The C programming language is not memory safe and it is not type safe....
I recently started using the Nix Package Manager on macOS and the process has been painful. In this post, I’m going to write down how I’m currently using Nix on macOS with the Zsh shell....
The US National Security Agency’s backdoored pseudo random generator, Dual_EC_DRBG, being subverted in Juniper Networks’ NetScreen devices is back in the news again. In brief, Bloomberg is reporting that Chinese state-sponsored hackers were responsible for inserting code in Juniper’s ScreenOS operating system which rekeyed an existing backdoor which allowed passive decryption of network traffic and installing a separate backdoor which allowed administrator access to the devices running ScreenOS....
Git is ridiculous....
TypingDNA Authenticator is a browser-based authenticator app that is designed to replace mobile phone authenticator apps like Google Authenticator and Duo Mobile. Like Google Authenticator and Duo Mobile, TypingDNA Authenticator uses Time-based One-Time Passwords (TOTP) to produce short codes that users use as a second factor (alongside traditional user names and passwords) to log in to websites....
I have been using Duplicity to back up one of my Linux servers for several years now. Duplicity supports quite a few network protocols for connecting to file servers, including commercial servers like Amazon S3, Google Drive, and Microsoft Azure. For my personal use, I’ve only used its ability to use SSH to back up to a small NAS. I have not been completely happy with Duplicity, but I have successfully used it to restore data lost from a hard drive failure so I’ve continued using it. Recently, I’ve discovered a number of issues, one of which I want to briefly discuss here, namely performance....
As the TLS 1.3 standardization process (hopefully) comes to a close, there has been some drama on the TLS WG mailing list and at the recent IETF 99 meeting in Prague regarding the use of TLS 1.3 in enterprise networks. This is a surprisingly contentious and important topic that I suspect many people who don't follow protocol development closely may have missed. Below, I'm going to try to describe the various points of view from a (mostly) nontechnical perspective and the arguments that have been advanced. Then, I'll briefly conclude with my thoughts on the topic....
Every now and then, I find myself wanting to turn Tweets into high-quality images. My main reason for doing so is to include an image of the tweet in a presentation. The normal procedure I follow is simple:...
Update (2016-11-01): The Radare2 creator has informed me that all of the issues I mention below have been fixed....
Kaspersky Lab recently published a blog post Rare implementation of RC5/RC6 in ‘ShadowBrokers’ dump connects them to Equation malware in which they analyze the RC6 block cipher implementation used in the recent ShadowBrokers release and compare it to the earlier Equation Group malware they found. They conclude that since all of the implementations they examined contain an RC6 constant in its negated form, it must be from the same authors since that’s so unusual. Their analysis is wrong....
Yesterday, Matt Green asked me to take a look at one of the leaked NSA tools, SECONDDATE, to try to confirm some of its behavior. See Sam Biddle’s Intercept article for details on that....
A group calling itself the “Shadow Brokers” claimed to have stolen some of the NSA’s “Equation Group’s” “cyber weapons.” A sample of the tools was made publicly available with the others supposedly available to the winner of an auction. The Washington Post is reporting that these are legitimate NSA tools....
I’ve recently been hacking on compilers and have been interested in the issues surrounding them for quite a while now. I just recently came across Ian Lance Taylor’s old series of blog posts on linkers. I didn’t see an easy way to read them one after another so below I’ve collected links to all of the posts in the series....
Don’t unpickle a Python pickle that you did not create yourself from known data. That’s old news. The Python documentation for the pickle module clearly states,...
During a conference call between the Office of the Director of National Intelligence (ODNI), the NSA, and reporters regarding the recently declassified FISA Court (FISC) order, the Obama Administration explained how it was over collecting data. The problem, they claim, has to do with what the FISC opinion called MCTs or “multi communication transactions.” They give an example:...
Recently, former NSA director Gen. Michael Hayden wrote this about Edward Snowden,...
For a while now, I’ve contemplated writing a musing entitled something like “Stewart Baker Thinks We’re on Star Trek” due to his lack of understanding of basic computer and networking technology and his willingness to make policy recommendations that are inane at best and downright dangerous (as in life-threatening) at worst....
Microsoft recently announced the winners of its BlueHat Prize Contest. The goal of the contest was to develop a defense against Return-Oriented Programming (ROP). Vasilis Pappas, Ivan Fratric, and Jared DeMott won a combined total of $260,000 with Vasilis Pappas winning the lion’s share ($200,000) for his kBouncer mitigation measure. Unfortunately for Microsoft, all three of these defenses are already broken....
A friend of mine pointed me toward a 2011 article Women’s Equality Day: What the Heck Do I Tell My Daughter? this evening. I found it an interesting read but it contains a sentence that really caught my attention, “Further, studies have found that with EQUAL resumes, women with children are up to 100 percent less likely to be hired than women without children.” This is a shocking statement. It is saying that studies have found that mothers will not be hired if there is an equivalently qualified nonmother. (Okay, it says “up to,” but let’s ignore that for now.)...
This year, I’ve been flying a lot. I’m over fifty thousand miles traveled since January 31st. This is more flying in two and a half months than I’ve ever done in a year before. One consequence of this is I’m really quite familiar with the procedure for refusing a full body scan. It goes roughly like this....
I’ve occasionally wondered how it is that a computer gets from its power on state to running an operating system. Today I decided to take a look at a small piece of that puzzle by examining a bootloader for an embedded x86 system I was hoping to reverse engineer at some point in the future. This particular machine runs the pSOS real-time operating system on a 486. I had some trouble figuring out where the firmware is actually loaded into memory by cursory examination and googling so I opted to break out IDA Pro and actually take a look at what goes on....
Recently, Orin Kerr rightly pointed out that adding a line to the end of your email pointing out that it is covered by the Electronic Communications Privacy Act is silly because all emails are so protected and, further, once the email is delivered, the relevant federal law no longer applies. As a computer scientist, I’m left wondering exactly what it means to be delivered in this context....
Recently, I was reminded that I appeared in a newspaper....
After I presented “Are Text-Only Data Formats Safe? Or, Use This LaTeX Class File to Pwn Your Computer” at LEET 2010, I was asked if I planned to do any more research on TeX. My answer was no. It was a fun little project to do but not really part of my Research Agenda™. Imagine my surprise to find myself once again writing about TeX hacking....
Over at the Lawfare blog, Benjamin Wittes weighs in on being groped by the TSA....
In the past few years, I’ve spent a fair bit of time disassembling code for embedded devices. Over time, I’ve built up mental lists of properties that embedded devices can have that facilitate or frustrate disassembly. I’m sure that by now, I’ve forgotten some of these properties, so I decided it was time to make some lists....