I was reading some articles on the security blog of stackexchange. Ended up there reading articles/comments from Thomas Pornin who is one of the best answerer on stackoverflow.
I ran into this one intitled Is our entire password strategy flawed?
I wanted to bring my point of view on how to deal with multiple passwords. I don't necessarily do this because it's not practical but I'm trying more and more.
So if I were to be extremely paranoiac I would:
- use a password manager like 1Password for websites you don’t really care.
- use passwords you memorise for websites you care about.
- use multi-factor authentification for critical websites.
1. Password Manager
I've never used 1Password but it seems to generate passwords on the fly when you need to sign up on a new website. It's pretty cool! But a problem arises when you need to login on some website when you're not using your computer. If you don't know the passwords it created then you will always be dependent of this password manager.
A good idea would be to hash the name of the website + some salt only you know, and use it as a password. All of that in your head. That's what one of the famous Blum proposes. More here. He appeared to have invented a hash you could compute mentally.
3. Two-Factor Authentification
I really like the yubikey (and own one). It's literally a secret key. Every time I need to log into gmail from a cybercafe I wish I had it configured with my yubikey.
By the way, if you're scared there might be a keylogger but really have to enter some password you could prey on the fact that the keylogger is badly coded and, when entering your password, could move to another input field and write random words, then come back to the password input field and type some more letters of your password, etc.. .
Last year I also learned how to read dotsies (I completely forgot how to read it now though...) and I seldom switched all the fonts to dotsies so no one could look over my shoulder and read what I was reading/typing.
a topic on the math version of stackoverflow, filled with funny stories, anecdotes, urban legends about mathematicians. If you're like me you're gonna love every bit of it.
Although David Hilbert was one of the first to deal seriously with infinite-dimensional complete inner product spaces, the practice of calling them after him was begun by others, supposedly without his knowledge. The story goes that one day a visitor came to Göttingen and gave a seminar about some theorem on "Hilbert spaces". At the end of the lecture, Hilbert raised his hand and asked, "What is a Hilbert space?"
When the logician Carnap was immigrating to the US, he had the usual consular interview, where one of the questions was (and still is, I think): "Would you favor the overthrow of the US government by violence, or force of arms?". He thought for a while, and responded: "I would have to say force of arms..."
Just a few weeks after Silk Road 2.0 and its owner got seized, the US government posted this:
THIS SEALED BID AUCTION IS FOR A PORTION OF THE BITCOINS CONTAINED IN WALLET FILES THAT RESIDED ON CERTAIN COMPUTER HARDWARE BELONGING TO ROSS WILLIAM ULBRICHT, THAT WERE SEIZED ON OR ABOUT OCTOBER 24, 2013 (“COMPUTER HARDWARE BITCOINS”).
Apparently it's from the first Silk Road. Pretty comical.
Ever fiddled with your TI-8x or played LineRider? Well this guy combined both and it looks awesome!
the game is here: http://sineridergame.com/
Scott Aaronson found a 1994 issue of Cryptolog an internal newsletter at the NSA. He's quoting funny extracts from one of its article about a field trip at the 1992 Eurocrypt Conference.
Those of you who know my prejudice against the “zero-knowledge” wing of the philosophical camp will be surprised to hear that I enjoyed the three talks of the session better than any of that ilk that I had previously endured. The reason is simple: I took along some interesting reading material and ignored the speakers. That technique served to advantage again for three more snoozers, Thursday’s “digital signature and electronic cash” session, but the final session, also on complexity theory, provided some sensible listening.
more on his blog: http://www.scottaaronson.com/blog/?p=2059
The next Hack Summit will happen entirely online and will start on December the 1st.
You can get a free ticket by posting it on twitter/facebook.
An amazing line up of people will be giving talks: David Heinemeier Hansson (creator of Ruby on Rails), Tom Chi (creator of Google Glass), Hakon Wium Le (creator of CSS), Bram Cohen (creator of Bittorrent), Brian Fox (creator of Bash), Hampton Catlin (creator of Sass and Haml), and many more interesting persons and even....... Jon Skeet (#1 answerer on StackOverflow). This is gonna be huge!
The Sapheads team draw a comic as a write up for the finale of the Defcon CTF in 2009. Since it's a classic here it is
I was in Bucharest for two weeks and look what I ran into!
I've run into a nice series of video called "hack of the day" from Vivek-Ramachandran.
In this first video he explains two techniques :
- xor decoding
I also got nice tips like the examining string function in gdb :
x/s $ebx or the folder
usr/include/asm that contains plenty of information about assembly.
The full playlist can be found on securitytube.net
A new attack on SSL 3.0 has been discovered. It's relevant because most browsers (except for Opera) allow a downgrade to SSL 3.0 if it cannot seem to use newer versions. Of course an attacker could disturb the connection and force someone to use SSL 3.0 in order to use the POODLE attack.
Full and clear explanation here
You might want a reminder of what is CBC to read it:
tl;dr: attack happens because of the way padding works in CBC in SSL 3.0
It's old but I just discovered it! And since it's not always fun to learn a new text editor, especially one like vim, here's a fun way to do just that!
Ken Shirriff, still writing about bitcoin, has found a new hobby: mining bitcoin blocs with only a paper and a pen.
posted August 2014
An interesting read about how any usb device could be a potential threat. Some scary extracts:
Once reprogrammed, benign devices can turn malicious in many ways, including:
- A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
- The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
- A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.
And a scarier one...
No effective defenses from USB attacks are known.
Once infected, computers and their USB peripherals can never be trusted again.
Some proof of concept should be introduced in a week at the incoming Black Hat convention. This is gonna be good :)
There's actually something similar that you can already buy: The USB Rubber Duck
Pretty funny, and it's sad to see that it hasn't evolved much (besides some rare exceptions like 24 or The Social Network). For example that hacking scene in the last James Bond Skyfall. Never forget.
A nice and not too hard puzzle that could get you signed up for HackMIT, here's the write up: https://medium.com/hackmit-2014/joining-the-fancycat-club-hackmit-14-puzzle-guide-6f4ebef5b69