not allow them to connect if they do not use it. PROT P refers to the data ...

[index] [16796] [1762] [27811] [3691] [8136] [20575] [1587] [17146] [29624] [31993]

05 Exporting & Importing Private Keys

Import a private key to blockchain.com - the most understandable instruction #Import private key #bitcoin private Keys (Bitcoins, z.B. aus Armory oder Bitcoin Core) in die Electrum Wallet importieren. Forum: https://www.coinforum.de/ Bitcoin kaufen: https://www.b... Learn how to Import and Export the private key in the Bitcoin-Core Wallet and bitcoind.exe and bitcoin-cli.exe If you need to import a private key, you also do this from the console area. You’ll need to unlock the wallet like we did previously, then type importprivkey , space, then the private key. An illustration of how to import/recover private key of different coins using the required software Contact expert for softwares to help you out on this issu...

#