How to get yarn 1.x (1.22) to install private npm packages from GitHub registry

I’ve already looked through a bunch of StackOverflow posts and nothing works.

I have a package, we’ll call it @myorg/some-package. How can I get yarn add to recognize and install this, whether it’s locally on a dev machine, or during a CI/CD process?

private key – HD Wallet with BIP44 – workaround of deriving public keys knowing only an xpub

My goal: I don’t want to require a private key to hierarchically derive new addresses.

Sure, I can create a batch of addresses, given a private key, at first. But once I have surpassed that batch I’ll require the private key again to generate more addresses.

I want to derive addresses knowing only a public key. I know this is possible with BIP39, but understand there can be security concerns involved with this, i.e. if an attacker stumbles upon an xpub and xprv they can derive as many addresses as they want and be able to sign transactions using them.

Attempting to derive from an HD public key with BIP44 results in an exception stating a hardened path requires an HD private key. However, I have found a workaround, but I fear it is cheating and might sacrifice the benefits of path hardening in BIP44.

Here’s an example:

const Mnemonic = require('bitcore-mnemonic')

// It starts off with a `codeUser` that represents a BIP39 Mnemonic code.
const codeUser = new Mnemonic('select scout crash enforce riot rival spring whale hollow radar rule sentence')

// Convert to HD private key...
const hdUserPrivateKey = codeUser.toHDPrivateKey()

console.log(hdUserPrivateKey.hdPublicKey.toString())
// Gives: `xpub661MyMwAqRbcEngoXGfFNahZ5FzSDGqY8pWKTqo6vtXxK15otDNLXJmbeHV7DUjvPc7CAFhYp6hzBiTanr8rgoHPHf6NSgZAyejK5bk8MiW`
// But we won't use it...

// Instead, I can then derive a BIP44 without the `change`, `address_index` segments from `hdUserPrivateKey`...
console.log(hdUserPrivateKey.deriveChild(`m/44'/0'/0'`).hdPublicKey.toString())
// Gives: `xpub6CsrEMgU2f8uEGfFMvsPjKB9ekHuZiesLqSHLwCJuNFkP2uJGm7WjTo2gy95S4KEBc4etdodNQXAvn5Vsf4kupJQ1DKR4DMfcHwKdhQ3k6h`
// This is the xpub I can use to derive addresses without requiring the initial private key.

// So knowing this, I can build a HD public key given that xpub...
const hdPublicKey = Mnemonic.bitcore.HDPublicKey('xpub6CsrEMgU2f8uEGfFMvsPjKB9ekHuZiesLqSHLwCJuNFkP2uJGm7WjTo2gy95S4KEBc4etdodNQXAvn5Vsf4kupJQ1DKR4DMfcHwKdhQ3k6h')

const derivative = 0

// We can derive from it this path, but what is this path defined as? Are we back in BIP39 territory now?
const publicKey = hdPublicKey.deriveChild(`m/0/${derivative}`).publicKey

const address = new Mnemonic.bitcore.Address(publicKey)

console.log(address.toString()) // 12XyHwtmoq5w4VQ5mzcu6BQzdLqCLxUv5e

…and of course, I can increment the derivative as many times as I wish to create new addresses from the public key.

Whenever I wish to sign a transaction…

const codeUser = new Mnemonic('select scout crash enforce riot rival spring whale hollow radar rule sentence')
const hdUserPrivateKey = codeUser.toHDPrivateKey()
const derivative = 0

// BIP 44 derivation path for private key...
const privateKey = hdUserPrivateKey.deriveChild(`m/44'/0'/0'/0/${derivative}`).privateKey

Is this approach valid or am I dodging BIP44 standards?
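
The mechanism the question relies on is BIP32 public child derivation: from an account-level extended public key, non-hardened children can be computed without the private key and match what the signer derives, while hardened children cannot. The following is an added example, not code from the post or from bitcore; it uses Node's `crypto` plus BigInt, a constructed account key standing in for `m/44'/0'/0'`, and made-up helper names (`ckdPub`, `ckdPriv`, `watchOnlyKey`, `signerKey`).

```javascript
const { createHmac, createECDH, createHash } = require('crypto');
const P = 2n ** 256n - 2n ** 32n - 977n; // secp256k1 field prime
const N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n; // group order
const HARDENED = 0x80000000;
const mod = (a, m) => ((a % m) + m) % m;
const big = (buf) => BigInt('0x' + buf.toString('hex'));
const bytes32 = (n) => Buffer.from(n.toString(16).padStart(64, '0'), 'hex');
const ser32 = (i) => { const b = Buffer.alloc(4); b.writeUInt32BE(i); return b; };
const hmac = (key, data) => createHmac('sha512', key).update(data).digest();
const sha = (s) => createHash('sha256').update(s).digest();
function powMod(b, e, m) {
  let r = 1n;
  for (b = mod(b, m); e > 0n; e >>= 1n, b = (b * b) % m) if (e & 1n) r = (r * b) % m;
  return r;
}
function pubFromPriv(k) { // compressed public key k*G, computed by Node/OpenSSL
  const ecdh = createECDH('secp256k1');
  ecdh.setPrivateKey(bytes32(k));
  return ecdh.getPublicKey(null, 'compressed');
}
function decompress(pub) { // [x, y] from a 33-byte key; P % 4 == 3 gives the square root
  const x = big(pub.subarray(1));
  const y = powMod(x ** 3n + 7n, (P + 1n) / 4n, P);
  return [x, (y & 1n) === BigInt(pub[0] & 1) ? y : P - y];
}
function addPoints([x1, y1], [x2, y2]) { // assumes x1 != x2 (fails only with negligible odds)
  const lam = mod((y2 - y1) * powMod(x2 - x1, P - 2n, P), P);
  const x3 = mod(lam * lam - x1 - x2, P);
  const y3 = mod(lam * (x1 - x3) - y1, P);
  return Buffer.concat([Buffer.from([2 + Number(y3 & 1n)]), bytes32(x3)]);
}
function ckdPriv({ priv, chain }, i) { // signer side; hardened indexes hash the private key
  const head = i >= HARDENED ? Buffer.concat([Buffer.alloc(1), bytes32(priv)]) : pubFromPriv(priv);
  const I = hmac(chain, Buffer.concat([head, ser32(i)]));
  return { priv: mod(big(I.subarray(0, 32)) + priv, N), chain: I.subarray(32) };
}
function ckdPub({ pub, chain }, i) { // watch-only side; needs only what an xpub contains
  if (i >= HARDENED) throw new Error('hardened path requires the private key');
  const I = hmac(chain, Buffer.concat([pub, ser32(i)]));
  const tweak = decompress(pubFromPriv(big(I.subarray(0, 32))));
  return { pub: addPoints(tweak, decompress(pub)), chain: I.subarray(32) };
}
// Constructed account-level key standing in for m/44'/0'/0' (not the key from the post).
const account = { priv: mod(big(sha('constructed account key')), N), chain: sha('constructed chain code') };
const accountXpub = { pub: pubFromPriv(account.priv), chain: account.chain };
// Public key at <account>/0/i, derived without and with the private key.
const watchOnlyKey = (i) => ckdPub(ckdPub(accountXpub, 0), i).pub.toString('hex');
const signerKey = (i) => pubFromPriv(ckdPriv(ckdPriv(account, 0), i).priv).toString('hex');
```

`watchOnlyKey(i)` and `signerKey(i)` return the same compressed public key for every non-hardened `i`, and `ckdPub` throws for any index at or above `0x80000000`.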

How to create signature for the payload (data)using private key in java with bitcoinj?

I have private key as ‘cUN9LNcEC54HAbWAwUs6coPSc72TcQYzxf4qSqdHJPVKSapeHzFj’ and payload as ‘hello’, now how to create the signature for this payload using private key in java with bitcoinj library?

public static String createSignature1(String payload) throws NoSuchAlgorithmException {
    ECKey pubKey = ECKey.fromPrivate(publicKeyHash("cUN9LNcEC54HAbWAwUs6coPSc72TcQYzxf4qSqdHJPVKSapeHzFj".getBytes(StandardCharsets.UTF_8)));
    ECKey.ECDSASignature signatureBase64 = pubKey.sign(Sha256Hash.wrap(DigestUtils.sha256(Arrays.toString(payload.getBytes(UTF_8)))));
    Log.info("Signature is : " + signatureBase64);
    Log.info("Base64 encoded Signature is : " + byteArrayToHex(Base64.getEncoder().encode(signatureBase64.encodeToDER())));
    return byteArrayToHex(signatureBase64.encodeToDER());
}

The above code is returning an invalid signature.

server – How do hackers/others get or steal your SSH private key?

Private keys aren’t any different from any other files, so any way for an attacker to get an arbitrary file from your PC is also a way for them to get your private key – provided it wasn’t encrypted. This includes, but is not limited to:

  • Theft
  • Malware
  • Accidental Disclosure
  • Insecure Storage
  • etc.

Each of these issues must be tackled in isolation, and they may not all be of equal importance. For example, I find it very unlikely that someone would break into my apartment and steal my hard drive – but it is much more likely that my laptop gets stolen when I am travelling.

One thing that is specific to private keys is that a lot of even tech-literate people do not know what public-key cryptography is and thus think a private key is “like a password, but it’s a file”. As such, when they are supposed to upload their public key somewhere (which is legitimate and necessary for the process to work), they sometimes upload their private key instead.

Even advanced users occasionally fall for malware, depending on the situation. For example, a few years ago, a friend sent me a message through Steam, just with a link to a file. I downloaded and opened it. Big mistake. This wasn’t because I am somehow stupid (although people who know me would disagree), but because a handful of factors played together: I was busy playing a game, it was late at night and that friend happened to often just send me random links to check out. So it wasn’t any behavior that raised alarm bells for me.
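
Two of the points above can be checked mechanically: whether a private key file is stored without a passphrase, and whether the text someone is about to upload as a "public key" is really a private key. The following is an added example, not part of the original answer; the function names are made up here and the sample key is a constructed container header with no key material.

```javascript
const MAGIC = Buffer.from('openssh-key-v1\0'); // header of the OpenSSH private key container

// Read one SSH wire string (uint32 big-endian length, then bytes) at offset `off`.
function readString(buf, off) {
  const len = buf.readUInt32BE(off);
  return buf.subarray(off + 4, off + 4 + len).toString();
}

// Returns 'public', 'private-encrypted', 'private-unencrypted' or 'unknown'.
function classifyKey(text) {
  const t = text.replace(/\r/g, '').trim();
  if (/^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+) \S+/.test(t)) return 'public';
  const m = t.match(/^-----BEGIN ([A-Z ]*)PRIVATE KEY-----\n([\s\S]*?)\n-----END /);
  if (!m) return 'unknown';
  const [, label, body] = m;
  if (label === 'ENCRYPTED ') return 'private-encrypted'; // PKCS#8 with a passphrase
  if (/^Proc-Type: 4,ENCRYPTED$/m.test(body)) return 'private-encrypted'; // legacy PEM
  if (label !== 'OPENSSH ') return 'private-unencrypted';
  const blob = Buffer.from(body.replace(/\s+/g, ''), 'base64');
  if (blob.length < MAGIC.length + 4 || !blob.subarray(0, MAGIC.length).equals(MAGIC)) return 'unknown';
  // First field after the magic is the cipher name; "none" means no passphrase.
  return readString(blob, MAGIC.length) === 'none' ? 'private-unencrypted' : 'private-encrypted';
}

// Gate for a "paste your public key" form: anything but a public key is rejected.
function acceptUpload(text) {
  return classifyKey(text) === 'public';
}

// Constructed sample: only the container header of an OpenSSH key, no key material.
function sampleOpenSSH(cipher) {
  const str = (s) => {
    const len = Buffer.alloc(4);
    len.writeUInt32BE(s.length);
    return Buffer.concat([len, Buffer.from(s)]);
  };
  const kdf = cipher === 'none' ? 'none' : 'bcrypt';
  const b64 = Buffer.concat([MAGIC, str(cipher), str(kdf), str('')]).toString('base64');
  return `-----BEGIN OPENSSH PRIVATE KEY-----\n${b64}\n-----END OPENSSH PRIVATE KEY-----\n`;
}
```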

macos – Track files transferred from unauthorized user on private WiFi

I was hacked yesterday and from what I see, it looks like it was someone who lives with me and shares the WiFi.

Is there a way to find on Mac, where my files were sent to and the device id, type, or something that helps to narrow down the exploiter?

I used this so far:

% history | grep "defaults write" >> ~/Documents/defaultsLog.txt

Thanks!

transactions – p2pkh vs. p2pk keeping public key private

I just got into learning Bitcoin programming through Jimmy Song’s Programming Bitcoin.
Jimmy says that some of p2pkh’s advantages over p2pk include:

  1. a smaller ScriptPubKey

  2. keeping one’s public key private

I completely agree with the first advantage but I’m having a little trouble with the second advantage.

Jimmy explains that, if ECDSA was ever broken, one could steal bitcoin from another entity because they could find their public key in the ScriptPubKey (if they were using p2pk) and create a valid signature.

My question is: If all we are doing is moving the public key from the ScriptPubKey to the ScriptSig, what security does that grant us if the ScriptSig is also accessible? If I was to spend a UTXO that was made to my public key hash, my public key would be public. Couldn’t a malicious user who had broken ECDSA keep looking for a UTXO ScriptPubKey with my hash in it, copy my public key from the previous transaction, generate a signature, and steal my bitcoin? It seems to me that my public key is private as long as I don’t spend anything.

Of course, I know I’m missing something 🙂 Any help is appreciated.

git – How to install private npm package using release hosted on GitHub?

Currently, I create a release and add a deploy key on GitHub, then I add an entry to .ssh/config and install the package using the git+ssh protocol.

$ cat ~/.ssh/config
Host react-hashlink
HostName github.com
IdentityFile ~/.ssh/react-hashlink

$ npm install git+ssh://git@react-hashlink:sunknudsen/react-hashlink.git#v0.0.1

This works, but feels like a hack… is there a cleaner alternative?

Estimate the number of host computers on the private network by port scanning

If we have a private network connected to the Internet with NAT, how can an attacker estimate the number of host computers in the network using port scanning?
For both possible modes: the attacker inside and outside the private network.