I stumbled on this funny job post from jeff jarmoc:
This thread will, no doubt, be dominated by posts with laundry lists of requirements. Many employers will introduce themselves by describing what they want from you. At Matasano, we're a little different. We like to start by telling you about us. This month, I want to try to do that by drawing analogy to Mission Impossible.
What made the original show so great is exactly what was lost in the 'Tom Cruise takes on the world' reboot. The original 1960's and 70's Mission Impossible was defined primarily by a team working together against all odds to achieve their objective. It acknowledged that what they were doing was improbable, and more so for a solo James Bond or Tom Cruise character. As a team though, each character an expert in their particular focus area, the incredible became credible -- the impossible, possible.
the rest is here: https://news.ycombinator.com/item?id=9127813
If you're up to date on crypto news you will tell me I'm slow. But here it is, my favorite explanation of the recent Freak Attack is the one from Matthew Green here
TLS uses a cipher suite during the handshake so that old machines can still chat with new machines that use new protocols. In this list of ciphers there is one called "export suite" that is a 512bits RSA public key. It was made by the government back then to spy on foreigners since 512bits is "easy" to factor.
The vulnerability comes from the fact that you can still ask a server to use that 512bits public key (even though it should have been removed a long time ago). This allows you to make a man in the middle attack where you don't have to possess a spoofed certificate. You can just change the cipher request of the client during the handshake so that he would ask for that 512bits key. 36% of the servers out there would accept that and reply with such a key. From here if we are in the middle we can just factor the key and use that to generate our own private key and see all the following exchange in clear.
More info here
someone asked on Quora: What can I learn/know right now in 10 minutes that will be useful for the rest of my life?
And someone delivered! It's called the peg method, and it allows you to remember words in the long term really quickly. I knew about other techniques like creating a story where each words is like a double linked list of event or using each words as obstacles in a mental path. But this one seems way more useful and practical. But contrary to the other techniques, you have to memorize a few things before being able to use it:
I know it's not cryptography :) but from the header:
This is my blog about cryptography and security and other related topics that I find interesting.
posted March 2015
KASUMI is a block cipher used in UMTS, GSM, and GPRS mobile communications systems. In UMTS, KASUMI is used in the confidentiality (f8) and integrity algorithms (f9) with names UEA1 and UIA1, respectively. In GSM, KASUMI is used in the A5/3 key stream generator and in GPRS in the GEA3 key stream generator.
(and Katsumi/Katsuni is a very famous french porn actress)
In 2004, Cory Doctorow wrote about Schneier's law:
...what I think of as Schneier's Law: "any person can invent a security system so clever that she or he can't think of how to break it."
It's pretty old but 4 years ago Schneier wrote a bit about the story behind it: check it out here.
AVG will reveal its new product: Invisibility glasses at pepcom barcelona.
It seems to be some kind of glasses you wear so that cameras and facial recognition softwares won't recognize you, it works by displaying lights that are only visible to cameras and not human eyes
A long time ago, I think around 2007, I got violently addicted to RSS. I was subscribed to hundreds of different blogs about design, tech, web... One new story would pop in my feed every 5 minutes. I had to read everything and I felt stressed all the time. Clicking, reading, clicking, reading... If I wasn't in front of my computer I felt like I was missing out. I then decided to remove my RSS reader software and never touched a feed again. And for the past years my browsing habits have mostly narrowed down to hackernews and a reddit without any default subs. But now that I am studying crypto, I wanted to get more immersed in this world and I had the idea of using my tendency to get addicted for a good purpose. So I tried the latest recommended RSS readers (since google reader doesn't exist anymore) and I subscribed to every crypto/security blog I could find and I started reading. And since, I've been reading a lot. So I guess it works! I've been using Digg Reader mostly because of the ios app that is really good and also because when I have nothing to read I can dig into what's on my twitter.
I have collected a list of 60 blogs about cryptography and security. If you feel like one is missing or one shouldn't be here please tell me! The list is here
Here's the list if you hate RSS:
A realy entertaining piece by Errata Security where Robert Graham ghetto reverse the current controversial superfish of Lenovo.
(if you have been living under a rock
The goal is to set the right break point before it actually infects your machine -- reversers have been known to infect themselves this way.
his ghetto way of reversing is first to infect himself with the "virus" and then using procdump to dump the process memory. Then dumping all the strings that the memory contains with the tool
strings and voila. You have have the private certificate in the clear.
But the private certificate is protected by a passphrase. But apparently not, it was just protected by a password contained in the memory in clear as well...
I advise you to read the article, it comes with screenshots and nice commands that use text processing tools:
grep "^[a-z]*$" super.txt | sort | uniq > super.dict
spoiler alert, the password to protect the certificate is komodia the name of the company who created this mitm adware.
Note that if they would have used an RSA whitebox this would not have happened... so quickly.