david wong

Hey ! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

Hack Summit November 2014

The next Hack Summit will happen entirely online and will start on December the 1st.


You can get a free ticket by posting it on twitter/facebook.

An amazing line up of people will be giving talks: David Heinemeier Hansson (creator of Ruby on Rails), Tom Chi (creator of Google Glass), Hakon Wium Le (creator of CSS), Bram Cohen (creator of Bittorrent), Brian Fox (creator of Bash), Hampton Catlin (creator of Sass and Haml), and many more interesting persons and even....... Jon Skeet (#1 answerer on StackOverflow). This is gonna be huge!

comment on this story

Pseudo Random Number Generators using a block cipher in CTR mode November 2014

I was wondering why Randomized Algorithm were often more efficient than non-randomized algorithm.

Then I looked at a list of random number generators (or RNG).

Of course we usually talk about PRNG (Pseudo Random Number Generator) since "truly random" is impossible/hard to achieve.

An interesting thing I stumbled into is that you can create a PRNG using a block cipher in counter mode, by iterating the counter and always encrypting the same thing, if the block cipher used is good, it should look random.

This sounds solid since ciphers sometimes need to have Ciphertext Indistinguishability from random noise.

To support such deniable encryption systems, a few cryptographic algorithms are specifically designed to make ciphertext messages indistinguishable from random bit strings

Also under the Ciphertext indistinguishability property that a cipher should respect, you shouldn't be able to find any relations between the ciphertexts coming from the same input but encrypted with an increasing counter.

comments (1)

MicroCorruption November 2014


MicroCorruption is a "game" made by Matasano in which you will have to debug some programs in assembly. There is a total of 19 levels and it gets harder and harder by the number. The first levels are made for beginners though! So it seems like a great tool to learn, and that's what our prof Emmanuel Fleury must have thought when he gave us this as homework. One rule: every level is worth one point.

I started writing the solutions here but as people told me "it was unethical to post solutions of a challenge online", I promptly removed them. If someday the challenge will shut down I will post the write ups online so that people can still learn from it :)

comment on this story

Elliptic Curves October 2014

I feel like I don't write much about my formation, and that it could be useful to people who are wondering about studying Cryptography at Bordeaux University.

There is a good article from a M1 student here: http://journaldumaster.stats.yt/master-csi-presentation/

And as it says there, the master 1 is do-able both for maths and CS people as long as you're willing to catch up in the other subject. There's a lot of theory that will allow you to study more interesting subjects in the second year of Master.

I've talked about some of the subjects but one subject I forgot to talk about was a M1 class: Elliptic Curves, taught by Fabien Pazuki and if you have the chance of taking a class from the guy just do it. He's one of the best math teacher I have had in my life, along with Vincent Borrelli (Surfaces & Curves at Lyon 1) and some dude I can't remember the name of. Each one of them were both really passionate and making true efforts to be pedagogical.

comment on this story

Hack of the Day: How do I run untrusted shell code? October 2014

I've run into a nice series of video called "hack of the day" from Vivek-Ramachandran.

In this first video he explains two techniques :

  • jump-call-pop
  • xor decoding

I also got nice tips like the examining string function in gdb : x/s $ebx or the folder usr/include/asm that contains plenty of information about assembly.

The full playlist can be found on securitytube.net

comment on this story

POODLE: new attack on SSL October 2014

A new attack on SSL 3.0 has been discovered. It's relevant because most browsers (except for Opera) allow a downgrade to SSL 3.0 if it cannot seem to use newer versions. Of course an attacker could disturb the connection and force someone to use SSL 3.0 in order to use the POODLE attack.

Full and clear explanation here

You might want a reminder of what is CBC to read it:


tl;dr: attack happens because of the way padding works in CBC in SSL 3.0

comment on this story

Erasmus & Korean October 2014

A new year starting means new erasmus coming. And this year I've done things a bit differently, instead of just meeting the newcomers I've joined the Erasmus association of Bordeaux "Inter'action Bordeaux" and I've helped them organized many events. Parties of course but also some really cool stuff like:

  • A welcome erasmus week-end in a camping next to the Sanguinet lake (and for the first time of my life I slept on the beach! Not really comfy).

sanguinet lake erasmus week end interaction bordeaux

sanguinet lake erasmus week end interaction bordeaux

  • The Feria of Bordeaux, and no worries, no animals were injured, it was more like a silly cow running around people :)

feria bordeaux

feria victoire

Aside from participating in this new adventure, I've also started taking Korean classes at the same place where I was taking russian classes last year. And I already learned how to write/read korean. It's actually not that hard at all and if you have a few hours to spare you could learn it too :)


I forgot that I also spent quite some time learning Romanian on Memrise this summer and I fell in love with Memrise again. I was actually the first of many romanian classes rankings for many weeks.

comment on this story

Here we go again September 2014

So here's to a new school year in Bordeaux. My initial plan was to do my first year in Bordeaux and do my second year in Rennes. I liked Bordeaux so much that I decided to stay here instead, for better or worse.

First, I found a new place. It's way better than my last place (which was really, really bad). And I couldn't have asked for a better location. I'm right in the middle of everything. Bordeaux is small enough that I basically have to walk less than 5 minutes to go to restaurants, shops, supermarkets, the laundry, my friends, etc... Life is easy :)

my place

A few weeks ago an article has been written about my website 3pages in Telerama (a nationwide paper). It's small but that's something :)


Also I started classes last week. But I'll make another post about that!

comment on this story

Slim August 2014

I talked about Slim the other day. I wanted to do a similar project not so long ago that I would have called weblang.

I first thought about an indented language with no symbols to declare html elements. Something like that:

  a 'more info' href: 'http://www.google.com'
    hey !

But then I thought, how will I distinguish markups from text. If I want to write ul without it being translated to <ul></ul>, how do I do that?
And if I want to write several lines of text, will I have to indent them all the time ?

That's why I quickly thought the language would need brackets and a symbol to distinguish markup from plain text (I used $).

Slim is somehow what I had imagined at the beginning and it's working!

The above example in Slim would be written as such:

  a href="http://www.google.com" more info
    | hey !

Not so far from what I had in mind :)

If you're not convinced yet, try this html to Slim conversion app on a heavy html page of yours that you can't really understand anymore and you'll see how amazing it is!

comment on this story

Unit Tests in Rails August 2014

I've heard about unit test. They seems to be extremely important for a crypto application, but for a web app? Do I really need them?

mimoo: Hey I'm beginning with Rails, should I worry about unit test yet?
eladmeidar: tests are always important, in fact, it's more important than anything else
mimoo: it seems so boring though
fowlduck: don't bother with tests if you don't want to
fowlduck: remember to be conscious of frustration in pain while you develop, though, and try to figure out ways to avoid it later
fowlduck: you will almost certainly eventually feel frustration due to lack of tests
fowlduck: but wait until you feel it, if you want to
fowlduck: it's a good pain to feel. you don't quickly forget it
fowlduck: I like grapes
eladmeidar: i like grapes too

(extracts from #RubyOnRails on freenode)

comment on this story