david wong

Hey! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

Procrastination

posted April 2014

Procrastination

I've read a LOT of stuff about procrastination. I have techniques:

I think those are all my techniques, I can't really think of any others.

2 Ideas

A few months ago I started counting my calories intake, and I lost weight! It's magic. As soon as you start counting the bad stuff, you realize how much you're doing of it. I've had this idea for quite a long time, a slack counter, that times how long you slack per day. It compares that to the average. I don't know how to implement that, but a cellphone app would be the best suited I think. We always carry it, so we just have to launch the app and start a timer when we procrastinate. This + a firefox/chrome app that recognizes websites that are "time consumer" to add to your statistics. I'm sure that would help me work more!

When I'm really in trouble, and I can't seem to get motivated, I always take my iPod out and start a 30 minute timer. I do that, and then I find something to work on, anything, and I don't have to be efficient or know right away how I'm gonna work on it. I just have to do it, non-stop, to focus for just 30 minutes. And when the timer stops, I'm usually motivated enough to either keep going, or take a small break and start a bigger timer. I had the idea of implementing a 30 minute timer + a chain system, everyday you can start this 30 minute timer once and if you do work non-stop for 30 minutes while it runs, you will validate a day. Try validating the most days in a row!

Other techniques ?

This article brings 3 good points:

There are two ways to look at any task. You can do something because you see it as a way to end up better off than you are now – as an achievement or accomplishment. As in, if I complete this project successfully I will impress my boss, or if I work out regularly I will look amazing. Psychologists call this a promotion focus

when we say things like “I just can’t get out of bed early in the morning, “ or “I just can’t get myself to exercise,” what we really mean is that we can’t get ourselves to feel like doing these things.

Making an if-then plan is more than just deciding what specific steps you need to take to complete a project – it’s also deciding where and when you will take them.
If it is 2pm, then I will stop what I’m doing and start work on the report Bob asked for.

You have to let go

This article helped/helps me a lot. Every time I fall into a procrastination period (because it's a disease you'll have to live with for the rest of your life :D), I read that article.

I hadn’t figured out the skill that would save me from the procrastination.
Until I learned about letting go.

Learn from the pro

Katia Verresen is a "Mental Energy coach" for CEOs and founders. Here's a nice article about her and interesting stuff she has to say about being efficient, in the zone.

Verresen is a big fan of a tactic called “calendar blocking,” and she encourages her clients to identify the chunks of time on their calendars when they have the most physical energy for work.

The mood you wake up in is critical. Consider it to be the default font for your entire day.

For a marathon runner, people say that the day before and the day before that are the most important. If you mess up with your sleep one day, you'll feel the consequences until two days after.

Verresen actually tells her clients that if they haven’t gotten enough sleep, they shouldn’t take their emotions seriously the next day.

“Mental energy is the ability to separate yourself from your thoughts,” Verresen says. “Everyday, we have millions of thoughts that cause stress, anxiety, depression — that can stall you out in a million different ways — but you don’t have to believe them.”

“The best way to reset your mental energy is to get it up and out into the physical world,” Verresen says. “Screens don’t count. You should put whatever it is that’s bothering you or that you need to get done up on a white board. Write it down and stick it up on a wall.

I sometime stop what I'm doing to do the dishes. It clears my mind.

Verresen advises her clients to block off two slots ranging between 90 minutes to 2 hours every week as mental white space. They need to literally put it on their calendar and make sure they aren’t interrupted or disturbed during this time — ideally they shouldn’t have meetings right afterwards either.

I do this by doing my laundry. I take a paper and a pen with me and I go do my laundry for an hour.

comment on this story

Gröbner basis on numb3rs

posted April 2014

It doesn't seem to be the only appearance of the Gröbner basis on the show:

In the Season 4 opening episode 'Trust Metric' (2007) of the television crime drama NUMB3RS, math genius Charlie Eppes mentions that he used Gröbner bases in an attempt to derive an equation describing friendship.

From wolfram alpha

comment on this story

An awesome explanation of the Fourier Transform

posted April 2014

I've run into this über cool explanation of the Fourier Transform thanks to mtodd's blog

Here's a bit from the introduction:

What does the Fourier Transform do? Given a smoothie, it finds the recipe.
How? Run the smoothie through filters to extract each ingredient.
Why? Recipes are easier to analyze, compare, and modify than the smoothie itself.
How do we get the smoothie back? Blend the ingredients.

And cool examples of what can be done with the Fourier Transform:

  • If earthquake vibrations can be separated into "ingredients" (vibrations of different speeds & strengths), buildings can be designed to avoid interacting with the strongest ones.
  • If sound waves can be separated into ingredients (bass and treble frequencies), we can boost the parts we care about, and hide the ones we don't. The crackle of random noise can be removed. Maybe similar "sound recipes" can be compared (music recognition services compare recipes, not the raw audio clips).
  • If computer data can be represented with oscillating patterns, perhaps the least-important ones can be ignored. This "lossy compression" can drastically shrink file sizes (and why JPEG and MP3 files are much smaller than raw .bmp or .wav files).
  • If a radio wave is our signal, we can use filters to listen to a particular channel. In the smoothie world, imagine each person paid attention to a different ingredient: Adam looks for apples, Bob looks for bananas, and Charlie gets cauliflower (sorry bud).
comment on this story

Diffie-Hellman, ElGamal and RSA

posted April 2014

I'm in holidays for a week, easter I think, anyway, I didn't know what to do so I coded the Diffie-Hellman handshake, the ElGamal cryptosystem and the RSA cryptosystem in python.

You can check the code on github here: github.com/mimoo/crypto_studies

Check the tests.py file to see how the classes are used. Here's an extract:

"""Testing Diffie Hellman
"""
# 1. BOB
bob = DiffieHellman()
# G and g are generated automatically
print("G is a group mod %i and of order %i, and the generator g is %i" % (bob.G[0], bob.G[1], bob.g))
# We generate a secret and a public key
bob.generate_secret()
bob.generate_public()

# 2. ALICE
# We already know G and g
alice = DiffieHellman(bob.G, bob.g)
# We generate the secret key and the public key
alice.generate_secret()
alice.generate_public()

# 3. WE CREATE THE SHARED KEY
bob.generate_sharedkey(alice.publickey)
alice.generate_sharedkey(bob.publickey)
# Bob and Alice now have the same _sharedkey and the same public (G, g)

As the README says, it might be oversimplified and not totally correct. I mostly did that to do something in Python and also try to memorize how those systems work.

I've also done a lot of Unity this week-end. And also a bit of WxPython but I don't really like it. I think I should focus on QT and C++.

comment on this story

How hard is it to find an internship?

posted April 2014

I've been looking for a summer internship and I haven't really found anything sor far. Although I've had some interviews with some start ups from the Silicon Valley (including TrueVault that really seemed like a good fit for a cryptographer in progress like me :D). But I've been unlucky so far since they're pretty busy, it's demo day-time for those applying to ycombinator there.

Anyway I still have 4 months of holidays this summer and I'm wondering what I'll do if I can't find anything in Mountain View (n_n I really want to go there).

If you know someone, or are interested in a passionate coder and eager learner, you can take a look at my resume here and rush to contact me before someone else does :)

Otherwise I'll spend more time coding personal projects and writing this summer (by the way, Korben, a famous influential blogger in France has written about me and my application 3pages.fr in a blog post. Huge amount of traffic in a few hours, 600 people signing up in a day. I envy his traffic.)

cv

comment on this story

NAT with iptables : super fast tutorial

posted April 2014

So I know how to use iptables, I know what a NAT is, but I don't want to learn how to exactly do it. Misery... I have to learn how to do it because I have an exam that will probably ask me how to do it in a few days. So I've been looking for a super simple tutorial, a 1 minute tutorial, on how to setup a NAT configuration with iptables in 1 minute. Couldn't really find it so here it is, if this is somewhat useful for someone, you're welcome.

First Step

For NAT to work, you have to allow forwarding on your server. Easy peasy:

$ echo 1 > /proc/sys/net/ipv4/ip_forward 

Also, before adding new iptables rules, be sure to check what rules you already have

$ iptables -L

you should allow some forwarding for it to work (if the policy is default to DROP). But this not a tutorial about iptables.

Static

I have a server with:

  • eth0 connected to the network

  • eth1 connected to internet

Let's modify the PREROUTING part. Traffic coming from internet on our public address (@pub) and trying to reach our machine:

$ iptables -t nat -A PREROUTING -d @pub -i eth0 -j DNAT --to-destination @priv

Let's modify the table nat, append a rule to the pretrouting section : something is trying to reach @pub ? Let's put it in our input interface eth0, jump to the Destination Nat protocol, which tells us to send the packet to @priv.

Now Let's modify the POSTROUTING part. Traffic coming from inside our network and trying to reach something, somewhere on internet:

$ iptables -t nat -A POSTROUTING -s @priv -o eth1 -j SNAT --to-source @pub

If the packet is coming from @priv, let's put it on our output interface eth1 and jump to the Source Nat Protocol that will modify the packet so it has the public address (@pub) as source.

Here! You did it. One private IP address mapped to one public IP address.

Dynamic

Same kind of configuration but now we have several private addresses and only one public address.

$ iptables -t nat -A POSTROUTING -s @priv/mask -j MASQUERADE

We can modify every packets coming from the subnetwork @priv to get masqueraded.

$ iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Or we can just tell all the network to get masqueraded.

And this is it. No PREROUTING Needed.

Again, you're welcome ;)

2 comments

Exams

posted April 2014

We've been a group of 4-5 students spending each nights at the Crémi these few last days, this building of three floors where each floor has around 10 rooms full of computers.

We work, we eat, we play, and we crash each other computers.

There are a bunch of games installed on every computers but we mostly play SauerBraten, a quake-like.

sauerbraten

My 15-year-old self would have spent most of his days here playing, if only he knew that his future campus would have such a sacred place :)

How do we crash each other computer? We just ssh into their machine and launch a fork bomb:

 :(){ :|:& };:

It operates by defining a function called ':', which calls itself twice, once in the foreground and once in the background.

comment on this story

Fast Fourier Transform

posted April 2014

So, I've learned about Fourier every year in my bachelor of Mathematics and I'm learning about the efficient algorithm dealing with the Fourier Transform in my class of Algebra right now.

I found a really nice video explaining really quick what it is, concretely.

Here's wikipedia way of showing that fourier made by LucasVB, this crazy guy doing all those math gifs you've probably seen before :) more here

There's also a visualization in d3.js here: http://bl.ocks.org/jinroh/7524988

comment on this story

Just learn Vim

posted March 2014

The editor I'm using the most is Sublime Text 3. It's just super easy to use and super useful when you combine it with the right plugins and snippets.

But I love switching editors. I've used Frontpage, Dreamweaver, PHP Designer, Netbeans, Notepad++... and others I can't remember. I've recently tried the beta of Light Table and Brackets (that is truly amazing!), and I am eagerly waiting for Atom the open source IDE of github.

I also love spending time with Emacs. It's hard to master but I dig the "you don't need a mouse" aspect. One thing I found really annoying though is that most software use Vim by default. Wanting to master emacs, I didn't want to spend time learning Vim as well and I started tweaking the settings so that software X would use emacs by default. And that works well until... But then you run into some complications, for example I'm still trying to figure out how to do a git diff with emacs, or you run into a machine without emacs, and then it's either nano, which is shitty, or something else that is installed on the machine... and vim is (almost?) always installed by default.

So I decided to just learn Vim. And it was actually easier than it sounded and I feel like I'm going to avoid a lot of headaches now. Sometimes it's better to learn and adapt rather than try to use our own tools.

And if you're like me, you'll actually have a lot of fun learning vim :)

comment on this story

Hashes, MACs, Signatures

posted March 2014

I was very confused when I was introduced to signatures and macs because I thought they were just Hashes. I got to understand what it was and... it's actually super simple.

Here's a great explanation on the crypto stackexchange but here's mine:

  • I have a huuuge message that I want to transfer to a friend. I'm scared some of the words would change during transit. Solution? I just hash it and send the hash with the message. hash = Hash(message). A hash is pretty small (for example a md5 hash is 32 characters) so it's no trouble. My friend then receives the message and the hash, he can Hash(message) it and see if it gives him the same hash. If it doesn't then he knows that the message was changed and he can ask me for a new copy.

You can also call that an unkeyed hash, simply because it doesn't use a key. You just apply the algorithm to the message, no other arguments are given to the hash function.

  • Okay now, We had some problems because some bad guy has sent numerous bad messages to my friends pretending he was me. I still want to hash my message but I also want to tell my friend it was me who wrote it. So, like a symmetric cipher, I generate a key that I share with my friend. And I hash my message with that key Hash = HMAC(key, message). My friend can now hash it with the same key when he receives the message and see that we have the same hash.

We just used a (symmetric) keyed hash or a HMAC (Hash-based message authentication code). Note that we could have used a MAC based on a Cipher as well (CMAC).

  • So me and my friend have been writing many messages to a community of coders. We want to sign each messages with our name, but that's not enough, another bad guy is posting bad stuff signed with our names on different websites. So let's use a Hash that people can verify, like an asymmetric cipher, we generate both a secret key and a public key, we hash the message with our secret key and we post the message, the hash and the public key. Hash = Sign(secret_key, message). People can then verifiy that Hash with the public key. Voila ! We just used a Signature or how I like to call them a asymmetric keyed hash. It allows for integrity of data, thanks to the hash, authentification of the authors, thanks to the secret key (this is a MAC), non-repudiation thanks to the public key (and now we have a signature).

So if you got it right, Hash < Mac < Signature. They're all useful and you should use the one relevant according to the context.

I'll just copypasta the table on the stackoverflow answer, because it's a real nice summary:

Cryptographic primitive | Hash |    MAC    | Digital
Security Goal           |      |           | signature
------------------------+------+-----------+-------------
Integrity               |  Yes |    Yes    |   Yes
Authentication          |  No  |    Yes    |   Yes
Non-repudiation         |  No  |    No     |   Yes
------------------------+------+-----------+-------------
Kind of keys            | none | symmetric | asymmetric
                        |      |    keys   |    keys
comment on this story