Hey! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

# Bullrun

## posted November 2013

Bullrun or BULLRUN is a clandestine, highly classified decryption program run by the United States National Security Agency (NSA). The British signals intelligence agency Government Communications Headquarters (GCHQ) has a similar program codenamed Edgehill. According to the NSA's BULLRUN Classification Guide, which was published by The Guardian, BULLRUN is not a Sensitive Compartmented Information (SCI) control system or compartment, but the codeword has to be shown in the classification line, after all other classification and dissemination markings. Information about the program's existence was leaked in 2013 by Edward Snowden.

from https://en.wikipedia.org/wiki/Bullrun_%28decryption_program%29" target="_blank">wikipedia.

comment on this story

# Sudoku Solver

## posted November 2013

My Programmmation class first part is about coding a sudoku solver. We have to do everything in english, we have to commit with svn, we have to write a final report with LaTeX.

Every week we're given some vague guidelines and we have to dive deep into C to first, understand what we have to do, and secondly, find solutions in a language we've never really played with before. We have to turn in what we did every week, if our code doesn't compile it's a zero, if it does compile it goes through a multitude of tests that quickly decrease your grade (out of 20). Let's just say I spent many nights and early mornings coding and I started the first week with a 2/20.

It felt like a crash course, it felt unfair at times, but holy cow did I learn some C in a really short amount of time. Props to my professor for that, and I wish I had more courses like that. I might not get the best grade out of this course but I sure learn the most things there.

I've also committed everything I've done on a public git repo so everyone can see how it looks like here :

https://github.com/mimoo/sudoku

You can compile with make, learn how to use with ./sudoku -h

It can read sudokus of different sizes from 1x1 to 64x64 as long as it is presented like this :

#this is a comment

5 3 _ _ 7 _ _ _ _

6 _ _ 1 9 5 _ _ _

_ 9 8 _ _ _ _ 6 _

8 _ _ _ 6 _ _ _ 3

4 _ _ 8 _ 3 _ _ 1

7 _ _ _ 2 _ _ _ 6

_ 6 _ _ _ _ 2 8 _

_ _ _ 4 1 9 _ _ 5

_ _ _ _ 8 _ _ 7 9

# One more list

## posted November 2013

It's time for a new list of random things I noticed about Bordeaux :

• Many 2€ kebab places. Also, kebab here are made with a Lebanese bread, like a crepe, and not with the half of an Arabic bread like in Lyon.
• It's raining, A LOT. It's raining at least once a week, but usually way more than once a week.
• It's not that cold. I just came back from a week in Lyon and oh my god was it cold there, you can feel winter coming, but in Bordeaux ? Chill, you don't need that jacket.
• There are no Bordelais. Most people I run into come from other places in France. I actually only met one Bordelaise and it was during my first week here.
• The city is really not that big. In 30 minutes you feel like you've seen most of it.
• We have Velov' in Lyon, Velib' in Paris, here it's Vcub. Those free bikes you can rent pretty much anywhere.

# What is it like in Bordeaux?

## posted October 2013

So, I've been living here for a month and here is my list of what it is to live in Bordeaux.

• People say "chocolatine" instead of "pain au chocolat" and "poche" instead of "sac". It's kind of weird, especially when I have to say it, I'm always scared that they can tell I'm not from here, which is a stupid thing to be scared of, I had the same kind of feeling when I was living in Canada or China and didn't have the same accent as the locals, but it's weirder having that feeling in my own country.
• Streets are dirty, really dirty, you will always have to avoid dog poops when you go somewhere. Sidewalks are very small so you also always have to walk directly on the road.
• The city is pretty small. It's easy to get around. But when something is a bit far, it's annoying to get there since there is no subway.
• The public transportation system is horrendous, every morning I have to get squished by a thousand students taking the same tramway, most of the time I miss several trams because there are too many people inside, my personal record is seeing five tram passing without being able to enter them. Pretty annoying.
• Not so much accent here, but people say "gavé" a lot, it means "very". For example "c'était gavé bien hier soir".
comment on this story

# SecureDrop

## posted October 2013

SecureDrop is an open-source whistleblower support system, originally written by Aaron Swartz and now run by the Freedom of the Press Foundation. The first instance of this system was named StrongBox and is being run by the New Yorker. To further add to the naming confusion, Aaron Swartz called the system DeadDrop when he wrote the code.
from Schneier's blog

You can find http://deaddrop.github.io/" target="_blank">the website here and if you have something important to submit and do not want to go through Wikileaks, I think this is the best alternative.

The security audit was done by Schneier himself, who is pretty popular in the cryptography community, the work was started by Aaron Swartz who is also extremly popular, especially since his suicide last year.

comment on this story

# New effort to fully audit TrueCrypt raises \$16,000+ in a few short weeks

## posted October 2013

I just learned that TrueCrypt, the multi-OS solution to encrypt your personal data in a "very easy way" is coded and maintained by ... no one knows. Like bitcoin, the main creators are anonymous. http://www.truecrypt.org/downloads2" target="_blank">The source code is available here but no info about the coders can be found.

It seems like folks are getting a bit worried as TrueCrypt is wildly used, and money is being raised to conduct a security audit on them. http://arstechnica.com/security/2013/10/new-effort-to-fully-audit-truecrypt-raises-over-16000-in-a-few-short-weeks/" target="_blank">More info here.

Now I'm wondering, why is it that those huge cryptographic applications, that are polished and well maintained, are created by anonymous persons? Do they fear they would get pressure from governments? Mafia? Who knows...

comment on this story

# Baidu now accepts bitcoins!

## posted October 2013

It's official, http://www.baidu.com" target="_blank">Baidu, the chinese google, now accepts bitcoins.

"As a cutting-edge IT guy and a professional webmaster, what else can showcase our difference? The answer is that we have Bitcoin! Bitcoin, as a new electronic and digital currency, is being accepted internationally. It's also used in daily lives. You can use Bitcoin buy a cup of coffee, or easily convert it to cash. But in China, Bitcoin is still a fairly new thing. Today, we have a good news: from today, we are starting to officially accept Bitcoin as a payment method. You can use Bitcoin to buy all Baidu Jiasule services. Baidu Jiasule as an innovator in the Internet industry, is now the first cloud service provider to accept Bitcoin and give everyone a better payment method and experience."

The bitcoin who has been remarkably stable these past weeks, even after the silk road shutdown, has increased a bit more since the announcement.

comment on this story

# Elliptic Curve Cryptography (ECC)

## posted October 2013

a great video I bookmarked about ECC.

comment on this story

# Silk Road caught, Tor compromised?

## posted October 2013

Silk Road and its owner have just http://www.reuters.com/article/2013/10/02/crime-silkroad-raid-idUSL1N0HS12C20131002" target="_blank">got caught by the FBI. If you didn't know, silk road (an illegal drug market) was hosted on the Tor network as an onion website, which was suppose to grant him total anonymity. Apparently the catch was made from a stupid human mistake :

1) Located the first reference to "silk road" on the internet. You can find this yourself on Google: "silk road" site:shroomery.org Date range: Jan 1,2011 - Jan 31,2011 * 2) The same username, "altoid", showed up on a bitcointalk days later. 3) Later in 2011 "altoid" made a post on bitcointalk with his email address, containing his real name, in it: https://bitcointalk.org/index.php?topic=47811.msg568744#msg5... If you search the name on Google it doesn't show up, but if you look at the user's page you can see it in his posts.

But some are skeptical, and many seems to think it could have been http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity" target="_blank">the NSA getting into the Tor Network. What do you think?

comment on this story

# RSA-210 has been factored!

## posted October 2013

The https://en.wikipedia.org/wiki/RSA_Factoring_Challenge" target="_blank">RSA Factoring Challenge has had one of its entry factored : RSA-210. More info here.

The RSA Factoring Challenge was a challenge put forward by RSA Laboratories on March 18, 1991 to encourage research into computational number theory and the practical difficulty of factoring large integers and cracking RSA keys used in cryptography. They published a list of semiprimes (numbers with exactly two prime factors) known as the RSA numbers, with a cash prize for the successful factorization of some of them. The smallest of them, a 100 decimal digit number called RSA-100 was factored by April 1, 1991, but many of the bigger numbers have still not been factored and are expected to remain unfactored for quite some time.

The challenge is no longer active, this means no money for this brave Ryan P. And this doesn't mean RSA is less secure so no worries :)

comment on this story

# Dread Pirate Roberts response to Atlantis' shutdown

## posted September 2013

For someone like me who has some money invested in bitcoins and other cryptocoins (especially litecoin), seeing Atlantis rising (a drug market using litecoin as the main currency) was a very good news. Sadly they had to shutdown months after not doing so much for the https://btc-e.com/exchange/ltc_usd" target="_blank">LTC value.

comment on this story

# Start of the school year

## posted September 2013

time table imported to google cal thanks to hackjack's fabulous application
I have at the moment 5 classes which are all taught in french (I guess because there are not enough foreigners this year), but some of them use english for their slides.

### Programmation

Nothing really new to me, some people coming from the same bachelor as I (mathematics) have difficulties getting to know Linux and programming as a whole for the first time. I'm used to coding so I'm pretty confident (I shouldn't relax too much though). We started on a fast-course on C, GCC, Emacs, SVN... and will move on later with Java. It's taught by Emmanuel Fleury who is a very chill professor, good vibe, very easy to talk to. And the best part is that everything he talks about is online here so if you're interested in the course I'm taking you can have a look there. PS: we're learning a bit of LaTeX AND will have to submit final reports in LaTeX. This is great as I have sought a good occasion to learn it for a while. PS2: I'm using LearnXinYminutes.com to get back into C (haven't coded in C for more than 4 years). It's a great website and I recommend it to you if you want to learn something about any language and already have knowledge in programming.

### Théorie de l'information

Taught by the head of the Cryptology Master, Gilles Zemor, the course seems like an introduction to some of the concepts around Cryptography. Our first classes were about Entropy (which I talked about a bit in the previous post) and easy notions of probability. Here are the professor's notes about the course.

### Arithmétique

The only "real" Math course we have, and I'm a bit surprised since this is a "Mathematics" Master". It's essentially about rings, it's about stuff I already learned. Nothing really captivating at the moment.

### Automates et Complexité

This is one of the most intriguing course, people coming from an IT bachelor seem to have no problem with it. I don't really understand the point of learning this but I like it, it's a lot like Regular Expressions and is about logic more than learning concepts by heart. As a programmer it just seems like funny games to me :) (it might get more difficult very quickly). Note : it's taught by Anca Muscholl.

### Réseaux

The only course I had to choose, but we didn't have much choice since they removed half of the available courses including the one I wanted to take (Probability). The course is taught by... it's a rapid introduction about network concept. I'm not really into it, it speaks too briefly about many things, some are interesting, some are not. I was supposed to have an application class but apparently our professor fell asleep on his way (he's narcoleptic). Overall I was surprised by the absence of real "cryptology courses". But the professors told us they would come very quickly in the second semester, so nothing to worry about. comment on this story

# Moving to Bordeaux !

## posted September 2013

I successfully found a new place after less than two weeks of exhausting research. It's a pain looking for a place in Bordeaux, a real pain, and fortunately I'm french (I've seen lots of places that wouldn't take foreigners). But I found a place! After squatting at Amandine's place and at a very cool German guy I met here, I finally found my new home. It's a cozy place in St Michel, the Arab district, it's a very lively area only a few minutes away from the center. The city has been a wonderful experience to me, it's like a miniature Lyon. I'm just minutes away from the bars, from my friends, from the stores AND above all, I don't have to take the subway, which is the worse part of living in a city (or so I think). Classes have started as well but waking up at 8 am everyday is pretty hard (and next to impossible with all the people I'm meeting who want to party every nights). Fortunately, the campus is way cozier than the one of Lyon 1 (which I strongly disliked) and classes never exceed 2 hours (still not the 50 minutes classes of McMaster (Hamilton) but still better than the 3 hours classes of Lyon 1). It's just been two weeks but it feels like I've already spent an eternity here. It's kinda scary knowing that I'll never live again in Lyon, but it's exciting to know that I now have a new home, a new life. comment on this story

# Encryption is less secure than we thought

## posted August 2013

A group of researchers at MIT just http://www.mit.edu/newsoffice/2013/encryption-is-less-secure-than-we-thought-0814.html" target="_blank">released a paper reconsidering a common mathematical assumption in Cryptography. This means, as the title implies, than most encryption systems are less secure than we thought, but not to worry, nowhere is it written the word "insecure" and it might really be negligible.

The problem here seems to be the definition of Entropy used.

In computing, entropy is the randomness collected by an operating system or application for use in cryptography or other uses that require random data. This randomness is often collected from hardware sources, either pre-existing ones such as mouse movements or specially provided randomness generators. The Famous Wikipedia
In information theory, entropy is a measure of the uncertainty in a random variable.[1] In this context, the term usually refers to the Shannon entropy, which quantifies the expected value of the information contained in a message.[2] Entropy is typically measured in bits, nats, or bans.[3] Shannon entropy is the average unpredictability in a random variable, which is equivalent to its information content. Shannon entropy provides an absolute limit on the best possible lossless encoding or compression of any communication, assuming that[4] the communication may be represented as a sequence of independent and identically distributed random variables. The Famous Wikipedia
comment on this story