post page 6 - Dave's Blog

Search
My timeline on Mastodon

laughingsquid: Everybody Wants to Kill Bruce Willis, An Action...

2013 Mar 26, 7:47


laughingsquid:

Everybody Wants to Kill Bruce Willis, An Action Movie Mashup

PermalinkCommentshumor video bruce-willis

laughingsquid: ‘Veronica Mars’ TV Show Attempts to Make a Film...

2013 Mar 13, 11:38


laughingsquid:

‘Veronica Mars’ TV Show Attempts to Make a Film Via Crowdfunding

PermalinkCommentsveronica-mars movie kickstarter

laughingsquid: New & Necessary Punctuation Marks

2013 Feb 25, 9:01


laughingsquid:

New & Necessary Punctuation Marks

PermalinkCommentshumor punctuation internet

laughingsquid: The Truth About Phones on Airplanes

2013 Jan 7, 11:57


laughingsquid:

The Truth About Phones on Airplanes

PermalinkComments

laughingsquid: Stick-N-Find, Tiny Bluetooth Stickers Help You...

2013 Jan 4, 5:35


laughingsquid:

Stick-N-Find, Tiny Bluetooth Stickers Help You Keep Track of Things

PermalinkComments

laughingsquid: Blind Man Shows How Blind People Use Instagram

2013 Jan 4, 5:34


laughingsquid:

Blind Man Shows How Blind People Use Instagram

PermalinkComments

thefrogman: Peanuts / Army of Darkness (Evil Dead III) tribute...

2012 Dec 27, 7:15


thefrogman:

Peanuts / Army of Darkness (Evil Dead III) tribute by Justin Hillgrove [website]

PermalinkCommentshumor peanuts army-of-darkness zombie

Stripe CTF - Level 8

2012 Dec 7, 2:07
Level 8 of the Stripe CTF is a password server that returns success: true if and only if the password provided matches the password stored directly via a RESTful API and optionally indirectly via a callback URI. The solution is side channel attack like a timing attack but with ports instead of time.

(I found this in my drafts folder and had intended to post a while ago.)

Code

    def nextServerCallback(self, data):
parsed_data = json.loads(data)
# Chunk was wrong!
if not parsed_data['success']:
# Defend against timing attacks
remaining_time = self.expectedRemainingTime()
self.log_info('Going to wait %s seconds before responding' %
remaining_time)
reactor.callLater(remaining_time, self.sendResult, False)
return

self.checkNext()

Issue

The password server breaks the target password into four pieces and stores each on a different server. When a password request is sent to the main server it makes requests to the sub-servers for each part of the password request. It does this in series and if any part fails, then it stops midway through. Password requests may also be made with corresponding URI callbacks and after the server decides on the password makes an HTTP request on the provided URI callbacks saying if the password was success: true or false.
A timing attack looks at how long it took for a password to be rejected and longer times could mean a longer prefix of the password was correct allowing for a directed brute force attack. Timing attacks are prevented in this case by code on the password server that attempts to wait the same amount of time, even if the first sub-server responds with false. However, the server uses sequential outgoing port numbers shared between the requests to the sub-servers and the callback URIs. Accordingly, we can examine the port numbers on our callback URIs to direct a brute force attack.
If the password provided is totally incorrect then the password server will contact one sub-server and then your callback URI. So if you see the remote server's port number go up by two when requesting your callback URI, you know the password is totally incorrect. If by three then you know the first fourth of the password is correct and the rest is incorrect. If by four then two fourths of the password is correct. If by five then four sub-servers were contacted so you need to rely on the actual content of the callback URI request of 'success: true' or 'false' since you can't tell from the port change if the password was totally correct or not.
The trick in the real world is false positives. The port numbers are sequential over the system, so if the password server is the only thing making outgoing requests then its port numbers will also be sequential, however other things on the system can interrupt this. This means that the password server could contact three sub-servers and normally you'd see the port number increase by four, but really it could increase by four or more because of other things running on the system. To counteract this I ran in cycles: brute forcing the first fourth of the password and removing any entry that gets a two port increase and keeping all others. Eventually I could remove all but the correct first fourth of the password. And so on for the next parts of the password.
I wrote my app to brute force this in Python. This was my first time writing Python code so it is not pretty.
PermalinkCommentsbrute-force password python side-channel technical web

laughingsquid: Solitaire.exe, A Real Deck of Cards Inspired by...

2012 Nov 19, 4:56


laughingsquid:

Solitaire.exe, A Real Deck of Cards Inspired by the Windows 98 Solitaire PC Game

PermalinkCommentshumor solitare game cards windows

laughingsquid: Windows 95 Tips, Tricks, and Tweaks Some very...

2012 Nov 14, 5:39


laughingsquid:

Windows 95 Tips, Tricks, and Tweaks

Some very H. P. Lovecraft style redesigns of some classic Win95 UI.

PermalinkCommentshorror humor windows windows-95

thebluthcompany: Hey, guys, remember this? Please don’t forget...

2012 Nov 7, 6:06




thebluthcompany:

Hey, guys, remember this?

Please don’t forget to go out and vote! Find you polling place here.


Voting complete. Now we get more Arrested Development.

PermalinkCommentshumor vote election obama arrested-development

DSL modem hack used to infect millions with banking fraud malware | Ars Technica

2012 Oct 1, 6:33

According to the links within this article, although the root URI of the router requires authentication, the /password.cgi URI doesn’t and the resulting returned HTML contains (but does not display) the plaintext of the password, as well as an HTML FORM to modify the password that is exploitable by CSRF.

The attack… infected more than 4.5 million DSL modems… The CSRF (cross-site request forgery) vulnerability allowed attackers to use a simple script to steal passwords required to remotely log in to and control the devices. The attackers then configured the modems to use malicious domain name system servers that caused users trying to visit popular websites to instead connect to booby-trapped imposter sites.

PermalinkCommentstechnical security html router web dns csrf

Ben Goldacre’s TED talk on publication bias, drug...

2012 Sep 28, 3:55


drug companies hiding the results of clinical trials.

(via I did a new talk at TED, on drug companies and hidden data.)

PermalinkCommentsscience video ted

laughingsquid: hi-Call, A Bluetooth Handset Glove

2012 Sep 26, 6:24


laughingsquid:

hi-Call, A Bluetooth Handset Glove

PermalinkCommentshumor phone cell-phone blue-tooth video

laughingsquid: The Curious Government of the City of London...

2012 Sep 21, 6:10


laughingsquid:

The Curious Government of the City of London (not to be confused with London)

PermalinkCommentslondon politics history video humor

Patent Office tries “Stack Overflow for patents” to find prior art | Ars Technica

2012 Sep 20, 2:27

Welcome news. Glad to hear they’re looking for improvements.

… the USPTO has also worked with Stack Exchange, … to create a new site called Ask Patents. … Examiners or others looking for prior art can post questions about a specific application, and members of the general public can respond with evidence that an applicant was not the first to invent the subject matter of the application.

PermalinkCommentsip law patent stack-exchange technical uspto

laughingsquid: Photos: MakerBot Retail Store in Manhattan

2012 Sep 20, 2:14


laughingsquid:

Photos: MakerBot Retail Store in Manhattan

PermalinkComments3d-printer maker-bot retail

theatlantic: How the 8.5” x 11” Piece of Paper Got Its...

2012 Sep 19, 6:37


theatlantic:

How the 8.5” x 11” Piece of Paper Got Its Size

Why do we use a paper size that is so unfriendly for the basic task of reading? According to a very interesting post by Paul Stanley, the rough dimensions of office paper evolved to accommodate handwriting and typewriters with monospaced fonts, both of which rendered many fewer characters per line. “Typewriters,” he explains, “produced 10 or 12 characters per inch: so on (say) 8.5 inch wide paper, with 1 inch margins, you had 6.5 inches of type, giving … around 65 to 78 characters.” This, he says, is “pretty close to ideal.”

Read more. [Image: Picsfive/Shutterstock]

PermalinkCommentstechnical paper history

laughingsquid: Amp Tee, A Geeky T-Shirt Bringing Together Music...

2012 Sep 18, 2:37


laughingsquid:

Amp Tee, A Geeky T-Shirt Bringing Together Music And HTML Code

PermalinkCommentshumor html ampersand amp shirt t-shirt

New Deal With It

2012 Sep 17, 4:41

nickholmes:

Thanks Internet. 

PermalinkCommentshumor president new-deal
Older EntriesNewer Entries Creative Commons License Some rights reserved.