david wong

Hey! I'm David, the author of the Real-World Cryptography book. I'm a crypto engineer at O(1) Labs on the Mina cryptocurrency, previously I was the security lead for Diem (formerly Libra) at Novi (Facebook), and a security consultant for the Cryptography Services of NCC Group. This is my blog about cryptography and security and other related topics that I find interesting.

Quick access to articles on this page:

more on the next page...

Git client vulnerability posted December 2014

A new vulnerability has been discovered on the git client. See Github's announcement

Repositories hosted on github.com cannot contain any of the malicious trees that trigger the vulnerability because we now verify and block these trees on push.

The official announcement and the updated and fixed version of git is here.

We used to allow committing a path ".Git/config" with Git that is running on a case sensitive filesystem, but an attempt to check out such a path with Git that runs on a case insensitive filesystem would have clobbered ".git/config", which is definitely not what the user would have expected. Git now prevents you from tracking a path with ".Git" (in any case combination) as a path component.

More information about the vulnerability here

Git maintains various meta-information for its repository in files in .git/ directory located at the root of the working tree. The system does not allow a file in that directory (e.g. .git/config) to be committed in the history of the project, or checked out to the working tree from the project. Otherwise, an unsuspecting user can run git pull from an innocuous-looking-but-malicious repository and have the meta-information in her repository overwritten, or executable hooks installed by the owner of that repository she pulled from (i.e. an attacker).

comment on this story

Bruce Schneier posted December 2014

Schneier just gave a talk on security at Qcon in San Francisco. It was recorded and you can watch that here.

It's a high level talk that brings a lot of interesting points, like how much do we trust our devices, how companies are often doing very bad things in term of security, ...

The psychologist he's talking about is Daniel Kahneman, who won the nobel prize in economics for his work on Prospect Theory.

Prospect theory is a behavioral economic theory that describes the way people choose between probabilistic alternatives that involve risk, where the probabilities of outcomes are known. The theory states that people make decisions based on the potential value of losses and gains rather than the final outcome, and that people evaluate these losses and gains using certain heuristics.

comment on this story

What might have been going on at Mtgox posted December 2014

I ran into an old post from nullc (Greg Maxwell one of the core Bitcoin developer) and it's interesting how small details might have been the fall of Mtgox.

First. You can't spend bitcoins you just mined.

Freshly generated Bitcoins (from mining) can not be spend until they are at least 100 blocks deep in the blockchain. This prevents the funds from vanishing forever if the chain reorgs.

see chain reorganization.

The term "blockchain reorganization" is used to refer to the situation where a client discovers a new difficultywise-longest well-formed blockchain which excludes one or more blocks that the client previously thought were part of the difficultywise-longest well-formed blockchain. These excluded blocks become orphans.
Chain reorganization is a client-local phenomenon; the entire bitcoin network doesn't "reorganize" simultaneously.

see orphan block.

An orphan block is a well-formed block which is no longer part of the difficultywise-longest well-formed blockchain.
The block reward in an orphaned block is no longer spendable on the difficultywise-longest well-formed blockchain; therefore whoever mined that block does not actually get the reward (or the transaction fees). This phenomenon must be taken into account by mining pools that use any payout strategy other than "proportional".

And here is a misunderstand of the padding of ECDSA (Elliptic Curve version of the Signature Scheme DSA) that might have be the problem:

This issue arises from several sources, one of them being OpenSSL's willingness to accept and make sense of signatures with invalid encodings. A normal ECDSA signature encodes two large integers, the encoding isn't constant length— if there are leading zeros you are supposed to drop them.
It's easy to write software that assumes the signature will be a constant length and then leave extra leading zeros in them.

comment on this story

Transform your messages into spam! posted December 2014

When you encrypt your mail through PGP or GPG it's great. But people can tell you're sending an important email. What if you could encrypt your message to something innocent? This is what spammimic does. It transforms your message into a spam message so no one can guess it's a legit message! This idea is so neat.

There is tons of spam flying around the Internet. Most people can't delete it fast enough. It's virtually invisible. This site gives you access to a program that will encrypt a short message into spam. Basically, the sentences it outputs vary depending on the message you are encoding. Real spam is so stupidly written it's sometimes hard to tell the machine written spam from the genuine article.

The encrypted messages look like that:

Dear Friend ; Thank-you for your interest in our publication 
  . If you no longer wish to receive our publications 
  simply reply with a Subject: of "REMOVE" and you will 
  immediately be removed from our club ! This mail is 
  being sent in compliance with Senate bill 1626 ; Title 
  . Why work for somebody else when you can become rich 
  as few as 10 WEEKS ! Have you ever noticed more people 
  than ever are surfing the web plus nearly every commercial 
  on television has a .com on in it ! Well, now is your 
  chance to capitalize on this . We will help you process 
  your orders within seconds and deliver goods right 
  to the customer's doorstep ! You are guaranteed to 
  succeed because we take all the risk . But don't believe 
  us ! Prof Simpson who resides in Illinois tried us 
  and says "Now I'm rich, Rich, RICH" . This offer is 
  100% legal ! We BESEECH you - act now . Sign up a friend 
  and you'll get a discount of 20% . God Bless ! Dear 
  Friend , Especially for you - this amazing news ! We 
  will comply with all removal requests . This mail is 
  being sent in compliance with Senate bill 1618 ; Title 
  2 , Section 301 . This is not multi-level marketing 
  ! Why work for somebody else when you can become rich 
  in 58 weeks ! Have you ever noticed people will do 
  almost anything to avoid mailing their bills plus most 
  everyone has a cellphone ! Well, now is your chance 
  to capitalize on this ! We will help you SELL MORE 
  and increase customer response by 170% ! You are guaranteed 
  to succeed because we take all the risk . But don't 
  believe us . Mr Jones of Georgia tried us and says 
  "Now I'm rich many more things are possible" ! This 
  offer is 100% legal ! So make yourself rich now by 
  ordering immediately ! Sign up a friend and you'll 
  get a discount of 60% . Best regards !
comment on this story

Hacking PayPal Accounts with one click posted December 2014

An interesting 0day on paypal was discolsed by Yasser Ali.

We have found out that an Attacker can obtain the CSRF Auth which can be valid for ALL users, by intercepting the POST request from a page that provide an Auth Token before the Logging-in process, check this page for the magical CSRF Auth “https://www.paypal.com/eg/cgi-bin/webscr?cmd=_send-money”. At this point the attacker Can CSRF “almost” any request on behave of this user.


A CSRF attacks (Cross-Site Request Forgery) happens when you can send a link to someone (or embed it into an iframe on your website) and it makes the user do something on a particular website (like paypal) that he didn't intend to do. Or as the name of the attack says, it makes him send a request you forged from outside the website. A CSRF token is used to cancel this attack. It's usually a random value that is send along the request and verified server side. This value is difficult to predict and thus you usually can't forge it along the request.