I've always disliked paypal but after watching that video I have a new image of Elon Musk. The guy is pretty humble, clever and knows how to explain an idea. The opposite of a Linus Torvald.
What's also really amazing to me is how diversified his vocabulary is. Here are some words I learned thanks to this video:
If you're a college student in the US today might be your lucky day. Coinbase is offering 10$ in bitcoin to students from some american universities. I guess if yours is not accepted you can ask them directly.
To support bitcoin awareness among college students, today we are announcing a bitcoin giveaway: we are gifting $10 worth of bitcoin to students who create a new Coinbase account using their .edu email address.
Here you go
Time to celebrate!
and thanks r/dogecoin for tipping me!
If you want some of my dogecoins just comment :D
I've always wondered how it is that we can't easily copy the entire content of a CD/DVD/Bluray on another one and play it with a PS1/PS2/PS3 and I guess PS4 and its competition.
Here's part of an answer on psx-scene's forum:
Whenever you insert a disc (bluray one that is) the ps3 drive will look at a special area of the disc called the Pic Zone (the BD ROM Mark is actually used in movie discs but not in game unlike what I first thought).This area cannot easily be dumped (you'd pretty much need a bluray drive with a hacked firmware) and of course that specific area cannot be burned on any kind of discs or with any kind of burners commercially available.
reading this made me apply to Sony for an internship :)
chr13 has posted a nice finding on how to DDoS a website thanks to services like facebook and google.
It's actually pretty simple!
You just create notes with
img tags, facebook will crawl the website to cache the picture.
In his example he writes a thousand img tags per notes, opens all the notes from several browsers.
Thousands of get request are sent to a single server in a couple of seconds. Total number of facebook servers accessing in parallel is 100+.
The funny thought of facebook DDoSing itself crossed my mind. Interestingly someone else's also and chr13 answered that he hadn't tried:
It’s against the bug bounty rules to do this, hence one has to be careful here. I was only using browsers at first just because of that.
Symposium sur la sécurité des technologies de l'information et des communications is a 2 day con about security. Entrance is 260€ or 60€ if you're a student, still quite expensive, there seems to be a way of getting a free pass: analyzing a usb trace and extracting a mail from it.
Here's the trace.
here's a usb trace I got from plugging my brand new android to my personnal air-gapped computer.
I'm suspecting that a malware is on my phone. Could you check?
So where do I start...
The Lundum Dare is starting in a bit less than 10 hours.
Ludum Dare is an Online Game Jam event where people from around the world create a game in a weekend.
You have 48 hours to produce something good! In what language? I used to watch notch do it in java, but apparently you can do it in whatever language you like.
To reach more participants, web entries are best (Flash, Unity, Flixel, Flashpunk, HTML, etc). They’re quick to start playing, and cross platform.
I need to get into Unity a lot more to get into that kind of contest. Every year I'm telling myself "next year I'll do the lundum dare"....
posted April 2014
So, the team behind OpenBSD has forked OpenSSL to create LibreSSL. They're rewriting code, they already found several bugs.
You can check what they do with some awesome journalism here.
I remember a time where people would advise to just hash the password with md5 before storing it into a database.
Then md5 became a bad choice because of the rainbow tables (precomputed tables of md5). The concept of salt helped (adding a secret value to passwords before hashing them).
But hash were never meant for encrypting passwords. As KDF. But KDF seems to be better a fit for that kind of task.
See Ty's blog post "please stop hashing passwords". He makes good points and advise using those following KDFs for the job:
Scrypt is the one used in Litecoin by the way.
A few hours after the start of the Heartbleed challenge, actually, just 3 hours after the start of the Heartbleed challenge. Fedor Indutny seems to have cracked it.
So now, chaos begins. If you own a certificate, you not only have to change it, but you also have to revoke it. I wonder how many will change, and how many will revoke.
You can check that he indeed did it by doing this:
Just to confirm it: put this into your /etc/hosts “22.214.171.124 http://www.cloudflarechallenge.com ” and visit “https://www.cloudflarechallenge.com/ “.
here why it works:
Putting that mapping in /etc/hosts lets your machine skip DNS lookup for that hostname, and just use his IP for that domain name.
Then, your browser checks the received certificate against the authenticated TLS connection, and sees that all is well, allowing you to connect without a warning.
Since the browser does not warn of a certificate mismatch, he must have a valid certificate for 'cloudflarechallenge.com'. QED.
The Cloudflare team reviewing the attack:
NSA is not happy. NSA is tweeting, tumblring (is this a verb?) and shouting loud and for all of who wants to hear it : they didn't know about the Heartbleed bug.
by the way they're talking about a "zero day" vulnerability, and now is a good time to learn what it is:
a so-called “Zero day” vulnerability because the developers of the vulnerable software have had zero days to fix it
I'm akin to trust them since... well. So many US websites were using OpenSSL and... it's not really nice if someone else eavesdrop on american citizen...
Anyway, this shows that the NSA has a long way to build trust again.
Cloudflare's engineers have set up a server vulnerable to Heartbleed, if you find the secret SSL keys and publish your solution you'll get 10,000$. The challenge is here and there's a blog post here.
an attacker can get up to 64kB of the server’s working memory. This is the result of a classic implementation bug known as a Buffer over-read
Apparently it is not known if it is possible or not to find those keys. If it appears to be possible the results would be catastrophic as every single website that has used OpenSSL would have to revoke and ask for a new certificate. And as Cloudflare says:
the certificate revocation process is far from perfect and was never built for revocation at mass scale.
So it would then be very easy for any server to pretend they're someone else.
A heartbeat is a message that is sent to the server just so the server can send it back. This lets a client know that the server is still connected and listening. The heartbleed bug was a mistake in the implementation of the response to a heartbeat message.
This is the code in question:
p = &s->s3->rrec.data
hbtype = *p++;
pl = p;
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
bp = buffer;
memcpy(bp, pl, payload);
The team at Detectify found a way to access files on one of google's production server. Thanks to an old google product (google toolbar) that was using a poorly secured XML parser.
They just used a simple XXE attack where they uploaded a poisoned xml files and saw what the application printed back
a xxe looks like this:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
More on their blog
I found a pretty nice explanation of Heartbleed for the layman in this XKCD comic. Heartbleed is a recent and alarming vulnerability found in the OpenSSL toolkit that serves most of the application/websites today. To quote Schneier:
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.
Here's the comic:
And if you want to dig a bit more into it, you can read some more explanations on security.stackexchange.
..We're proud to welcome Dr. Condoleezza Rice to our Board of Directors. When looking to grow our board, we sought out a leader who could help us expand our global footprint. Dr. Rice has had an illustrious career as Provost of Stanford University, board member of companies like Hewlett Packard and Charles Schwab, and former United States Secretary of State. We’re honored to be adding someone as brilliant and accomplished as Dr. Rice to our team.
People are not happy with that news.
When I knew you at Stanford I had the greatest admiration for your abilities and good sense. But now I cannot help but express to you my chagrin that the warm feelings I once had have basically evaporated. I hope you can pause to try to understand why this might be the case.
Don Knuth's open letter to Condoleezza Rice