david wong

Hey ! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

Bitcoin Exchanges Under ‘Massive and Concerted Attack’ February 2014

The transaction malleability problem which troubled Mtgox a few days ago has also made Bitstamp shutdown.

Apparently a large scale attack using this problem is going on on multiple exchanges.

Antonopoulos, who is the chief security officer of Blockchain.info, said a DDoS attack is taking Bitcoin’s transaction malleability problem and applying it to many transactions in the network, simultaneously.

The article on coindesk here

It's interesting to watch actually, submit a transaction to the network at the moment and there's a rogue node that will mess with the padding of the signatures and rebroadcast it faster than the original. It confuses the reference client into duplicate display, which is what Gox is relying on for the failed/success display. That they're winning races over the normal related transactions isn't that unnatural as the transaction processing stuff has a 100ms sleep() in the middle of it.

From the discussion over at HN

PS : apparemment l'erreur a été corrigé il y a un an sur le client bitcoin officiel ici

comment on this story

Mtgox statement and transaction malleability February 2014

Mtgox, which is frozen while it is trying to fix its problems, has issued a press released explaining what is the problem

Bitcoin transactions are subject to a design issue that has been largely ignored, while known to at least a part of the Bitcoin core developers and mentioned on the BitcoinTalk forums. This defect, known as "transaction malleability" makes it possible for a third party to alter the hash of any freshly issued transaction without invalidating the signature, hence resulting in a similar transaction under a different hash. Of course only one of the two transactions can be validated. However, if the party who altered the transaction is fast enough, for example with a direct connection to different mining pools, or has even a small amount of mining power, it can easily cause the transaction hash alteration to be committed to the blockchain.

thread on bitcointalk forum

comment on this story

Manually making a transaction in bitcoins February 2014

Ken Shirriff has posted an amazing post on his blog on how he managed to manually make (meaning, he didn't use the official bitcoin application) a transaction in the bitcoin ecosystem.

I'm reading through it as I'm typing this, and it's really well explained, you get to see exactly what he does in Python and there are pictures!

you can read it here

comment on this story

How I Lost My $50,000 Twitter Username January 2014

So this guy owned @N on twitter and got extorted his account by a phishing attack. The story is well written and you should read it here : https://medium.com/p/24eb09e026dd

but for a tl;dr the attacker called his paypal account to ask them for his credit card's last 4 digits. Then he called godaddy to ask them to reset the password. They only asked him for the 2 first digits and the last 4s. The attacker just had to guess the 2 first digits (and he did it on the first try, he could have kept calling and trying otherwise).

Now that he had @N's domain's name, he could now see his emails. Took over @N's facebook account and started mailing him "threats".

It's pretty crazy how easy phishing is.

comment on this story

Initial Permutations in DES January 2014

I have to code a whitebox using DES encryption in a class. Which is pretty cool (I would have prefered doing it with AES but the other group got tails and we got heads).

Here is where the Stanford course I passed on Coursera shines. The explanation of DES on it is brilliant. I was wondering about the initial and final permutations that occurs in the algorithm though and Dan Boneh doesn't really talk about it besides saying it's not for cryptographic purposes.

I found a solution on a new sub-stackoverflow dedicated to Cryptography : http://crypto.stackexchange.com/questions/3/what-are-the-benefits-of-the-two-permutation-tables-in-des

comment on this story

What is the best tool? December 2013

Constantly, when I start a new project, I try to look for better tools to do the job.

Lately I've been using CodeIgniter as a PHP MVC, jQuery as a javascript library, Bootstrap as a blueprint and TWIG as a template engine.

I've been noticing numerous people from the CodeIgniter community moving to Laravel, which seems to be pretty awesome. So I look at Laravel, and I think to myself "gosh this looks fun to learn, but I don't have time and I have a lot of projects in mind". And then as I read more and more about Laravel, I see people talking about how RoR is better. And then about how Django is better... This seems like a never ending search for a better technology.

I read somewhere that good coders code, great coders re-use. And more importantly, amazing coders ship. I have to ship code, I have to be productive, and I don't think I should be wasting too much time learning new technologies.

The difficult thing is to judge whether or not the time wasted in learning a new technology would be less than the time wasted coding with an outdated one.

So I want to learn, and I want to ship. And it's hard to do both.

comment on this story

Monty Hall visualization December 2013

monty hall

The Monty Hall problem is to me one of the most fascinating probability problem (for it's simpleness and unintuitive results) that got my mind blown since I learned about it in high school.

One day in high school, in my Math class, the teacher told us about that famous problem. Monty Hall was an old and popular TV show in the states were you had to choose a door to open from three different ones. Behind one of them was a car, behind the two others were goats. Obviously, the goal of the game was to win the car (except if you were really into goats, but then I guess you could have bought a lot of those with a car).

Anyway, the tricky part was that when you made a choice, the host asked you to wait before opening it and would open another door, revealing a goat. Then he would give you the opportunity to waive your initial choice and swap door one last time.

Here lies the probability problem. Do you think you would have more chance of winning if you changed your choice?

My math teacher said yes, and I could not believe that, I remember loudly objecting, telling the teacher it was not possible, that it was not logical. I declined what seemed grotesque at the time, I refused to acknowledge such an unintuitive result, such a simple thing, my brain could do the calculation easily so why would you tell me I was wrong on such a trivial thing.

But yes, I was wrong. I knew I was wrong. I was upset at my own mind. I didn't understand how I could be so convinced that changing choice wouldn't change my chances of winning the car. The problem was simple, so simple. And yet my mind couldn't make its way around it.

After many years of training my brain to think differently about probabilities, I can know see how this problem works. 7 years after my first introduction to this problem, I can now grasp a part of it. I understand it, I know the probabilities enrolled in the resolution of this problem, I've learned them at uni and I made the effort to think about that problem quite a lot during those last years. I actually often ask that problem to my friends, to blow their mind. But still, 7 years after being introduced to that problem, I still have troubles finding its probabilities "natural". My brain still cannot process the fact that it HAS to work that way, that the world is turning in that direction and no others.

I hope I didn't send you to sleep with this. If you want to know more about the mathematician who published this result and got insulted by numerous math PHD for being wrong, you can take a stroll on the wikipedia page.

My technique to wire my brain on the right path? Thinking about a hundred doors, 1 car, 99 goats. I open one door, the host closes 98 others. It feels easier to process when told this way, but there is still a part of me, somewhere, that tells me it wouldn't change a thing. Even with 98 doors opened. What is wrong with my brain?

If you still don't believe me, there is a short and visually clear explanation here.

PS: this is one of my go to when I want to be amazed at how unintuitive or how little we know about how things work. If you like that kind of thing, you can also check the twin paradox or the biography of Milton H. Erickson.

comment on this story