Quick access to articles on this page:
more on the next page...
Excellent finding from Adam Back.
If I understand the article correctly, when exporting encrypted content with Lotus-Notes, 24 bits of the 64 bits key would be encrypted under one of the NSA's public key and then appended to the encrypted content (I guess). This would allow NSA to decrypt those 24 bits of key with their corresponding private key and they would then have to brute force only 40 bits instead of 64 bits.
This shouldn't allow any bad attacker to get any advantage if they don't know the NSA's private key to decrypt those bits. And if they do acquire it, and they do decrypt 24bits of key, they would still have to have the computing power to brute force 40 bits of key. I have no idea what I'm talking about but I have the feeling the NSA might be the most powerful computing power when it comes to brute forcing ciphers.
$cur = 'plaintext'
$cur = md5($cur)
$salt = randbytes(20)
$cur = hmac_sha1($cur, $salt)
$cur = cryptoservice::hmac($cur)
[= hmac_sha256($cur, $secret)]
$cur = scrypt($cur, $salt)
$cur = hmac_sha256($cur, $salt)
the explanation is here
tl;dr: the md5 is here for legacy purpose, cryptoservice::hmac is to add a secret salt, scrypt (which is a kdf not a hash) is for slowing brute force attempts and the sha256 is here for shortening the output.
Amazing article on the verge about how the army created a song hiding a message ("19 people rescued. You’re next. Don’t lose hope") so that hostages of the FARC could hear it on the radio.
This is a genius idea for concealing a message! Not really crypto, but kinda cool none the less. I knew about Stenography and I also posted about transforming your message into spam as a way of hiding your message, but this is cool on a different level. Even the song is catchy ^_^
There was this disturbing video of a captive soldier in a North Vietnamese prison who when forced to do a fake interview, blinked the Morse Code 'T-O-R-T-U-R-E'.
Zokis wrote some tests on python, showing that a difference in declarations and simple syntax do have implications in the size of the program and the rapidity of execution.
For example writing
a, b = 0, 1 seems faster than doing
a = 0 then
b = 1
Using chained conditions like
a < b < 0 seems faster than doing
a < b and b < 0
etc... you can find all the tests here
The differences seem negligible though. dis and timeit were used to quantify the tests.
Also here are two useful python arguments:
python -c cmd : program passed in as string (terminates option list)
# python -c "print 'haha'"
-i : inspect interactively after running script; forces a prompt even
if stdin does not appear to be a terminal; also PYTHONINSPECT=x
# python -i -c "a = 5"
According to the US government, yes they did:
the FBI now has enough information to conclude that the North Korean government is responsible for these actions
What do security experts think about that?
Here's a piece from Marc Roger called No, North Korea Didn’t Hack Sony. So you can guess what the director of security operations for DEFCON and principal security researcher of Cloudflare is thinking.
What about Schneier? Read about it here
I worry that this case echoes the "we have evidence -- trust us" story that the Bush administration told in the run-up to the Iraq invasion. Identifying the origin of a cyberattack is very difficult, and when it is possible, the process of attributing responsibility can take months.
What about Robert Graham? his article's title is as usual pretty straight forward: The FBI's North Korea evidence is nonsense
So there is some kind of consensus that the FBI's announcement is abrupt and shady...
To dig further... Nicholas Weaver posted an interesting article. Kurt Baumgartner as well.
SECURITY DAY will take place at the University of Lille 1, in France, on January 16th. People from Quarkslab (where I almost did my internship), ANSSI, Microsoft, ... will give talks. There is even one of my classmate Jonathan Salwan.
I'm trying to find a way to get there, so if you want to buy me a beer this might be the right place :D
As requested, I added a rss feed to this blog. It's available here in markdown, and here in html, choose whichever suits you best.
posted December 2014
I like how people make an extreme effort to create "sure" source of random numbers.
OneRNG has released a new usb source. Everything is opensource (open hardware, open software), you can even create your own by following instructions on their websites.
OneRNG collects entropy from an avalanche diode circuit, and from a channel-hopping RF receiver. It even has a “tinfoil hat” to prevent RF interference — you can remove the hat in order to visually verify the components being used.
Now I'm wondering who is using that and for what