contact - Dave's Blog


theatlantic: 'Please Contact Us': It's Been a Tough Week for...

2013 Oct 11, 9:25


theatlantic:

'Please Contact Us': It's Been a Tough Week for the Nobel Prize's Twitter Feed

Tales of temporary rejection from an organization not used to being ignored.


Tags: humor nobelprize twitter

Stripe CTF - Level 8

2012 Dec 7, 2:07
Level 8 of the Stripe CTF is a password server that returns success: true if and only if the provided password matches the stored password. The result is returned directly via a RESTful API and optionally indirectly via a callback URI. The solution is a side-channel attack, like a timing attack but with ports instead of time.

(I found this in my drafts folder and had intended to post a while ago.)

Code

    def nextServerCallback(self, data):
        parsed_data = json.loads(data)
        # Chunk was wrong!
        if not parsed_data['success']:
            # Defend against timing attacks
            remaining_time = self.expectedRemainingTime()
            self.log_info('Going to wait %s seconds before responding' %
                          remaining_time)
            reactor.callLater(remaining_time, self.sendResult, False)
            return

        self.checkNext()

Issue

The password server breaks the target password into four pieces and stores each on a different sub-server. When a password request is sent to the main server, it makes a request to a sub-server for each part of the password. It does this in series, and if any part fails, it stops midway through. Password requests may also be made with callback URIs; after the server decides on the password, it makes an HTTP request to each provided callback URI saying whether the result was success: true or false.
A timing attack looks at how long it took for a password to be rejected; a longer time could mean a longer prefix of the password was correct, allowing for a directed brute-force attack. Timing attacks are prevented in this case by code on the password server that attempts to wait the same amount of time, even if the first sub-server responds with false. However, the server uses sequential outgoing port numbers shared between the requests to the sub-servers and the requests to the callback URIs. Accordingly, we can examine the source port numbers of the requests to our callback URIs to direct a brute-force attack.
If the password provided is totally incorrect, then the password server will contact one sub-server and then your callback URI. So if you see the remote server's port number go up by two when requesting your callback URI, you know the password is totally incorrect. If by three, then you know the first fourth of the password is correct and the rest is incorrect. If by four, then two fourths of the password are correct. If by five, then four sub-servers were contacted, so you need to rely on the actual content of the callback URI request, 'success: true' or 'false', since you can't tell from the port change whether the password was totally correct or not.
The trick in the real world is false positives. The port numbers are sequential over the system, so if the password server is the only thing making outgoing requests then its port numbers will also be sequential; however, other things on the system can interrupt this. This means that the password server could contact three sub-servers and normally you'd see the port number increase by four, but really it could increase by four or more because of other things running on the system. To counteract this I ran in cycles: brute forcing the first fourth of the password and removing any entry that gets a two port increase and keeping all others. Eventually I could remove all but the correct first fourth of the password. And so on for the next parts of the password.
I wrote my app to brute force this in Python. This was my first time writing Python code so it is not pretty.
Tags: brute-force password python side-channel technical web
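
The port-counter leak described in this post, modelled as a small simulation (an added example, not code from the original post or from Stripe's server). The `Host` class, the constructed `SECRET` chunks, the noise model and the `query_all` mitigation are assumptions made for illustration; the model reproduces the 2/3/4/5 deltas, shows that background traffic can only inflate them, and shows that contacting every sub-server regardless of the result makes the delta constant.

```python
import random

SECRET = ["123", "456", "789", "012"]  # constructed: four chunks, one per sub-server


class Host:
    """Toy model of the server host: one system-wide sequential source-port counter."""

    def __init__(self, noise=0.0, seed=0):
        self.port = 40000
        self.noise = noise              # chance another process takes a port first
        self.rng = random.Random(seed)

    def connect(self):
        while self.rng.random() < self.noise:
            self.port += 1              # unrelated outbound connection on the box
        self.port += 1
        return self.port


def handle(host, guess, query_all=False):
    """Check chunks in series, then call back; returns (success, callback source port)."""
    ok = True
    for got, want in zip(guess, SECRET):
        host.connect()                  # outbound request to one sub-server
        if got != want:
            ok = False
            if not query_all:           # behaviour in the post: stop at first wrong chunk
                break                   # query_all=True is the hypothetical mitigation
    return ok, host.connect()           # outbound request to the callback URI


def delta(host, guess, **kw):
    """Port increase seen by the callback receiver between two consecutive requests."""
    _, before = handle(host, ["x"] * 4, **kw)
    _, after = handle(host, guess, **kw)
    return after - before


def leak_table(**kw):
    """Deltas for guesses whose first 0, 1, 2, 3 and 4 chunks are correct."""
    guesses = [SECRET[:n] + ["x"] * (4 - n) for n in range(5)]
    return [delta(Host(), g, **kw) for g in guesses]
```

`leak_table()` gives the leaking deltas and `leak_table(query_all=True)` the constant ones; randomizing source ports on the host would remove the shared counter altogether.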

Re: [FileAPI] File.slice spec bug from Jonas Sicking on 2011-04-12 (public-webapps@w3.org from April to June 2011)

2011 Apr 14, 11:27
If only all web compat issues were so easily fixed: "If someone knows about any websites I can personally take care of contacting them and trying to get them fixed."
Tags: w3c reference file api standard

The Contacts API

2010 Mar 2, 5:25
HTML5 Contacts API allows HTML pages access to a user's contacts info.
Tags: contact business-card html html5 api javascript technical w3c reference

MetLife Home Loans - Bobbi Moody

2009 Mar 22, 10:33
Bobbi Moody contact info.
Tags: bobbi-moody home home-loan

25 ideas: Creating An Open-Source Business Model For Newspapers

2009 Feb 26, 11:52
This is what I'd like in a newspaper: "1: Focus on original content, do not rewrite wire stories or press releases." and "2: Focus on hyper-local coverage, newspapers should "own" their regional beat because they have the best contacts and the best understanding of local companies and issues."
Tags: via:sambrook newspaper advertising business journalism internet

Sarah Palin's Hacked Yahoo Email Account Timeline

2008 Sep 18, 10:05
Sarah Palin's Yahoo email addresses were hacked. I agree with the commenter: "I was just about to post how I feel bad for her despite disagreeing with most of her politics. There are plenty of legitimate reasons to attack her (or any politician), but this is clearly personal, not politics. From what I've read, this wasn't even the account she used for those communications she wanted to hide from subpoena, so the vigilante justice angle is BS. This is just plain mean." Although the last sentence of the following made me laugh: "A good samaritan in the /b/ thread reset the password account with the intention of handing it over to Palin, a process known on /b/ as "white knighting". This locked everyone else out of the account. The "white knight" posted a screenshot to /b/ of his pending message to one of Palin's contacts about how to recover the account, but made the critical mistake of not blanking out the new password he set."
Tags: security politics hack privacy government legal email yahoo

Yahoo! Search Blog: Yahoo! Chats with Semantic Web Expert, Ben Adida

2008 Sep 16, 3:57
Interview with Ben Adida on RDFa: "...RDFa is ready. It has just been approved by the W3C as a Candidate Recommendation, with the specific text of the specification and a brand new Primer published on June 20th. Y!: What can I do with RDFa? BA: You can tell the world what various components on your web page mean by marking up things like: The title of a photo Your name and contact information The license under which you're distributing your latest MP3 The ingredients of a cooking recipe The price of an item A gene on which you recently wrote a paper ... Anything that you want to make more machine-readable"
Tags: rdf microformats yahoo semantic interview ben-adida semanticweb via:felix42

Register to Vote in Washington State

2008 Sep 11, 1:02
Register to vote in Washington State online. "You must complete a voter registration form if you are registering for the first time in Washington or if you have moved to a new county. If you have moved within the same county, you may transfer your registration by completing a new form or contacting your County Auditor by mail, email, or phone. There is no registration by political party in Washington state."
Tags: politics government vote washington elections registration

Finished Paper Mario Games

2008 May 12, 4:05

Sarah and I have finished playing through the games "Paper Mario", "Paper Mario: The Thousand-Year Door", and "Super Paper Mario" last week (including the various Pits of 100 Trials). We played them all on the Wii, because even though Super Paper Mario was the only one released explicitly for that platform, Wii maintains compatibility with Game Cube games such as Thousand-Year Door and Paper Mario although originally released for the Nintendo 64 is now available as a pay for download game on the Wii's Virtual Console. So, yay for Nintendo!

I think my favorite of the three is Thousand-Year Door mostly because of the RPG attack system. In Thousand-Year Door and Paper Mario when you come into contact with an enemy you go into an RPG style attack system where you take turns selecting actions. In Super Paper Mario you still have hit points and such, but you don't go into a turn based RPG style attack system, rather you do the regular Mario jumping on bad guys thing (or hitting them with a mallet etc...). Thousand-Year Door and Paper Mario are very similar in terms of game play but Thousand-Year Door looks very pretty and has made improvements to how your party-mates are handled in battle (they have HP and can fall as you would expect) and there's an audience that cheers you on during your battles.

Even if the gameplay sucked the humor throughout the series might be tempting enough. Mario's clothing and mustache are mocked throughout and standard RPG expectations are subverted. I hate to describe any of these moments for fear of ruining anything but, for instance, an optional and very difficult enemy who may only be killed after hours of work only results in one experience point, or a very intimidating enemy who you imagine you'll have to fight actually challenges you to a quiz.

Despite how I personally rank them, all the games are great and I'd recommend any of them.

Tags: mario videogame paper mario nontechnical

Plane Wackiness

2004 Apr 22, 6:44
My interview was scheduled for Monday starting at 8am, so when I signed up for the trip and MS suggested a departure time of 4:30pm on Monday I thought that'd be good. Unfortunately the entire process ended at 4:15pm and it takes a little more than 15 minutes to get from Redmond to Seattle and then through the whole airport deal. So after the taxi ride to the airport and waiting in line for like 20 minutes it's 5:30pm and I'm at the front of the line asking this woman for a new ticket.

Woman: *typing* Well I can get you to LA...
Me: Yeah well that's the right state.
Woman: *still typing* Oh... Hmm... Uhoh... *other non-words*
Me: *waiting patiently* ...
Woman: Are you ready to run? Here's your ticket. Gate C11.

I look at the ticket and the plane's boarding at, what do you know?, 5:30pm. So yeah I start running. I hit the security check point line and I know all about this. I take off my belt and shoes and empty my pockets into my backpack, my only luggage. I am Mr. Prepared, or maybe Prepared-ness is my middle name, whatever. I get through the line with no problem, put on my backpack and holding my shoes and belt in one hand I notice a big old clock just to my left. While I'm staring at it, it changes from 5:42 to 5:43. "Oh shit!" I think, so I start running again. I finally get to the appropriate gate and get on the plane all out of breath. I'm walking down the aisle with shoes and belt in hand, and I guess I look a bit out of sorts. I sit in my seat and I'm telling the guy next to me about my whole deal: "Ha. Yeah. I was late and with the running and the security checkpoint..." into incoherent mumbling and gesturing. So it turns out the pilot and copilot's incoming flight was way late and I ended up sitting in my seat for another 15 minutes before we could take off. All that wasted running. What a shame. Coming into LA we've been "landing" for like 20 minutes. We finally get on the ground and it's 30 minutes past the boarding time of my connecting flight. I start thinking about anyone I know who lives in LA. All the other passengers stand up and block the aisle. Then, an announcement "Will Daniel Riesney please come to the front of the plane." OK I can tell that's supposed to be my name, but how the hell am I supposed to get to the front of the plane? The people near me who have heard me talking to the guy next to me about this let me past easily enough. But now I have to explain this to each person out of earshot to further my progress. "Hi. Excuse me. They called me to the front of the plane. Pardon me. Can I get by." And so on. It's getting more hostile the closer I get to first class. Up to this one guy. He's trying to talk on his cell phone but it's not working because everybody is trying to talk on their cell phone now that we've landed. His phone connection has failed. I can't guess at what else has happened to him today but he's decided to make his Custerian last stand here between me and the rest of the plane.

Me: *continuing from previous passengers* Excuse me. Pardon me.
Guy: *spinning around* WHAT!?
Me: Can I please get by?
Guy: What? Why? We're not going anywhere!
This whole time I've been forcing my way past him.
Guy: There OK you're past me now! You're several feet ahead of me! Congratulations!
Me: Dude, I'm sorry they called me to the front of the plane.
Guy: I find that highly unlikely!

Whatever. I keep walking and like 7 people past the asshole I guess the flight attendants give up on me and start letting people off the plane. Now who feels like an asshole? It's me. I get off the plane and some airport guy has a new schedule for me. Oh good I'm thinking, I've got an hour until the next flight's boarding time at 10:30pm. So I get on a tram to travel to the other side of LAX. I wait for oncoming traffic to stop so I can climb up a stopped escalator (Incidentally right next to it is another escalator which has been closed off. Why would they do that? Escalators cannot break they just become stairs.) I get up there and wait in line for an extreeeeme amount of time and finally get up to claim my ticket. It's 10:20. I get my ticket and, yeah, the departure time is 10:30, the boarding time is 10:10. So I start running again. More security check fun. I finally find my boarding gate. I rush up...

Me: *breathing heavy* Here's my ticket
Lady: Oh good you're finally here. Just go right out that door, *points* down the stairs, *more pointing* and wait for the tram.

WHAT? Isn't there supposed to be a PLANE somewhere? This is what I'm thinking not what I'm saying. So I walk outside and down these steps. And I'm waiting. The lady from inside joins me.

*awkward silence*
Lady: The bus should be here pretty soon.
Me: So... I'm going to miss my plane huh?
Lady: Oh no, see here? *points at my ticket* Your ticket is confirmed so they can't leave without you.
Me: Oh good... I hope they didn't tell the other passengers that.

Let's see how many passengers I can piss off in one night. Eventually this bus shows up. I get in and the guy starts driving. "Do you know where I'm going?" I ask. "Yeah" the guy says. Great. Fine. Whatever. I don't care anymore. So we drive back around to the OTHER SIDE of the airport. You know, the side I started on. Yeah that side. So I get off the bus and walk into the small building set aside for smaller airlines. I see the frantic looking ladies manning another of these gates. They see me, check my ID and ticket, and one of them ushers me out the door next to the gate. Out the door and into a small gated area outside. So me and this new lady are just standing here. Even had I the energy to ask her what was going on it's very loud what with all the planes. So we just stand here at this gate facing the planes for a while. I look at her trying to make eye contact and get some sort of acknowledgment that we are in fact waiting for SOMETHING. Eventually one of the day-glow guys appears from between some planes and saunters up. The lady hands him a paper and walks away. At the time I was kind of offended but looking back on it, maybe the lady was a deaf mute and I'm the one being insensitive. So now I follow this guy through a bunch of planes. I'm yelling "San Luis Obispo?" trying to be heard over all the ambient noise and this guy is somehow responding to me with an even tone no yelling required. I don't know how he did that. We finally get to the plane and it's 10:40. So I delayed the flight ten minutes. I'm thinking it's going to be really awkward when I sit down and we immediately leave. It's going to be suspicious even. But, not to worry, we wait while the flight attendant argues with the guy who brought me to the plane for another ten minutes about how many people are supposed to be on the plane. Whatever.
Creative Commons License Some rights reserved.