After messing around with this code for about a month I decided to write this up for the tubes in the hope that I can save some souls. I have come to the conclusion that OpenSSL is equivalent to monkeys throwing feces at the wall. It is, bar none, the worst library I have ever worked with. I can not believe that the internet is running on such a ridiculous complex and gratuitously stupid piece of code. Since circa 1998 the whole world has been trusting their secure communications to this impenetrable morass that calls itself the "OpenSSL" project. I bet that the doctors that work on that shitshow can not prescribe anything useful either!
worrying essay, read it here: https://www.peereboom.us/assl/assl/html/openssl.html
We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.
A pretty bad bug has been found in open SSL during the Codenomicon. more info here: http://heartbleed.com/
List of vulnerable websites from the Alexa top 10,000 websites: https://gist.github.com/dberkholz/10169691
You can test a website here: http://filippo.io/Heartbleed/
And also, if you have a lot of time to waste, this random dude seems to know a lot about it :D
A great article from AskAmathematician about true randomness.
The question is actually geared towards physicists and the tl;dr is: true randomness exists. Take that causality believers.
And as I expected, the experience to prove this is done with photons:
posted April 2014
I just gave a talk about bitcoins at my uni, here are the slides
Some people from Stanford are planning to build an anonymous market place. As Silk Road as shown, such a project can only fall with time unless it is decentralized. With all the new ideas and technologies coming into place (in protocols such as bitcoins, namecoins (for dns)), they are thinking of applying them for a decentralized market place as well.
More info here: https://mailman.stanford.edu/pipermail/liberationtech/2014-March/013304.html
And a new github repo to watch out for!
They say that this wireless security system might now be breached with relative ease by a malicious attack on a network. They suggest that it is now a matter of urgency that security experts and programmers work together to remove the vulnerabilities in WPA2
it is the de-authentication step in the wireless setup that represents a much more accessible entry point for an intruder with the appropriate hacking tools. As part of their purported security protocols routers using WPA2 must reconnect and re-authenticate devices periodically and share a new key each time.
In the meantime, users should continue to use the strongest encryption protocol available with the most complex password and to limit access to known devices via MAC address.
they allowed "file://" to be fetched from their servers when they should have restricted it to "http(s)://"
- they were using servers that were part of a network to do some private stuff, didn't filter those ips, people on the same network could perform those tasks.
The editor I'm using the most is Sublime Text 3. It's just super easy to use and super useful when you combine it with the right plugins and snippets.
But I love switching editors. I've used Frontpage, Dreamweaver, PHP Designer, Netbeans, Notepad++... and others I can't remember. I've recently tried the beta of Light Table and Brackets (that is truly amazing!), and I am eagerly waiting for Atom the open source IDE of github.
I also love spending time with Emacs. It's hard to master but I dig the "you don't need a mouse" aspect. One thing I found really annoying though is that most software use Vim by default. Wanting to master emacs, I didn't want to spend time learning Vim as well and I started tweaking the settings so that software X would use emacs by default. And that works well until... But then you run into some complications, for example I'm still trying to figure out how to do a git diff with emacs, or you run into a machine without emacs, and then it's either nano, which is shitty, or something else that is installed on the machine... and vim is (almost?) always installed by default.
So I decided to just learn Vim. And it was actually easier than it sounded and I feel like I'm going to avoid a lot of headaches now. Sometimes it's better to learn and adapt rather than try to use our own tools.
And if you're like me, you'll actually have a lot of fun learning vim :)
I run into a lot of great reads these days, so let me share one more with you,
Jean-Baptiste Quéru tries to explain how deep it goes when you just query google.com in your browser.
...At least for now.
This shows how unnecessary encrypting is sometimes. Some people like to encrypt and encrypt everything, and don't consider a solution "usable" if it not fully protected.
I'd argue that twitter has always been a very "public" and "exhibitionist" kind of websites where the private messages have never been a core feature (and it's actually not a really well done message system) and no user is obviously going to use it for "serious" matters. So why spend time encrypting it ?
Wife: You mean http like the beginning of what I type into the browser?
Ryan: Yeah. That first part tells the browser what protocol to use. That stuff you type in there is one of the most important breakthroughs in the history of computing.
I was very confused when I was introduced to signatures and macs because I thought they were just Hashes. I got to understand what it was and... it's actually super simple.
Here's a great explanation on the crypto stackexchange but here's mine:
- I have a huuuge message that I want to transfer to a friend. I'm scared some of the words would change during transit. Solution? I just hash it and send the hash with the message.
hash = Hash(message). A hash is pretty small (for example a md5 hash is 32 characters) so it's no trouble.
My friend then receives the message and the hash, he can
Hash(message) it and see if it gives him the same hash. If it doesn't then he knows that the message was changed and he can ask me for a new copy.
You can also call that an unkeyed hash, simply because it doesn't use a key. You just apply the algorithm to the message, no other arguments are given to the hash function.
- Okay now, We had some problems because some bad guy has sent numerous bad messages to my friends pretending he was me. I still want to hash my message but I also want to tell my friend it was me who wrote it.
So, like a symmetric cipher, I generate a key that I share with my friend. And I hash my message with that key
Hash = HMAC(key, message). My friend can now hash it with the same key when he receives the message and see that we have the same hash.
We just used a (symmetric) keyed hash or a HMAC (Hash-based message authentication code). Note that we could have used a MAC based on a Cipher as well (CMAC).
- So me and my friend have been writing many messages to a community of coders. We want to sign each messages with our name, but that's not enough, another bad guy is posting bad stuff signed with our names on different websites. So let's use a Hash that people can verify, like an asymmetric cipher, we generate both a secret key and a public key, we hash the message with our secret key and we post the message, the hash and the public key.
Hash = Sign(secret_key, message). People can then verifiy that Hash with the public key. Voila ! We just used a Signature or how I like to call them a asymmetric keyed hash. It allows for integrity of data, thanks to the hash, authentification of the authors, thanks to the secret key (this is a MAC), non-repudiation thanks to the public key (and now we have a signature).
So if you got it right, Hash < Mac < Signature. They're all useful and you should use the one relevant according to the context.
I'll just copypasta the table on the stackoverflow answer, because it's a real nice summary:
Cryptographic primitive | Hash | MAC | Digital
Security Goal | | | signature
Integrity | Yes | Yes | Yes
Authentication | No | Yes | Yes
Non-repudiation | No | No | Yes
Kind of keys | none | symmetric | asymmetric
| | keys | keys
I wanted something I could display on my TV continuously, I think I did a pretty good job.
I have two invites for the new IDE by github. I can't try it because I don't own a mac and there are no versions for windows at the moment (not even linux). Weird, but eh, if you own a mac and want an invite just ask me in the comments !
I won't link to the article because it's just a plain DOX and way too creepy for my blog, but the creator of bitcoin has been found.