david wong

Hey! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

Brackets

posted April 2014

I recently advised a colleague to try Brackets since he's learning html, css, etc...

But I've never really used it myself for a project. I've tried it, found it really cool, but never had a chance to start a project with it yet. As I was trying to convince my colleague to give it a try I ran into this cool video from Jeffrey Way the guy who made Tutsplus (and the amazing sublime text tutorial) Check it out!

comment on this story

Fast Fourier Transform

posted April 2014

So, I've learned about Fourier every year in my bachelor of Mathematics and I'm learning about the efficient algorithm dealing with the Fourier Transform in my class of Algebra right now.

I found a really nice video explaining really quick what it is, concretely.

Here's wikipedia way of showing that fourier made by LucasVB, this crazy guy doing all those math gifs you've probably seen before :) more here

There's also a visualization in d3.js here: http://bl.ocks.org/jinroh/7524988

comment on this story

Long polling and webhooks

posted April 2014

I remember reading about how the newly facebook chat was made using long pollings, years ago. Now with HTML5 with have sockets and webhooks made easy. I wonder if they're still using long polling now...

Anyway, Zapier. A start up that is making APIs easy, is writing a lot of interesting tutorials these last few months. Their new Chapter 7 was released and it's about polling and web hooks. And as usual it's great!

https://zapier.com/learn/apis/chapter-7-real-time-communication

comment on this story

OpenSSL is written by monkeys

posted April 2014

After messing around with this code for about a month I decided to write this up for the tubes in the hope that I can save some souls. I have come to the conclusion that OpenSSL is equivalent to monkeys throwing feces at the wall. It is, bar none, the worst library I have ever worked with. I can not believe that the internet is running on such a ridiculous complex and gratuitously stupid piece of code. Since circa 1998 the whole world has been trusting their secure communications to this impenetrable morass that calls itself the "OpenSSL" project. I bet that the doctors that work on that shitshow can not prescribe anything useful either!

worrying essay, read it here: https://www.peereboom.us/assl/assl/html/openssl.html

comment on this story

Heartbleed : serious vulnerability in open SSL

posted April 2014

We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

A pretty bad bug has been found in open SSL during the Codenomicon. more info here: http://heartbleed.com/

List of vulnerable websites from the Alexa top 10,000 websites: https://gist.github.com/dberkholz/10169691

You can test a website here: http://filippo.io/Heartbleed/

And also, if you have a lot of time to waste, this random dude seems to know a lot about it :D

comment on this story

Decentralized Market Place

posted March 2014

Some people from Stanford are planning to build an anonymous market place. As Silk Road as shown, such a project can only fall with time unless it is decentralized. With all the new ideas and technologies coming into place (in protocols such as bitcoins, namecoins (for dns)), they are thinking of applying them for a decentralized market place as well.

More info here: https://mailman.stanford.edu/pipermail/liberationtech/2014-March/013304.html

And a new github repo to watch out for!

https://github.com/goshakkk/decentralized-anonymous-marketplace-concept

comment on this story

WPA2 cracked ?

posted March 2014

They say that this wireless security system might now be breached with relative ease by a malicious attack on a network. They suggest that it is now a matter of urgency that security experts and programmers work together to remove the vulnerabilities in WPA2

it is the de-authentication step in the wireless setup that represents a much more accessible entry point for an intruder with the appropriate hacking tools. As part of their purported security protocols routers using WPA2 must reconnect and re-authenticate devices periodically and share a new key each time.

In the meantime, users should continue to use the strongest encryption protocol available with the most complex password and to limit access to known devices via MAC address.

http://sciencespot.co.uk/wpa2-wireless-security-cracked.html

comment on this story

Just learn Vim

posted March 2014

The editor I'm using the most is Sublime Text 3. It's just super easy to use and super useful when you combine it with the right plugins and snippets.

But I love switching editors. I've used Frontpage, Dreamweaver, PHP Designer, Netbeans, Notepad++... and others I can't remember. I've recently tried the beta of Light Table and Brackets (that is truly amazing!), and I am eagerly waiting for Atom the open source IDE of github.

I also love spending time with Emacs. It's hard to master but I dig the "you don't need a mouse" aspect. One thing I found really annoying though is that most software use Vim by default. Wanting to master emacs, I didn't want to spend time learning Vim as well and I started tweaking the settings so that software X would use emacs by default. And that works well until... But then you run into some complications, for example I'm still trying to figure out how to do a git diff with emacs, or you run into a machine without emacs, and then it's either nano, which is shitty, or something else that is installed on the machine... and vim is (almost?) always installed by default.

So I decided to just learn Vim. And it was actually easier than it sounded and I feel like I'm going to avoid a lot of headaches now. Sometimes it's better to learn and adapt rather than try to use our own tools.

And if you're like me, you'll actually have a lot of fun learning vim :)

comment on this story

Twitter is giving up on encrypting direct messages...

posted March 2014

...At least for now.

This shows how unnecessary encrypting is sometimes. Some people like to encrypt and encrypt everything, and don't consider a solution "usable" if it not fully protected.

I'd argue that twitter has always been a very "public" and "exhibitionist" kind of websites where the private messages have never been a core feature (and it's actually not a really well done message system) and no user is obviously going to use it for "serious" matters. So why spend time encrypting it ?

http://www.theverge.com/2014/3/19/5523656/twitter-gives-up-on-encrypting-direct-messages-at-least-for-now

comment on this story