Hanno Böck: Some tales from TLS posted April 2015

Hanno Böck, the guy who just found Heartbleed with a fuzzer also gave a really interesting talk at EasterHegg a few weeks ago:

How would you detect an Evil Twin attack, especially in a new environment? posted April 2015

An interesting question on security.stackexchange

If two wifi have the same name, and you know one is there for a man in the middle attack, then how can you guess which one it is?

There are a lot of interesting answers, like triangulating the signal to see which one is your modem, or checking the MAC address...

encryption with a one letter XOR? Really? posted April 2015

So there is this app that encrypts your data on your mobile, in case it ends up in the wrong hands. Sounds good. And then there is this guy who took a look at it and figured out the data was just XORed with a 128bit keys consisting of only 4s. If the data is longer than 128bits? Let's not encrypt it!

I don't know how legit it is, especially considering how easy it is to just write aes(something) but here you go

Unix command of the day: Tee posted April 2015

The tee command allow you to write to a file and still display the result in output.

For exemple

ls

display the content of the current folder in stdout (the terminal)

ls > file.txt

saves that in a file file.txt

ls | tee file.txt

saves that in a file file.txt and displays in stdout at the same time

Truecrypt report posted April 2015

Some news about the Truecrypt open audit: the report is out.

The TL;DR is that based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.

Enough with salts? posted April 2015

An update on an old post from 2007 entitled Enough With the Rainbow Tables: What You Need to Know About Secure Password Schemes from Thomas Ptacek. This time from Jeff Jarmoc: Enough With the Salts: Updates on Secure Password Schemes

Breaking beer ciphers posted April 2015

Apparently a beer was made with a cipher on it, and that is the story of one dude breaking it.

It reminds me a bit of the anssi logo challenge (in french).

Thx to my coworker Vitaly for the link!

I'm officialy an intern at Cryptography Services posted April 2015

I haven't been posting for a while, and this is because I was busy looking for a place in Chicago. I finally found it! And I just accomplished my first day at Cryptography Services, or rather at Matasano since I'm in their office, or rather at NCC Group since everything must be complicated :D

I arrived and received a bag of swags along with a brand new macbook pro! That's awesome except for the fact that I spent way too much time trying to understand how to properly use it. A few things I've discovered:

• you can pipe to pbcopy and use pbpaste to play with the clipboard
• open . in the console opens the current directory in Finder (on windows with cygwin I use explorer .)
• in the terminal preference: check "use option as meta key" to have all the unix shortcuts in the terminal (alt+b, ctrl+a, etc...)
• get homebrew to install all the things

I don't know what I'll be blogging about next, because I can't really disclose the work I'll be doing there. But so far the people have been really nice and welcoming, the projects seem to be amazingly interesting (and yeah, I will be working on OpenSSL!! (the audit is public so that I can say :D)). The city is also amazing and I've been really impressed by the food. Every place, every dish and every bite has been a delight :)