Hey! I'm David, the author of the Real-World Cryptography book. I'm a crypto engineer at O(1) Labs on the Mina cryptocurrency, previously I was the security lead for Diem (formerly Libra) at Novi (Facebook), and a security consultant for the Cryptography Services of NCC Group. This is my blog about cryptography and security and other related topics that I find interesting.

more on the next page...

# Bullrun posted November 2013

Bullrun or BULLRUN is a clandestine, highly classified decryption program run by the United States National Security Agency (NSA). The British signals intelligence agency Government Communications Headquarters (GCHQ) has a similar program codenamed Edgehill. According to the NSA's BULLRUN Classification Guide, which was published by The Guardian, BULLRUN is not a Sensitive Compartmented Information (SCI) control system or compartment, but the codeword has to be shown in the classification line, after all other classification and dissemination markings. Information about the program's existence was leaked in 2013 by Edward Snowden.

from https://en.wikipedia.org/wiki/Bullrun_%28decryption_program%29" target="_blank">wikipedia.

comment on this story

# Sudoku Solver posted November 2013

My Programmmation class first part is about coding a sudoku solver. We have to do everything in english, we have to commit with svn, we have to write a final report with LaTeX.

Every week we're given some vague guidelines and we have to dive deep into C to first, understand what we have to do, and secondly, find solutions in a language we've never really played with before. We have to turn in what we did every week, if our code doesn't compile it's a zero, if it does compile it goes through a multitude of tests that quickly decrease your grade (out of 20). Let's just say I spent many nights and early mornings coding and I started the first week with a 2/20.

It felt like a crash course, it felt unfair at times, but holy cow did I learn some C in a really short amount of time. Props to my professor for that, and I wish I had more courses like that. I might not get the best grade out of this course but I sure learn the most things there.

I've also committed everything I've done on a public git repo so everyone can see how it looks like here :

https://github.com/mimoo/sudoku

You can compile with make, learn how to use with ./sudoku -h

It can read sudokus of different sizes from 1x1 to 64x64 as long as it is presented like this :

#this is a comment

5 3 _ _ 7 _ _ _ _

6 _ _ 1 9 5 _ _ _

_ 9 8 _ _ _ _ 6 _

8 _ _ _ 6 _ _ _ 3

4 _ _ 8 _ 3 _ _ 1

7 _ _ _ 2 _ _ _ 6

_ 6 _ _ _ _ 2 8 _

_ _ _ 4 1 9 _ _ 5

_ _ _ _ 8 _ _ 7 9

# One more list posted November 2013

It's time for a new list of random things I noticed about Bordeaux :

• Many 2€ kebab places. Also, kebab here are made with a Lebanese bread, like a crepe, and not with the half of an Arabic bread like in Lyon.
• It's raining, A LOT. It's raining at least once a week, but usually way more than once a week.
• It's not that cold. I just came back from a week in Lyon and oh my god was it cold there, you can feel winter coming, but in Bordeaux ? Chill, you don't need that jacket.
• There are no Bordelais. Most people I run into come from other places in France. I actually only met one Bordelaise and it was during my first week here.
• The city is really not that big. In 30 minutes you feel like you've seen most of it.
• We have Velov' in Lyon, Velib' in Paris, here it's Vcub. Those free bikes you can rent pretty much anywhere.

# What is it like in Bordeaux? posted October 2013

So, I've been living here for a month and here is my list of what it is to live in Bordeaux.

• People say "chocolatine" instead of "pain au chocolat" and "poche" instead of "sac". It's kind of weird, especially when I have to say it, I'm always scared that they can tell I'm not from here, which is a stupid thing to be scared of, I had the same kind of feeling when I was living in Canada or China and didn't have the same accent as the locals, but it's weirder having that feeling in my own country.
• Streets are dirty, really dirty, you will always have to avoid dog poops when you go somewhere. Sidewalks are very small so you also always have to walk directly on the road.
• The city is pretty small. It's easy to get around. But when something is a bit far, it's annoying to get there since there is no subway.
• The public transportation system is horrendous, every morning I have to get squished by a thousand students taking the same tramway, most of the time I miss several trams because there are too many people inside, my personal record is seeing five tram passing without being able to enter them. Pretty annoying.
• Not so much accent here, but people say "gavé" a lot, it means "very". For example "c'était gavé bien hier soir".
comment on this story

# SecureDrop posted October 2013

SecureDrop is an open-source whistleblower support system, originally written by Aaron Swartz and now run by the Freedom of the Press Foundation. The first instance of this system was named StrongBox and is being run by the New Yorker. To further add to the naming confusion, Aaron Swartz called the system DeadDrop when he wrote the code.
from Schneier's blog

You can find http://deaddrop.github.io/" target="_blank">the website here and if you have something important to submit and do not want to go through Wikileaks, I think this is the best alternative.

The security audit was done by Schneier himself, who is pretty popular in the cryptography community, the work was started by Aaron Swartz who is also extremly popular, especially since his suicide last year.

comment on this story

# New effort to fully audit TrueCrypt raises \$16,000+ in a few short weeks posted October 2013

I just learned that TrueCrypt, the multi-OS solution to encrypt your personal data in a "very easy way" is coded and maintained by ... no one knows. Like bitcoin, the main creators are anonymous. http://www.truecrypt.org/downloads2" target="_blank">The source code is available here but no info about the coders can be found.

It seems like folks are getting a bit worried as TrueCrypt is wildly used, and money is being raised to conduct a security audit on them. http://arstechnica.com/security/2013/10/new-effort-to-fully-audit-truecrypt-raises-over-16000-in-a-few-short-weeks/" target="_blank">More info here.

Now I'm wondering, why is it that those huge cryptographic applications, that are polished and well maintained, are created by anonymous persons? Do they fear they would get pressure from governments? Mafia? Who knows...

comment on this story