feat: task b done

sheet03/a1/a.txt

@@ -0,0 +1,98 @@
+1.
+positives:
+- The password is very hard to guess / bruteforce
+- There are no physical ways to obtain the password except for hacking one of the services where you have an account
+- You don't have to remember a lot and the effort is low compared to other methods
+
+negatives:
+- If one service gets hacked and your password is found out, all your accounts are compromised
+- If you forget your password, you don't have a good recovery method for your account (unless the service provides one)
+- Even though your password is pretty strong, you are still a pretty easy target
+
+2.
+positives:
+- The password is very hard to guess / bruteforce
+- There are no physical ways to obtain the password except for hacking one of the services where you have an account
+- You don't have to remember a lot and additionally to 1 only the method you're using (that you append the first letter of every service to it)
+
+negatives:
+- If one service gets hacked and your password is found out, getting into other accounts is harder than 1, but still pretty easy if they figure out your method
+- If you forget your password, you don't have a good recovery method for your account (unless the service provides one)
+- Even though your password is pretty strong, you are still a pretty easy target (although a tougher one than 1)
+
+3.
+positives:
+- Your passwords are very hard to guess / bruteforce
+- If one of your accounts gets hacked, none of your others compromised
+- You don't have to remember a lot, except for the secure place / the means to get to the secure place
+
+negatives:
+- If someone finds and steals your password book, you don't have any means of getting your accounts back
+- If you need to access your passwords from somewhere where you don't have access to your password book, you can't log into any of your accounts
+- Keeping the password book around is a huge maintenance burden (compared to 1 + 2 for example)
+
+4.
+positives:
+- Your passwords are very hard to guess / bruteforce
+- If one of your accounts gets hacked, none of your others are compromised
+- You can easily take all of your passwords with you
+
+negatives:
+- If someone finds and steals your USB stick, you don't have any means of getting your accounts back
+- If you need to access your passwords from somewhere where you don't have access to your USB stick, you can't log into any of your accounts
+- Keeping the USB stick around is a little bit of a burden (compared to 1 + 2 for example, 3 is a bigger burden of course)
+
+5.
+positives:
+- Your passwords are very hard to guess / bruteforce
+- If one of your accounts gets hacked, none of your others are compromised
+- Finding all of your passwords is really easy and convenient
+
+negatives:
+- If your PC breaks, you don't have access to any of your passwords anymore
+- If you don't have access to your PC where you need one of your passwords, you can't log into your accounts
+- If you lose any of your passwords, you don't have a proper way of getting them back (like deleting it on accident or something)
+
+6.
+positives:
+- Your passwords are very hard to guess / bruteforce
+- If one of your accounts gets hacked, none of your others are compromised
+- Taking your passwords with you is really easy
+
+negatives:
+- If the service storing your passwords gets hacked (and is not properly protected), all of your passwords could be vulnerable
+- Depending on how you access this password manager, your account may not be so secure
+- You need to keep around an extra password for your password manager (that you need a good strategy for as well)
+
+7.
+positives:
+- Bruteforcing one of your passwords doesn't leak your main password (assuming the password derivation is good)
+- If one of your accounts gets hacked, none of your others are compromised
+- Knowing your main password, means you know all of your passwords (because they are simply derived, they are not unrelated to your main password)
+
+negatives:
+- You need to keep around an extra password for your password derivation service (that you need a good strategy for as well)
+- If your main password is found out, all of your accounts are compromised
+- You are a relatively easy target since all it takes is cracking your main password (and knowing one site you have an account for)
+
+8.
+positives:
+- Your passwords are very hard to guess / bruteforce
+- If one of your accounts gets hacked, none of your others are compromised
+- Finding all of your passwords is really easy and convenient
+
+negatives:
+- If your PC breaks, you don't have access to any of your passwords anymore
+- If you don't have access to your PC where you need one of your passwords, you can't log into your accounts
+- If you lose any of your passwords, you don't have a proper way of getting them back (like deleting it on accident)
+
+9.
+positives:
+- You don't have to remember a lot of passwords
+- If one of your accounts gets hacked (and are unrelated to the password reset method), none of your others are compromised
+- Getting into your accounts is really easy
+
+negatives:
+- If your reset password method gets compromised, you don't have a way of getting back your account
+- Not all services may have a reset password function
+- You are a relatively easy target since all it takes is cracking your reset password method (if it is an email address for example)

sheet03/a1/b.txt

@@ -0,0 +1,3 @@
+A potential strategy is to use a password manager, like Proton Pass, that encrypts all of your passwords when they are uploaded to the cloud. With this approach, you have to remember one password for your password manager and get a really convenient solution that won't break down even if the provider were to be compromised (as in the service itself). With a good recovery strategy like keeping something like a recovery token in a secure place in your house, you can make sure you never lose access to your password manager.
+
+This approach of course has downsides, if the password you use for the password manager is weak, you are still an easy target. Like you would be with 1 or 2, but you would still have a recovery method. Compared to 7 however, you still never have a way of knowing your passwords without authenticating with the provider you're using. On top of that, keeping the recovery token at home makes you vulnerable to physical attacks similar to 3 or 4. These attacks are usually a hard thing to perform though, so I think it's still better than using a cloud password manager or one provided by your operating system.   

sheet03/a2/Auth.java

@@ -0,0 +1,71 @@
+import java.io.Console;
+import java.util.Map;
+import java.util.HexFormat;
+import java.util.stream.Collectors;
+import java.nio.file.Path;
+import java.nio.file.Files;
+import java.security.MessageDigest;
+
+public class Auth {
+    private static final byte[] INVALID_HASH = "----------------------------------------------------------------".getBytes();
+
+    public static void main(String[] args) {
+        try {
+            Map<String, byte[]> passwd = Files.readAllLines(Path.of("passwd"))
+                .stream()
+                .filter(line -> line.indexOf(":") > 1 && line.length() > 3)
+                .collect(Collectors.toMap(
+                    line -> line.substring(0, line.indexOf(':')),
+                    line -> HexFormat.of().parseHex(line.substring(line.indexOf(':') + 1))
+                ));
+
+            System.out.println("Chocolate Factory SCADA Command Line Interface v2.2.144");
+            System.out.println();
+            System.out.println("Please, enter your authentication credentials.");
+            System.out.println();
+
+            Console cons = System.console();
+
+            String username;
+            String password;
+
+            long timeout = 500;
+            while (true) {
+                username = cons.readLine("> Username: ");
+                password = new String(cons.readPassword("> Password: "));
+
+                MessageDigest digest = MessageDigest.getInstance("SHA-256");
+                byte[] encodedHash = digest.digest(password.getBytes());
+
+                // constant time comparison to prevent timing attacks
+                if (MessageDigest.isEqual(
+                    passwd.getOrDefault(username, INVALID_HASH),
+                    encodedHash
+                )) {
+                    System.out.println();
+                    System.out.printf("Welcome %s!%n", username);
+                    Thread.sleep(150);
+                    break;
+                } else {
+                    // exponential timeout to prevent brute force attacks
+                    System.out.println("Incorrect username and/or password.");
+                    Thread.sleep(timeout);
+                    timeout *= 2;
+                }
+            }
+
+            printSystemStatus();
+            printSecretRecipe();
+        } catch (Exception e) {
+            // ignore
+        }
+    }
+
+    private static void printSystemStatus() throws Exception {
+        // TOP SECRET
+    }
+
+    private static void printSecretRecipe() throws Exception {
+        // TOP SECRET
+    }
+}

sheet03/a2/a.txt

@@ -0,0 +1,5 @@
+The Code uses unsalted hashes of the passwords.
+That way there is no random data added to the hashes and it is very easy to find identical hashes using
+pre-computed lookup tables.
+
+Using such a tool we found that the password admin123 has the same hash that is stored for the username admin.

sheet03/a2/b.txt

@@ -0,0 +1,77 @@
+07:46:38 leo@group-20 ~ → cat .ssh/config 
+Host chocolate
+  User chocolate
+  Hostname 10.42.23.1
+
+07:46:13 leo@group-20 ~ → ssh chocolate
+chocolate@10.42.23.1's password: chocolate
+Chocolate Factory SCADA Command Line Interface v2.2.144
+
+Please, enter your authentication credentials.
+
+> Username: admin
+> Password: admin123
+
+Welcome admin!
+
+We are currently clean on OPSEC.
+
+Current System Status:
+ 🏭 Production Line 1:               [🟢 ONLINE] - Idle
+ 🏭 Production Line 2:               [🟢 ONLINE] - Running (Secretly Sweet Chocolate Batch #42)
+ 🏭 Ingredient Hopper (Cocoa):       [🟢 ONLINE] - Level: 85%
+ 🏭 Ingredient Hopper (Sugar):       [🟢 ONLINE] - Level: 92%
+ 🏭 Ingredient Hopper (Milk Powder): [🟢 ONLINE] - Level: 78%
+ 🌡️ Temperature Control System:      [🟢 ONLINE] - Target: 45°C (±0.5°C)
+ ⚙️ Mixing Unit A:                   [🟢 ONLINE] - Standby
+ ⚙️ Mixing Unit B:                   [🟢 ONLINE] - Active
+ 🍫 Molding Machine Alpha:           [🟢 ONLINE] - Ready
+ 🍫 Molding Machine Beta:            [🟢 ONLINE] - Processing
+ 🧊 Cooling Tunnel System:           [🟢 ONLINE] - Target: 10°C (±1°C)
+ 📦 Packaging Unit Delta:            [🟢 ONLINE] - Awaiting Output
+ 🤖 Quality Control Bot v3.2:        [🟢 ONLINE] - Monitoring
+ ⚡ Power Supply:                    [🟢 ONLINE] - Stable
+ 🌐 Network Connectivity:            [🟢 ONLINE] - Good
+ 🔒 Security System:                 [🟢 ONLINE] - Active
+----------------------------------------------------
+✅ ALL SYSTEMS GREEN. Chocolate production is nominal. ✅
+
+
+📝 Recipe for 'Secretly Sweet Chocolate Batch #42
+
+  Ingredients:
+
+  1 'Bargain Bin Chocolate Chunk'
+    (obtained from ... questionable sources)
+  3 'Heaping Spoonfuls of Questionable Granules'
+    (definitely not pure sugar)
+  A splash of 'Mysterious Gloss'
+     (something called vasline, maybe inedible,
+      but it makes things shiny!)
+
+
+  Instructions:
+
+  Acquire the Goods:
+     Locate and 'liberate' the cheapest-looking chocolate
+     you can get from the competition.
+  The Melt Down:
+     Subject the 'Bargain Bin Chocolate Chunk' to intense heat.
+     The goal is a questionable, slightly lumpy liquid.
+  Sweeten the Deal:
+     Introduce the 'Heaping Spoonfuls of Questionable Granules'
+     to the melted chocolate. Stir vigorously (or just shake the
+     container violently). The mixture should become alarmingly
+     sweet.
+  The Glossy Finish:
+     Add a dash of 'Mysterious Gloss.' This will give the product
+     an unsettlingly shiny appearance.
+  Mold it (Sort Of):
+     Pour the concoction into a vaguely bar-shaped container (the
+     packaging of the input chocolate might work?).
+  The Pay Off:
+     Pay tons of influencers to advertise this as the best
+     chocolate they have ever tasted, and price this chocolate
+     at a ridiculous high price!!1! 🤑💰💸
+  
+Connection to 10.42.23.1 closed.

sheet03/a2/passwd

@@ -0,0 +1,3 @@
+admin:240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9
+alice:57a975ec110f89a7ca6a8c39aec856890b10488006106fb12c3a5fe063b1e7d5
+bob:2a3cc87f95b4363a1e6483d4659671361f86239735d31e8c4a9be893a2427c19