david wong

Hey ! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

Cameron Winklevoss AMA on Reddit December 2013

winklevoss

There's an AMA on reddit right now from one of the Winklevoss brother. If you never heard of them, they were the one who originally came up with the idea of facebook but got it stolen after trying to hire Zuckerberg to code it. They're pretty famous in the bitcoin community for having bought 11million $ of bitcoins before April's big crash. The wonderful thing is, they hold on to their bitcoin during the crash. They must be very clever people because they're now, richer than ever.

Some of the interesting stuff from that AMA :

Have he sold any bitcoin?

I have yet to sell a single bitcoin.

What's the future of bitcoins?

small bull case scenario for Bitcoin is a 400 billion USD dollar market cap, so 40,000 USD a coin, but I believe it could be much larger. When this will happen, if it happens, I don't know, but if it happens, it will probably happen much faster than anyone imagines.

How did he learn about bitcoins?

Partying on a beach in Ibiza, where else?

Other altcoins?

I have not invested in any altcoins because I don't believe that any of the "problems" or issues that they address can't be addressed by Bitcoin itself.

There is a dog coin that seems to be a big joke : www.dogecoin.org

░░░░░░░░░▄░░░░░░░░░░░░░░▄░░░░ ░░░░░░░░▌▒█░░░░░░░░░░░▄▀▒▌░░░ ░░░░░░░░▌▒▒█░░░░░░░░▄▀▒▒▒▐░░░ ░░░░░░░▐▄▀▒▒▀▀▀▀▄▄▄▀▒▒▒▒▒▐░░░ ░░░░░▄▄▀▒░▒▒▒▒▒▒▒▒▒█▒▒▄█▒▐░░░ ░░░▄▀▒▒▒░░░▒▒▒░░░▒▒▒▀██▀▒▌░░░ ░░▐▒▒▒▄▄▒▒▒▒░░░▒▒▒▒▒▒▒▀▄▒▒▌░░ ░░▌░░▌█▀▒▒▒▒▒▄▀█▄▒▒▒▒▒▒▒█▒▐░░ ░▐░░░▒▒▒▒▒▒▒▒▌██▀▒▒░░░▒▒▒▀▄▌░ ░▌░▒▄██▄▒▒▒▒▒▒▒▒▒░░░░░░▒▒▒▒▌░ ▀▒▀▐▄█▄█▌▄░▀▒▒░░░░░░░░░░▒▒▒▐░ ▐▒▒▐▀▐▀▒░▄▄▒▄▒▒▒▒▒▒░▒░▒░▒▒▒▒▌ ▐▒▒▒▀▀▄▄▒▒▒▄▒▒▒▒▒▒▒▒░▒░▒░▒▒▐░ ░▌▒▒▒▒▒▒▀▀▀▒▒▒▒▒▒░▒░▒░▒░▒▒▒▌░ ░▐▒▒▒▒▒▒▒▒▒▒▒▒▒▒░▒░▒░▒▒▄▒▒▐░░ ░░▀▄▒▒▒▒▒▒▒▒▒▒▒░▒░▒░▒▄▒▒▒▒▌░░ ░░░░▀▄▒▒▒▒▒▒▒▒▒▒▄▄▄▀▒▒▒▒▄▀░░░ ░░░░░░▀▄▄▄▄▄▄▀▀▀▒▒▒▒▒▄▄▀░░░░░ ░░░░░░░░░▒▒▒▒▒▒▒▒▒▒▀▀░░░░░░░░

comment on this story

Reed-Solomon December 2013

picture of a cd

The last things we studied in Arithmetic are the Reed-Solomon codes. It's a type of code you use to, not encrypt your information, but create redundant information in your final code. So when you read your code, if there are errors or missing parts, you can still decode it. It's not perfectly redundant like dog's ADN is. The redundant code is changed in a certain way so you can guess what the missing parts are.

A few days ago I was on the road to La Fête des Lumières (in Lyon) with 4 germans I met in Bordeaux. The driver had an old CD with a few mainstream and german songs on it that he wanted to play, problem, the CD was damaged, solution? None. Didn't need a solution. The CD still played, although sometimes it was indeed jumping, most of the time it was playing correctly. How is that?

Well, the information burned on the CD is coded thanks to Reed-Solomon's algorithm so that you can still guess what was burned on it through particular redundant code. This redundant code is (and I'm taking a guess here) what is used when your computer asks you "do you want to check if there was no error?" right after burning your CD.

more info on wikipedia

comment on this story

NP Complexity December 2013

Ahhhh, what is P, NP, NP-Complete and NP-hard. Found this quick explanation. Still reading on the subject. I feel like It might take me a lot of time until I can be able to explain that easily to someone who has no idea what it is.
true mastery of a subject is achieved when you can explain it simply
Here's a stackoverflow pretty simple explanation
A decision problem is in P if there is a known polynomial-time algorithm to get that answer. A decision problem is in NP if there is a known polynomial-time algorithm for a non-deterministic machine to get the answer.
comment on this story

I've been interviewed by Direct Matin Bordeaux December 2013

Today I was interviewed by Emeline Marceau from Direct Martin Bordeaux, a free newspaper that is directly competing against 20 minutes in France.

I already had my first interview with Vincent Glad from Slate (and now Canal+) 3 years ago. But this is different as it should be printed in a real newspaper with a picture of me. Well nothing is sure yet, crossing fingers.

comment on this story

Storing plain passwords in cookies December 2013

I've always stored plain passwords in cookies. And today I decided to educate myself about cookies a bit. Well, I was expecting that : you should not store plain passwords in cookies.

Basically, if your computer gets compromised, everyone can read what's in your cookies. So you'd better not store important information that are not encrypted.

What is the work around ? Storing a token + his identification. When someone logs in, I create a random token and store it in the database under its name.

Next time the guy comes around, I see that he has a token, I check if its identification coincides with the token, if it does I log the guy in.

I've seen hardcore implementations where the token (in the database, and in the guy's cookies) is refreshed on every page. I find that a bit troublesome as the cookie expires after 5 days (in my implementation) so it's no big risks.

I could also have put a timestamp forbidding anyone to log in with that token after 5 days. But I feel like it would be over protecting.

comment on this story

塞翁失马 December 2013

ran into that fable, made me think of bitcoins and litecoins.

A farmer had only one horse. One day, his horse ran away. All the neighbors came by saying, “I'm so sorry. This is such bad news. You must be so upset.” The man just said, “We'll see.” A few days later, his horse came back with twenty wild horses following. The man and his son corraled all 21 horses. All the neighbors came by saying, “Congratulations! This is such good news. You must be so happy!” The man just said, “We'll see.” One of the wild horses kicked the man's only son, breaking both his legs. All the neighbors came by saying, “I'm so sorry. This is such bad news. You must be so upset.” The man just said, “We'll see.” The country went to war, and every able-bodied young man was drafted to fight. The war was terrible and killed every young man, but the farmer's son was spared, since his broken legs prevented him from being drafted. All the neighbors came by saying, “Congratulations! This is such good news. You must be so happy!” The man just said, “We'll see.”
comment on this story

Someone Bought A Tesla Using Bitcoin December 2013

Here it is, Lamborghini is now accepting bitcoins and the first purchase was made for a Tesla.

"Lamborghini Newport Beach is proud to announce that we are fully capable of accepting Bitcoin as legal tender for vehicles, We are excited to be opening the door to this new currency."
more info here comment on this story

Have you been pwned? December 2013

HaveIbeenPwned.com is a new website allowing you to check if your mail + password has been leak by some of those famous data breach. It's pretty bad, mine is compromised. Fortunately I use different passwords for different kind of websites. I use a garbage password for websites I don't trust, I use an easy and quick password to type for websites I don't care about, I use complicated password for more important things like my server, my steam account, my gmail account, my facebook account etc... and I regularly change them. comment on this story

What are litecoins? December 2013

WhatAreLitecoins.com is a new website that's looking to get litcoins to the public. The site looks really nice and it makes me want to do something about bitcoins. I think my next project will be a litecoin chart. I wish I had the qualifications to do a litecoin market but security wise and technically wise it seems really difficult at my level. comment on this story

Sheep Market Place creator revealed? December 2013

Apparently things are going pretty bad for one of Silk Road's replacement : http://www.reddit.com/r/SheepMarketplace/comments/1ru2kw/sheep_is_down_admin_blames_user_ebook101_for_scam/" target="_blank">Sheep Market place is scamming its users.

Also, the creator might have been found. I'm not a big fan of posting personal info so I'll just post this http://pastebin.com/raw.php?i=9spTATw6" target="_blank">message

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 2 November 2013, I was contacted on IRC by a pseudonymous chatter, "an anonymous security hobbyist". He said he had some information for me if I would swear to keep it secret. I agreed as long as it didn't involve violence like hitmen. He had been impressed by [my bet against Sheep & BMR](http://www.reddit.com/r/SilkRoad/comments/1pko9y/the_bet_bmr_and_sheep_to_die_in_a_year/) and agreed with me that the official Sheep story about `sheepmarketplace.com` was too stupid for words, and wanted to share the info with me. He then told me he had just finished researching Sheep Marketplace and was highly confident that the operator was a Czech programmer by the name of "Tomáš Ji?ikovský", and further, earlier that day he had mailed off his results to the FBI. (He also claimed credit for the BMR & PBF leaks.) After reading through his results, checking some of the links to see if they were as described, agreeing with him that Tomas matches the profile for the Sheep operator uncannily well, and reflecting how stupid I was to not look harder at sheepmarketplace.com because as soon as you see the forum posts where Tomas complains about the problems of running a Bitcoin-using hidden service it's completely obvious that Tomas=Sheep, I suggested he contact Tomas. He declined, saying he didn't want to spook Tomas (he is not a big fan of drugs), although he agreed I could release the results within 7 months. The most I managed to get out of him was permission to [post a cryptographic hash precommitment](http://www.reddit.com/r/SilkRoad/comments/1ptd6b/precommitment_proof_of_knowledge_about_a/): $ echo 'Sheep Marketplace was founded and run by Tomáš Ji?ikovský (random nonce: 19093)' | sha512sum 43a4c3b7d0a0654e1919ad6e7cbfa6f8d41bcce8f1320fbe511b6d7c38609ce5a2d39328e02e9777b339152987ea02b3f8adb57d84377fa7ccb708658b7d2edc - I was as precise as I could be at the time; saying it was a precommitment to Tomas's identity would have clearly breached the agreement. Anyway, I took his notes, made copies of all the webpages linked in, and prepared a single compilation in MAFF format: https://dl.dropboxusercontent.com/u/182368464/2013-11-03-sheepmarketplace-doxxing.maff The basic overview of the findings: 1. Tomas owns the hosting service for the sheepmarketplace.com VPS server. There were very few domains hosted there as well, and he controlled several of them. 2. The site itself seemed to be very closely connected to SMP, using the same basic technologies and possibly a non-public API 3. The official excuse does not wash as sheepmarketplace.com was set up not long after SMP itself 4. Tomas is the earliest known promoter of SMP (1 February 2013), and recommened SMP & BMR over Silk Road (11 April 2013) 5. Tomas is a C++ QT Nette Framework Czech developer who runs Ubuntu, exactly like the SMP developer 6. Tomas has complained about the memory demand of `bitcoind` on a VPS server, and discussed the difficulties of functionality like email from hidden services 7. Tomas or his girlfriend are active users of Tor, as evidenced by screenshots of their computer 8. it's not clear what Tomas's current job is 9. but it is clear that as of October, he was working on an e-commerce site which was having problems with buggy accounting of deposits 10. Tomas posted a .htaccess file which has the same (buggy) functionality as that of SMP 11. He is an accused Bitcoin scammer A few of these could be explained as coincidence. But all of them? At this point, I would rate Tomas as >75% likely to be involved with SMP in some fashion. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iEYEAREKAAYFAlKaXN8ACgkQvpDo5Pfl1oJ+HwCgnQmvBZFTHkzDEHzayEmrTnjB d+oAnjK0a0UFDwg+wAvkDxsjer6w8rXl =tYBY -----END PGP SIGNATURE-----/

poster is http://www.gwern.net/" target="_blank">gwern, http://www.reddit.com/r/SilkRoad/comments/1ptd6b/precommitment_proof_of_knowledge_about_a/" target="_blank">more info on reddit.

comment on this story

Canal discret sans mémoire November 2013

In my quest to better support to learn, I've again stumbled into a complicated, badly explained and unclear paper from my prof about discreet and time-memoryless channels.

Although it might be just me, but when I don't understand something from one source I like to diversify, and papers from Polytechnique (in french) are always a good snack :

http://www.enseignement.polytechnique.fr/profs/informatique/Nicolas.Sendrier/TI/cours6.pdf comment on this story