david wong

Hey! I'm David, a security engineer at the Blockchain team of Facebook, previously a security consultant for the Cryptography Services of NCC Group. I'm also the author of the Real World Cryptography book. This is my blog about cryptography and security and other related topics that I find interesting.

Quick access to articles on this page:

more on the next page...

Weblang posted April 2014

I've been writing html, xhtml, and now html5 for ages. I think I started in 2001 (13 years ago).

I had to go through <br> becoming <br /> becoming <br> again.

I had to go through different doctypes

I had to go through new divs like <header> and <footer>

But I never had to go through a syntax change. Why is that? I don't understand why HTML is a language based on tags. It is unnecessary and it just adds time and confusion to typing in html. I haven't ran into any project directed at changing that syntax. And I thought, why not doing it myself? (and if there is already such a project please tell me!)

So I thought about a new language to write static web pages called web or weblang. No tags. Indentation. Simple doctype.

A simple index.web would looks like that:

\web:1 // this is a doctype


$title: 'Weblang example';
$css: 'css/app.css';


$header .monheader{
    $h1 "Weblang";

$section #introduction{
    $h2 "What is Weblang?";
    $p "Weblang is an elegant way of writing static webpages"
    "HTML is annoying to write." // there will be a breakline here
        what about just writing text like this,
        it's kinda easier

// what about just writing text
This is a text block, it will just render as text
in this text I want a list here : $ul{
    $li "with text in it";

$ul .links{
        $a "more info" href: 'https://github.com/mimoo/weblang';
    $li $a{
        tags can be chained

$javascript 'js/jquery.js';
$script 'js/script.js' type: 'javascript';

This is just a first draft. The biggest problem is that plain text and code is mixed. The trick I used here is to use $ to tell the render engine that it is not plaintext. Might not be super clever. I need to brainstorm a bit more about this.

Also I need to look at sass' code to see how a compiler works. Seems to be a bunch of regex.


Berlekamp & GO posted April 2014

I knew that my principal cryptography professor Gilles Zémor was a GO player.

Which is pretty amazing in itself :)

But this keeps going on.

I have an algebra class this semester, and I'm trying to understand Berlekamp's algorithm. Trying to find videos on youtube about him I discover that he is as well a go player! And doing researches about the game at that! So cool :D

comment on this story

Ruby, Go, Rust posted April 2014

I've been planning to code my next web project with Ruby on Rails.

But two languages have also been catching my attention. Go and Rust.

And today, I ran into two wonderful websites:

Those websites are so pretty that it just makes me want to read them! Great complement to learnXinYminutes.

Now I just have to find a project to code with these languages =)

comment on this story

Using Google, Facebook (and others?) to DDoS any websites posted April 2014

chr13 has posted a nice finding on how to DDoS a website thanks to services like facebook and google.

It's actually pretty simple!

You just create notes with img tags, facebook will crawl the website to cache the picture.

In his example he writes a thousand img tags per notes, opens all the notes from several browsers.

<img src=http://targetname/file?r=1></img>
<img src=http://targetname/file?r=2></img>
<img src=http://targetname/file?r=1000></img>

Thousands of get request are sent to a single server in a couple of seconds. Total number of facebook servers accessing in parallel is 100+.

The funny thought of facebook DDoSing itself crossed my mind. Interestingly someone else's also and chr13 answered that he hadn't tried:

It’s against the bug bounty rules to do this, hence one has to be careful here. I was only using browsers at first just because of that.

comment on this story

Slides with LaTeX posted April 2014

If you read this blog, you know that recently I gave a talk on bitcoins.

I also gave a talk on whitebox cryptography last week.

One part of giving a talk that a lot of people tend to overlook is making good slides. I've always used Powerpoint for that, but for my last talk on whitebox cryptography I had two other persons on my team. Powerpoint was not an option if we were all working on the same file. LaTeX is the solution.

It's a real text file so you can use a revision control system like git, it's constant in its layout. You configure it at the beginning of the file and then you don't have to worry about it later.

We also had a fight (we were tired) on what theme to used. I went for no theme at all. Because everything else is visual noise.

Here's a great article from Zach Holman on the subject. If you ask me, and I'm not saying my slides are perfect, there are way too many crappy slides out there!

comment on this story

SSTIC 2014 posted April 2014

Symposium sur la sécurité des technologies de l'information et des communications is a 2 day con about security. Entrance is 260€ or 60€ if you're a student, still quite expensive, there seems to be a way of getting a free pass: analyzing a usb trace and extracting a mail from it.

Here's the trace.


here's a usb trace I got from plugging my brand new android to my personnal air-gapped computer.
I'm suspecting that a malware is on my phone. Could you check?

So where do I start...

comment on this story

Lundum Dare about to start posted April 2014

The Lundum Dare is starting in a bit less than 10 hours.

Ludum Dare is an Online Game Jam event where people from around the world create a game in a weekend.

You have 48 hours to produce something good! In what language? I used to watch notch do it in java, but apparently you can do it in whatever language you like.

To reach more participants, web entries are best (Flash, Unity, Flixel, Flashpunk, HTML, etc). They’re quick to start playing, and cross platform.

I need to get into Unity a lot more to get into that kind of contest. Every year I'm telling myself "next year I'll do the lundum dare"....

comment on this story