2015 Feb 17, 5:53
2015 Feb 17, 5:53 2012 Dec 7, 2:07
Level 8 of the Stripe CTF is a password server that returns success: true if and only if the password provided matches the password stored directly via
a RESTful API and optionally indirectly via a callback URI. The solution is side channel attack like a timing attack but with ports instead of time.
(I found this in my drafts folder and had intended to post a while ago.)
Code
def nextServerCallback(self, data):
parsed_data = json.loads(data)
# Chunk was wrong!
if not parsed_data['success']:
# Defend against timing attacks
remaining_time = self.expectedRemainingTime()
self.log_info('Going to wait %s seconds before responding' %
remaining_time)
reactor.callLater(remaining_time, self.sendResult, False)
return
self.checkNext()
Issue
The password server breaks the target password into four pieces and stores each on a different server. When a password request is sent to the main server it makes requests to the sub-servers
for each part of the password request. It does this in series and if any part fails, then it stops midway through. Password requests may also be made with corresponding URI callbacks and after the
server decides on the password makes an HTTP request on the provided URI callbacks saying if the password was success: true or false.
A timing attack looks at how long it took for a password to be rejected and longer times could mean a longer prefix of the password was correct allowing for a directed brute force attack. Timing
attacks are prevented in this case by code on the password server that attempts to wait the same amount of time, even if the first sub-server responds with false. However, the server uses
sequential outgoing port numbers shared between the requests to the sub-servers and the callback URIs. Accordingly, we can examine the port numbers on our callback URIs to direct a brute force
attack.
If the password provided is totally incorrect then the password server will contact one sub-server and then your callback URI. So if you see the remote server's port number go up by two when
requesting your callback URI, you know the password is totally incorrect. If by three then you know the first fourth of the password is correct and the rest is incorrect. If by four then two
fourths of the password is correct. If by five then four sub-servers were contacted so you need to rely on the actual content of the callback URI request of 'success: true' or 'false' since you
can't tell from the port change if the password was totally correct or not.
The trick in the real world is false positives. The port numbers are sequential over the system, so if the password server is the only thing making outgoing requests then its port numbers will also
be sequential, however other things on the system can interrupt this. This means that the password server could contact three sub-servers and normally you'd see the port number increase by four,
but really it could increase by four or more because of other things running on the system. To counteract this I ran in cycles: brute forcing the first fourth of the password and removing any entry
that gets a two port increase and keeping all others. Eventually I could remove all but the correct first fourth of the password. And so on for the next parts of the password.
I wrote my app to brute force this in Python. This was my first time writing Python code so it is not pretty.
brute-force password python side-channel technical web 2012 Jul 16, 1:59
Former FireFox developer on the switch to their continuous update cycle.
Oh no, Chrome is doing such-and-such; we’d better do something equivalent or we’ll fall behind! We thought we needed a rapid update process like Chrome. We were jealous of their rapid update
capability, which let them deploy improvements to users continuously. We had to “catch up” with Chrome’s updating capability.
Dealing with servicing on IE for years had led me to some of the same thoughts when I heard FireFox was switching to continuous updates.
firefox via:ericlaw web-browser technical web browser servicing update software 2012 May 11, 6:28
We never recovered the bicycle, of course. The lock itself wasn’t attacked at all, as you can see.
technical moral-of-the-story security via-ericlaw lock 2010 Mar 11, 4:26The iPhone application lifecycle.
iphone apple development technical sdk reference 2010 Mar 10, 5:21The lifecycle of an Android application. How to gracefully handle getting paused, stopped, etc.
android activity application technical programming lifecycle 2009 Aug 21, 9:01Humorous no reward bike missing signs.
humor bike missing sign photo 2009 Jul 31, 6:04An electric unicycle controlled in a similar manner as the Segway.
humor photo unicycle transportation segway diy hardware howto via:swannman 2009 Jul 27, 11:28Olivia Wilde (I know her from House) who will appear in Tron Legacy gives an interview at Comic-Con that includes "...her experiences working with Jeff Bridges (she had to put her fist in her mouth
to not ask about “The Dude”)."
humor interview house olivia-wilde tron tron-legacy wired jeff-bridges dude video 2009 Jul 23, 10:22Using dumpsters (clean ones) as pools
dumpster pool recycle 2009 Apr 7, 11:58
This past week I finished Anathem and despite the intimidating physical size of the book (difficult to take and read on the bus) I became very engrossed and was able to finish it in several orders of
magnitude less time than
what I spent on the Baroque
Cycle. Whereas reading the Baroque Cycle you can imagine Neal Stephenson sifting through giant economic tomes (or at least that's where my mind went whenever the characters began to explain
macro-economics to one another), in Anathem you can see Neal Stephenson staying up late
pouring over philosophy of mathematics. When not
exploring philosophy, Anathem has an appropriate amount of humor, love interests, nuclear bombs, etc. as you might hope from reading Snow Crash or Diamond Age. I thoroughly enjoyed Anathem.
On the topic of made up words: I get made up words for made up things, but there's already a name for cell-phone in English: its "cell-phone". The narrator notes that the book has been translated
into English so I guess I'll blame the fictional translator. Anyway, I wasn't bothered by the made up words nearly as much as some folk. Its a good thing I'm long
out of college because I can easily imagine confusing the names of actual concepts and people with those from the book, like Hemn space for Hamming distance. Towards the beginning, the description
of slines and the post-post-apocalyptic setting reminded me briefly of Idiocracy.
Recently, I've been reading everything of Charles Stross that I can, including about a month ago, The Jennifer Morgue from the surprisingly awesome amalgamation genre of spy thriller and Lovecraft
horror. Its the second in a series set in a universe in which magic exists as a form of mathematics and follows Bob Howard programmer/hacker, cube dweller, and begrudging spy who works for a
government agency tasked to suppress this knowledge and protect the world from its use. For a taste, try a short story from the series that's freely available on Tor's website, Down on the Farm.
Coincidentally, both Anathem and the Bob Howard series take an interest in the world of Platonic ideals. In the case of Anathem (without spoiling anything) the universe of Platonic ideals, under a
different name of course, is debated by the characters to be either just a concept or an actual separate universe and later becomes the underpinning of major events in the book. In the Bob Howard
series, magic is applied mathematics that through particular proofs or computations awakens/disturbs/provokes unnamed horrors in the universe of Platonic ideals to produce some desired effect in
Bob's universe.
atrocity archives neal stephenson jennifer morgue plato bob howard anathem 2009 Jan 7, 6:15Ridiculously awesome creations of odd bicycles and creative things made from bicycle parts: "Introducing Cyclecide, an inventive band of Bay Area performance artists who make creations out of
materials from the junkyard. These Makers create everything from amusement park rides to outrageous bicycle contraptions to found-object sculpture."
video make bicycle tv 2008 Oct 13, 2:40Watch out for too good to be true washing services (or free network traffic anonymization): "The laundry would then send out "color coded" special discount tickets, to the effect of "get two loads
for the price of one," etc. The color coding was matched to specific streets and thus when someone brought in their laundry, it was easy to determine the general location from which a city map was
coded. While the laundry was indeed being washed, pressed and dry cleaned, it had one additional cycle -- every garment, sheet, glove, pair of pants, was first sent through an analyzer, located in
the basement, that checked for bomb-making residue." From the comment section of Schneier on Security on this topic: "Yet another example of how inexpensive, reliable home washers and dryers help
terrorists. When will we learn?"
security history laundromat ira terrorism bomb 2008 May 18, 6:45
While re-reading Cryptonomicon I thought
about what kind of information I'm leaking by posting links on Delicious. At work I don't post any Intranet websites for fear of revealing anything but I wondered if not posting would reveal
anything. For instance, if I'm particularly busy at work might I post less indicating something about the state of the things I work on? I got an archive of my Delicious posts via the Delicious API
and then ran it through a tool I made to create a couple of tables which I've graphed on Many Eyes
I've graphed my posts per week and with red lines I've marked IE7 and IE8 releases as stated by Wikipedia. As you can see, there doesn't seem to be much of a pattern so I suppose my concerns
we're unfounded. I use it for both work and non-work purposes and my use of Delicious isn't that consistent so I don't think it would be easy to find a pattern like I was thinking about. Perhaps if
many people from my project used Delicious and that data could be compared together it might be easier.
For fun I looked at my
posts per day of week which starts off strong on Mondays and decreases as the
week goes on, and my
posts per hour of day. It looks like I mostly post around lunch and on the extremes I've
only posted very late at night twice at 4am:
converting media for the Zune, and
Penn's archive of articles. In the morning at 7am I've posted only once:
document
introducing SGML.
manyeyes graph cryptonomicon delicious 2008 May 2, 10:20
![[The cover of Cryptonomicon]](http://images.amazon.com/images/P/0380788624.01._SX140_SCLZZZZZZZ_.jpg)
![[The cover of Quicksilver]](http://images.amazon.com/images/P/0060593083.01._SX140_SCLZZZZZZZ_.jpg)
![[The cover of The Confusion]](http://images.amazon.com/images/P/0060733357.01._SX140_SCLZZZZZZZ_.jpg)
![[The cover of The System of the World]](http://images.amazon.com/images/P/0060750863.01._SX140_SCLZZZZZZZ_.jpg)
I've finally finished the Baroque Cycle, a historical fiction series set in the 17th and 18th centuries by Neal Stephenson whose work I
always enjoy. There were often delays where I'd forget about the books until I had to take plane somewhere, or get discouraged reading about the character's thoughts on economics, or have
difficulty finding the next volume, or become more engrossed in other books, projects or video games, and leave the Baroque Cycle books untouched for many months at a time. Consequently, my reading
of this series has, I'm ashamed to say, spanned years. After finishing some books which I enjoy I end up hungry for just a bit more to read. For this series I don't need a bit more to read, I'm
done with that, but I do want a badge or maybe a medal. Or barring that, college credit in European History and Macro Economics. I can recommend this book to anyone who has enjoyed Neal
Stephenson's other work and has a few years of free time to kill.
history neal stephenson baroque cycle book nontechnical 2008 Jan 25, 1:49Article on consumer electronics waste, recycling, and associated companies.
via:ethan_t_hein article electronics recycle nytimes cellphone phone 2007 Dec 27, 3:36Mark Liberman suggests the paper on which recent articles like "Humor Develops From Aggression Caused By Male Hormones, Professor Says" was a joke. The paper is based on determitologist's notes on
reactions to his unicycle riding.
article blog language language-log mark-liberman sam-shuster science unicycle humor bad-science 2007 Aug 6, 4:07I've moved from my previous apartment in Redmond into Sarah's condo in Kirkland. Over the past week I'd been coming home from work and packing and sorting all of my belongings. Everything had a few
destination options:
- Sarah's condo
- Storage
- My office
- Recycle/Donate
I donated two carts of computer related junk (two CRTs, two desktops, six laptops, untold number of cables, piles of network and sound cards, etc) to
RE-PC and
six garbage bags of clothing that I either never wear or into which I have worn holes into friendly looking clothing donation bins. Of course I still need to find some place to get rid of my 15 inch
CRT TV, VCR, DVD player, and X-Box. I finally emptied my bags of coins that had been collecting for about seven years (one of the bags was from my college orientation) through Coinstar and got ~$160.
Some items seemed to fit very well at work like my
satirical RIAA propaganda poster and my
Darth Vader Nutcracker. This past weekend I had movers come and actually move my furniture. Most of its now in storage except for
my living room which is moved into Sarah's second bedroom. Now all I have to do is unpack...
move personal repc recycle nontechnical 2007 Jul 31, 3:09RE-PC takes computer and computer hardware related (cables, printers, etc etc) donations and either recycles them via refurbishing and reselling or recycling the components of the dontations through
enviro. friendly means.
hardware seattle pc recycle shopping purchase donate
Some rights reserved