A Brief History of NSA Backdoors. posted February 2015

here's an entertaining piece about NSA backdoors through history: http://ethanheilman.tumblr.com/post/70646748808/a-brief-history-of-nsa-backdoors

1997 Lotus Notes: The NSA requested that Lotus weaken its cryptography so that the NSA could break documents and emails secured by Lotus notes. This Software was used by citizens, companies and governments worldwide.

I talked about this one here.

Firefox Time Tracker : update 2 posted February 2015

I shipped!

You can get the .xpi on the github repo. Just open it with Firefox and no restart is needed! (Ctrl+O in firefox)

For now it's very basic. You will see this icon next to the close button:

Yes I know I should create a custom icon :D but I was too busy coding. You will then see some basic statistics of the day.

I'm now working on making this page nice with pretty graphics and more statistics (week, month, tracking of the most visited website of the week...).

So if you want to try my plugin, know that it works (so far)! And that you should pay this blog a visit because I'm planning on updating it.

A tutorial on how to get into an admin account on ANY windows. posted February 2015

A step by step tutorial showing you how to get admin credentials on a windows machine: http://imgur.com/gallery/H8obU

tl;dr:

• reboot in start-up repair mode
• read privacy statement of one menu should open notepad
• thanks to notepad replace sethc 1 with cmd
• so now when you press 5 times on shift it will call cmd instead of sethc 1
• you know have a shell, use command net localgroup Administrators to get a list of the admins
• type net user <ACCOUNT NAME HERE> * to change one account's password.

If you're looking for a "fix", microsoft advise you to turn off sticky keys all completely

And here's another exploit for windows 98

Note that as soon as you can access the hard drive, you don't need to use the first trick and can switch around programs in system32 as you wish (except if windows is encrypted with bitlocker). For example you can do this with an ubuntu live cd and swap cmd with the magnifier tool and you will be able to do the same thing.

Firefox Time Tracker posted February 2015

I always thought I could reduce the amount of time slacking if I could track my time on facebook, reddit, hackernews... like I track my calories intake to reduce my weight. I couldn't find a good firefox plugin for that so I decided to make one.

I'm opensourcing the code right here: https://github.com/mimoo/FirefoxTimeTracker

I'm pretty surprised with Firefox SDK and it's actually easier than what I thought to build a browser plugin. It might also help that everything Mozilla documents is clear and pretty.

At the moment the code successfully logs the time passed on different websites across sessions. It just lacks nice graphs. If you want to try it just wait a couple days until I ship.

Kleptography: hidding a private key in plain sight posted January 2015

from wikipedia:

A kleptographic attack is an attack which uses asymmetric encryption to implement a cryptographic backdoor. For example, one such attack could be to subtly modify how the public and private key pairs are generated by the cryptosystem so that the private key could be derived from the public key. In a well-designed attack, the outputs of the infected cryptosystem would be computationally indistinguishable from the outputs of the corresponding uninfected cryptosystem. If the infected cryptosystem is a black-box implementation such as a hardware security module, a smartcard, or a Trusted Platform Module, a successful attack could go completely unnoticed.

I've seen implementations of this in the wild, here on reddit (python) and here on lobsters (C#)

Powerful Algorithms too complex to implement (stackexchange) posted January 2015

Here's a funny topic on CS Theory StackExchange: https://cstheory.stackexchange.com/questions/4491/powerful-algorithms-too-complex-to-implement?newreg=dbe44b3dd8ca41019f6a4a23b9fea6d3

What are some algorithms of legitimate utility that are simply too complex to implement?

Explanation of Shellshock posted January 2015

Here's an awesome explanation of shellshock: https://bitbucket.org/carter-yagemann/shellshock/src/f0a88573f912?at=master

This repository contains useful documents which I have written to help educate the cybersecurity community on the "ShellShock" bash vulnerability. These documents are designed to help facilitate learning, including on how to identify possibly vulnerable services and how to remediate such vulnerabilities.

It's actually the clearest explanation I've seen on the subject.

Made by these guys from Syracuse:

• Carter Yagemann
• Amit Ahlawat

One example of a crypto backdoor: NSA's backdoor in Lotus-Notes posted January 2015

Excellent finding from Adam Back.

If I understand the article correctly, when exporting encrypted content with Lotus-Notes, 24 bits of the 64 bits key would be encrypted under one of the NSA's public key and then appended to the encrypted content (I guess). This would allow NSA to decrypt those 24 bits of key with their corresponding private key and they would then have to brute force only 40 bits instead of 64 bits.

This shouldn't allow any bad attacker to get any advantage if they don't know the NSA's private key to decrypt those bits. And if they do acquire it, and they do decrypt 24bits of key, they would still have to have the computing power to brute force 40 bits of key. I have no idea what I'm talking about but I have the feeling the NSA might be the most powerful computing power when it comes to brute forcing ciphers.