david wong

Hey ! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

塞翁失马 December 2013

ran into that fable, made me think of bitcoins and litecoins.

A farmer had only one horse. One day, his horse ran away. All the neighbors came by saying, “I'm so sorry. This is such bad news. You must be so upset.” The man just said, “We'll see.” A few days later, his horse came back with twenty wild horses following. The man and his son corraled all 21 horses. All the neighbors came by saying, “Congratulations! This is such good news. You must be so happy!” The man just said, “We'll see.” One of the wild horses kicked the man's only son, breaking both his legs. All the neighbors came by saying, “I'm so sorry. This is such bad news. You must be so upset.” The man just said, “We'll see.” The country went to war, and every able-bodied young man was drafted to fight. The war was terrible and killed every young man, but the farmer's son was spared, since his broken legs prevented him from being drafted. All the neighbors came by saying, “Congratulations! This is such good news. You must be so happy!” The man just said, “We'll see.”
comment on this story

Someone Bought A Tesla Using Bitcoin December 2013

Here it is, Lamborghini is now accepting bitcoins and the first purchase was made for a Tesla.

"Lamborghini Newport Beach is proud to announce that we are fully capable of accepting Bitcoin as legal tender for vehicles, We are excited to be opening the door to this new currency."
more info here comment on this story

Have you been pwned? December 2013

HaveIbeenPwned.com is a new website allowing you to check if your mail + password has been leak by some of those famous data breach. It's pretty bad, mine is compromised. Fortunately I use different passwords for different kind of websites. I use a garbage password for websites I don't trust, I use an easy and quick password to type for websites I don't care about, I use complicated password for more important things like my server, my steam account, my gmail account, my facebook account etc... and I regularly change them. comment on this story

What are litecoins? December 2013

WhatAreLitecoins.com is a new website that's looking to get litcoins to the public. The site looks really nice and it makes me want to do something about bitcoins. I think my next project will be a litecoin chart. I wish I had the qualifications to do a litecoin market but security wise and technically wise it seems really difficult at my level. comment on this story

Sheep Market Place creator revealed? December 2013

Apparently things are going pretty bad for one of Silk Road's replacement : http://www.reddit.com/r/SheepMarketplace/comments/1ru2kw/sheep_is_down_admin_blames_user_ebook101_for_scam/" target="_blank">Sheep Market place is scamming its users.

Also, the creator might have been found. I'm not a big fan of posting personal info so I'll just post this http://pastebin.com/raw.php?i=9spTATw6" target="_blank">message

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 2 November 2013, I was contacted on IRC by a pseudonymous chatter, "an anonymous security hobbyist". He said he had some information for me if I would swear to keep it secret. I agreed as long as it didn't involve violence like hitmen. He had been impressed by [my bet against Sheep & BMR](http://www.reddit.com/r/SilkRoad/comments/1pko9y/the_bet_bmr_and_sheep_to_die_in_a_year/) and agreed with me that the official Sheep story about `sheepmarketplace.com` was too stupid for words, and wanted to share the info with me. He then told me he had just finished researching Sheep Marketplace and was highly confident that the operator was a Czech programmer by the name of "Tomáš Ji?ikovský", and further, earlier that day he had mailed off his results to the FBI. (He also claimed credit for the BMR & PBF leaks.) After reading through his results, checking some of the links to see if they were as described, agreeing with him that Tomas matches the profile for the Sheep operator uncannily well, and reflecting how stupid I was to not look harder at sheepmarketplace.com because as soon as you see the forum posts where Tomas complains about the problems of running a Bitcoin-using hidden service it's completely obvious that Tomas=Sheep, I suggested he contact Tomas. He declined, saying he didn't want to spook Tomas (he is not a big fan of drugs), although he agreed I could release the results within 7 months. The most I managed to get out of him was permission to [post a cryptographic hash precommitment](http://www.reddit.com/r/SilkRoad/comments/1ptd6b/precommitment_proof_of_knowledge_about_a/): $ echo 'Sheep Marketplace was founded and run by Tomáš Ji?ikovský (random nonce: 19093)' | sha512sum 43a4c3b7d0a0654e1919ad6e7cbfa6f8d41bcce8f1320fbe511b6d7c38609ce5a2d39328e02e9777b339152987ea02b3f8adb57d84377fa7ccb708658b7d2edc - I was as precise as I could be at the time; saying it was a precommitment to Tomas's identity would have clearly breached the agreement. Anyway, I took his notes, made copies of all the webpages linked in, and prepared a single compilation in MAFF format: https://dl.dropboxusercontent.com/u/182368464/2013-11-03-sheepmarketplace-doxxing.maff The basic overview of the findings: 1. Tomas owns the hosting service for the sheepmarketplace.com VPS server. There were very few domains hosted there as well, and he controlled several of them. 2. The site itself seemed to be very closely connected to SMP, using the same basic technologies and possibly a non-public API 3. The official excuse does not wash as sheepmarketplace.com was set up not long after SMP itself 4. Tomas is the earliest known promoter of SMP (1 February 2013), and recommened SMP & BMR over Silk Road (11 April 2013) 5. Tomas is a C++ QT Nette Framework Czech developer who runs Ubuntu, exactly like the SMP developer 6. Tomas has complained about the memory demand of `bitcoind` on a VPS server, and discussed the difficulties of functionality like email from hidden services 7. Tomas or his girlfriend are active users of Tor, as evidenced by screenshots of their computer 8. it's not clear what Tomas's current job is 9. but it is clear that as of October, he was working on an e-commerce site which was having problems with buggy accounting of deposits 10. Tomas posted a .htaccess file which has the same (buggy) functionality as that of SMP 11. He is an accused Bitcoin scammer A few of these could be explained as coincidence. But all of them? At this point, I would rate Tomas as >75% likely to be involved with SMP in some fashion. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iEYEAREKAAYFAlKaXN8ACgkQvpDo5Pfl1oJ+HwCgnQmvBZFTHkzDEHzayEmrTnjB d+oAnjK0a0UFDwg+wAvkDxsjer6w8rXl =tYBY -----END PGP SIGNATURE-----/

poster is http://www.gwern.net/" target="_blank">gwern, http://www.reddit.com/r/SilkRoad/comments/1ptd6b/precommitment_proof_of_knowledge_about_a/" target="_blank">more info on reddit.

comment on this story

Canal discret sans mémoire November 2013

In my quest to better support to learn, I've again stumbled into a complicated, badly explained and unclear paper from my prof about discreet and time-memoryless channels.

Although it might be just me, but when I don't understand something from one source I like to diversify, and papers from Polytechnique (in french) are always a good snack :

http://www.enseignement.polytechnique.fr/profs/informatique/Nicolas.Sendrier/TI/cours6.pdf comment on this story

Claude Shannon November 2013

Learning about Shannon's theorem in class I got curious and googled the guy.

One extract I found interesting in his wikipedia biography :

Shannon and his wife Betty also used to go on weekends to Las Vegas with M.I.T. mathematician Ed Thorp, and made very successful forays in blackjack using game theory type methods co-developed with fellow Bell Labs associate, physicist John L. Kelly Jr. based on principles of information theory. They made a fortune, as detailed in the book Fortune's Formula by William Poundstone and corroborated by the writings of Elwyn Berlekamp, Kelly's research assistant in 1960 and 1962. Shannon and Thorp also applied the same theory, later known as the Kelly criterion, to the stock market with even better results. Claude Shannon's card count techniques were explained in Bringing Down the House, the best-selling book published in 2003 about the MIT Blackjack Team by Ben Mezrich. In 2008, the book was adapted into a drama film titled 21.

Apart for inventing most of cryptography concepts, and doing chess IA, he also made a fortune from gambling and playing with stocks. Interesting.

comment on this story

bordeaux1 url November 2013

My portfolio/vitrine/online resume... call it what you want, which is available on davidwong.fr, is now available on david.wong.emi.u-bordeaux1.fr as well. I thought that was pretty cool to have a bordeaux1.fr url. I think I can also have a univ-lyon1.fr since my account is still active but I can't be bothered looking at where it is.

Anyway, just this small piece of news in the ocean of bitcoin/litecoin news I've been posting here. Exams are coming soon and I should blog more about them than cryptocoins but yeah...

comment on this story

To the moon November 2013

There we are, bitcoins reached the 1000$/btc bar. We are living history. The price of 1mBTC is 1$ now. I don't know what to think anymore. I've been following bitcoins since they were bellow 20$. Reading everything on /r/bitcoin and HN. I would never have imagined that. comment on this story

Bitecoin and Litecoin reach a new peak! November 2013

Bitcoin reached 877$/bitcoin today. I had 11 bitcoins that I bought for 450$ in total (40$/bitcoin) and which I lost trading and losing my wallet as well. I'm raging every time I think of the free holidays I could have paid myself with them.

But not all is lost, I have some litecoins and they just reached a peak of 14$ / litecoin. They're following bitcoins' rate closely and they're just waiting to become "mainstream" as well to boom.

Fingers crossed.

comment on this story

Satoshi's original paper on Bitcoin November 2013

8 pages of simple explanations

and a "explain me like I'm 5" post on http://www.reddit.com/r/Bitcoin/comments/1reu69/if_you_have_not_read_satoshi_nakamotos_original/cdmlnfd?context=1" target="_blank">reddit :

Bitcoin is a giant public ledger saying who sent what coins to whom. People have private keys, which they use to sign coin transfers. It's easy to verify signatures. That way only you can give away your coins. But that doesn't prevent you from giving the same coins to multiple people. For that we have the ledger, which puts all the transfers in a particular order that everyone agrees on so you can't pay someone with coins you already spent. Transactions are published on a p2p network. To put them in order, people take sets of transactions, add a random number, and make a cryptographic hash of the whole thing. (Feed data into a hash function and you get an unpredictable number.) If the hash is a low enough number it's a valid block and it becomes part of the blockchain. If it's too high, you change the random number and try again. The block also includes the hash of the previous block, so that puts everything in sequence. It takes a lot of tries to get a low-enough number, so only one block is published every ten minutes or so, by some random person who got lucky. This puts everything in order. It's expensive to do that, so when someone successfully generates a block, they get paid by a special bitcoin transaction that awards them some brand-new coins. That's mining.
comment on this story

Newegg trial: Crypto legend takes the stand, goes for knockout patent punch November 2013

"We've heard a good bit in this courtroom about public key encryption," said Albright. "Are you familiar with that?" "Yes, I am," said Diffie, in what surely qualified as the biggest understatement of the trial. "And how is it that you're familiar with public key encryption?" "I invented it."

A nice piece of journalism about how Diffie stood out in court to "knock out the Jones patent with "clear and convincing" evidence (which is the standard for invalidating a patent).".

Learning more about the guy who is behind the Diffie-Hellman">http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange">Diffie-Hellman handshake.

more info here comment on this story

Done! November 2013

So after a long night staying up and coding I finally handed in my project including my report in LaTeX.

I'm not really proud of what I did, I felt like I could have done much better if given more time (okay I slacked and I had enough time).

BUT, as I already said earlier, I've accomplished a lot and even though I'm done with this project I still kinda want to keep working on it.

Things that I've learned doing this class :

  • C is awful. But now I know the basics. I wish we had one more project to code in C to really get it though.
  • Makefile? Headers? I still don't really get the structure of a C project (and I'm ashamed).
  • I know Linux! Okay I don't know Linux that much, but I'm getting really causy there. I installed debian on a VM and I'm considering setting up a dual boot on my laptop now.
  • Emacs emacs! I was postponing learning it because I was afraid, and just forced myself to use it for this project and goshh am I fast when I use it. When I go back to Sublime Text I just want to C-M-F, C-A, C-K, C-Y...
  • LaTeX! As a Math major I've always been ashamed not knowing it. Now that I got a taste of it I'm wondering if I should use it to write my book on.
  • Svn and Git. I'm not a stranger anymore! And I use them for all my websites as well now :)

I think that's it, but I feel like I've learned a lot and I wished this course was a year thing rather than a semester thing.

The course is not over yet though and next week we'll dive into java for... a quick swim since it will be our last week.

comment on this story