Hey! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group. This is my blog about cryptography and security and other related topics that I find interesting.

# How to deal with multiple passwords

## posted November 2014

I was reading some articles on the security blog of Stack Exchange. I ended up there reading articles and comments from Thomas Pornin, who is one of the best answerers on Stack Overflow.

I ran into this one entitled "Is our entire password strategy flawed?"

I wanted to bring my point of view on how to deal with multiple passwords. I don't necessarily do this because it's not practical but I'm trying more and more.

So if I were to be extremely paranoiac I would:

1. use a password manager like 1Password for websites you don’t really care about.
3. use multi-factor authentication for critical websites.

I've never used 1Password but it seems to generate passwords on the fly when you need to sign up on a new website. It's pretty cool! But a problem arises when you need to log in to some website when you're not using your computer. If you don't know the passwords it created then you will always be dependent on this password manager.

## 2. Memorise

A good idea would be to hash the name of the website + some salt only you know, and use the result as a password. All of that in your head. That's what one of the famous Blums proposes. More here. He appears to have invented a hash you could compute mentally.
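The same idea computed by a machine rather than in your head, as an added example that is not from the original post and is not Blum's mental hash: PBKDF2 stands in for the hash, and the alphabet, length, iteration count and `counter` parameter are assumptions.

```python
import hashlib
import string

# Assumed output alphabet and length; real sites impose their own rules.
ALPHABET = string.ascii_letters + string.digits + "!#%+-=?@_"
LENGTH = 16
ITERATIONS = 600_000  # assumed work factor


def site_password(secret: str, site: str, counter: int = 1) -> str:
    """Derive a deterministic per-site password from a secret and the site name."""
    # Normalise the site name so " Example.COM" and "example.com" agree.
    # The counter lets you rotate one site's password without changing the secret.
    label = f"{site.strip().lower()}#{counter}".encode()
    # A slow KDF matters here: a site that leaks one derived password hands an
    # attacker an offline guessing target for the secret behind all the others.
    raw = hashlib.pbkdf2_hmac("sha256", secret.encode(), label, ITERATIONS, dklen=32)
    # Read the 256-bit output as one integer and peel off base-71 digits.
    # 71**16 is about 2**98, so the modulo bias is negligible.
    n = int.from_bytes(raw, "big")
    chars = []
    for _ in range(LENGTH):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ("example.com", "example.org"):
        print(name, site_password("salt only you know", name))
```

Nothing is stored, so there is no vault to lose, but the secret becomes a single point of failure for every site derived from it.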

## 3. Two-Factor Authentication

I really like the YubiKey (and own one). It's literally a secret key. Every time I need to log into Gmail from a cybercafe I wish I had it configured with my YubiKey.


# Mathematical “urban legends”

## posted November 2014

A topic on the math version of Stack Overflow, filled with funny stories, anecdotes, urban legends about mathematicians. If you're like me you're gonna love every bit of it.

http://mathoverflow.net/questions/53122/mathematical-urban-legends

Although David Hilbert was one of the first to deal seriously with infinite-dimensional complete inner product spaces, the practice of calling them after him was begun by others, supposedly without his knowledge. The story goes that one day a visitor came to Göttingen and gave a seminar about some theorem on "Hilbert spaces". At the end of the lecture, Hilbert raised his hand and asked, "What is a Hilbert space?"

When the logician Carnap was immigrating to the US, he had the usual consular interview, where one of the questions was (and still is, I think): "Would you favor the overthrow of the US government by violence, or force of arms?". He thought for a while, and responded: "I would have to say force of arms..."


# For Sale: 50,000 Bitcoins

## posted November 2014

Just a few weeks after Silk Road 2.0 and its owner got seized, the US government posted this:

THIS SEALED BID AUCTION IS FOR A PORTION OF THE BITCOINS CONTAINED IN WALLET FILES THAT RESIDED ON CERTAIN COMPUTER HARDWARE BELONGING TO ROSS WILLIAM ULBRICHT, THAT WERE SEIZED ON OR ABOUT OCTOBER 24, 2013 (“COMPUTER HARDWARE BITCOINS”).

Apparently it's from the first Silk Road. Pretty comical.


# SineRider: play with functions

## posted November 2014

Ever fiddled with your TI-8x or played LineRider? Well this guy combined both and it looks awesome!

the game is here: http://sineridergame.com/


## posted November 2014

Scott Aaronson found a 1994 issue of Cryptolog, an internal newsletter at the NSA. He's quoting funny extracts from one of its articles about a field trip to the 1992 Eurocrypt conference.

Those of you who know my prejudice against the “zero-knowledge” wing of the philosophical camp will be surprised to hear that I enjoyed the three talks of the session better than any of that ilk that I had previously endured. The reason is simple: I took along some interesting reading material and ignored the speakers. That technique served to advantage again for three more snoozers, Thursday’s “digital signature and electronic cash” session, but the final session, also on complexity theory, provided some sensible listening.

more on his blog: http://www.scottaaronson.com/blog/?p=2059


# Hack Summit

## posted November 2014

The next Hack Summit will happen entirely online and will start on December the 1st.

An amazing lineup of people will be giving talks: David Heinemeier Hansson (creator of Ruby on Rails), Tom Chi (creator of Google Glass), Håkon Wium Lie (creator of CSS), Bram Cohen (creator of BitTorrent), Brian Fox (creator of Bash), Hampton Catlin (creator of Sass and Haml), and many more interesting people and even... Jon Skeet (#1 answerer on Stack Overflow). This is gonna be huge!


# Defcon CTF 2009 write up comic

## posted November 2014

The Sapheads team drew a comic as a write-up for the finale of the Defcon CTF in 2009. Since it's a classic, here it is.


# Bitcoin Romania

## posted November 2014

I was in Bucharest for two weeks and look what I ran into!


# Hack of the Day: How do I run untrusted shell code?

## posted October 2014

I've run into a nice series of videos called "hack of the day" from Vivek Ramachandran.

In this first video he explains two techniques:

• jump-call-pop
• xor decoding

I also got nice tips like the examining string function in gdb: `x/s $ebx`, or the folder usr/include/asm that contains plenty of information about assembly.

The full playlist can be found on securitytube.net


# POODLE: new attack on SSL

## posted October 2014

A new attack on SSL 3.0 has been discovered. It's relevant because most browsers (except for Opera) allow a downgrade to SSL 3.0 if they cannot seem to use newer versions. Of course, an attacker could disturb the connection to force someone onto SSL 3.0 and then use the POODLE attack.

Full and clear explanation here

You might want a reminder of what CBC is before reading it:

tl;dr: attack happens because of the way padding works in CBC in SSL 3.0
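To make the tl;dr concrete, here is the SSL 3.0 padding rule next to the stricter TLS 1.0+ rule, as an added example that is not from the original post. The records are constructed and already decrypted, and HMAC-SHA256 stands in for the real record MAC.

```python
import hashlib
import hmac
from typing import Callable, Optional

BLOCK = 16                        # CBC block size (AES)
MAC_KEY = b"constructed-mac-key"  # constructed key for this example
DATA = b"GET / HTTP/1.1\r\n"      # constructed 16-byte payload
# Payload plus MAC: 48 bytes, so the padding fills exactly one extra block.
SAMPLE_BODY = DATA + hmac.new(MAC_KEY, DATA, hashlib.sha256).digest()


def strip_ssl3(pt: bytes) -> Optional[bytes]:
    """SSL 3.0: only the final length byte is checked; padding bytes are arbitrary."""
    pad_len = pt[-1]
    # SSL 3.0 padding is minimal, so the length must be below the block size.
    if pad_len >= BLOCK or pad_len + 1 > len(pt):
        return None
    return pt[:-(pad_len + 1)]


def strip_tls(pt: bytes) -> Optional[bytes]:
    """TLS 1.0+: every padding byte must equal the length byte."""
    pad_len = pt[-1]
    if pad_len + 1 > len(pt):
        return None
    if any(b != pad_len for b in pt[-(pad_len + 1):]):
        return None
    return pt[:-(pad_len + 1)]


def record_ok(pt: bytes, strip: Callable[[bytes], Optional[bytes]]) -> bool:
    """Strip padding with the given rule, then verify the MAC over the data."""
    body = strip(pt)
    if body is None or len(body) < 32:
        return False
    data, tag = body[:-32], body[-32:]
    return hmac.compare_digest(tag, hmac.new(MAC_KEY, data, hashlib.sha256).digest())


def accepted_garbage_blocks(strip: Callable[[bytes], Optional[bytes]]) -> int:
    """Count final-byte values for which a garbage padding block is still accepted."""
    garbage = bytes(range(0xA0, 0xAF))  # 15 bytes that are not valid TLS padding
    return sum(record_ok(SAMPLE_BODY + garbage + bytes([last]), strip)
               for last in range(256))


if __name__ == "__main__":
    print("SSL 3.0 rule accepts:", accepted_garbage_blocks(strip_ssl3), "of 256")
    print("TLS rule accepts:    ", accepted_garbage_blocks(strip_tls), "of 256")
```

Because the MAC does not cover the padding, the SSL 3.0 rule accepts a final block whose content is garbage as long as its last byte is right, while the TLS rule rejects it. That is why the fix is to disable SSL 3.0 and the fallback to it rather than to patch the cipher.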


## posted October 2014

It's old but I just discovered it! And since it's not always fun to learn a new text editor, especially one like vim, here's a fun way to do just that!


## posted August 2014

An interesting read about how any USB device could be a potential threat. Some scary extracts:

Once reprogrammed, benign devices can turn malicious in many ways, including:

• A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
• The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
• A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.

And a scarier one...

No effective defenses from USB attacks are known.

Once infected, computers and their USB peripherals can never be trusted again.

Some proof of concept should be introduced in a week at the upcoming Black Hat convention. This is gonna be good :)

EDIT:

There's actually something similar that you can already buy: the USB Rubber Ducky


# 80s computer hacking: A Supercut

## posted July 2014

Pretty funny, and it's sad to see that it hasn't evolved much (besides some rare exceptions like 24 or The Social Network). For example, that hacking scene in the last James Bond, Skyfall. Never forget.
