aviewanew

r/HackBloc Holiday Bitcoin Fundraising Drive for Crypto.is by [deleted] in HackBloc

[–]aviewanew 1 point2 points ago

I'm @tjr on #cryptodotis, one of the other main participants. I don't want to go so far as to say they're scammers, but I will publicly go "Huh guys? Why not talk to us about this first"

I'm not sure how up to date this is (I think we've had a donation or two, and I'm not sure what money is actually cashed out and accessible and not in bitcoin/weepay), but here's our finances: https://public.sheet.zoho.com/public/sirvaliance/the-crypto-project-balance-sheet

We haven't really discussed this yet, but I expect that if we have the $ for a year's worth of expenses available (a year's worth of runway), excess would be used to run more services: tor, notaries, and/or remailers. Maybe a Tahoe Grid, but that one's tricky.

Thanks for everyone's interest though, the upvotes are very encouraging! Hopefully any donations made eventually wind up supporting us =)

Looking for a hex editor to analyze files by sirin3 in ReverseEngineering

[–]aviewanew 7 points8 points ago

010 Editor. Not open source, but very good, and the best editor I've seen for opening large files (gigabyte size).

Nice how-to on factoring RSA512 by wtfomglolz in crypto

[–]aviewanew 1 point2 points ago

That's me! If you have questions, feel free to ask and I'll get back to you in some indeterminate amount of time. (Probably quickly, but I'm heading on holiday soon, so no guarantees.)

Slide Attack Tutorial by jkthecjer in crypto

[–]aviewanew 0 points1 point ago

Awesome, good writeup. You should look at the recent stuff on GOST - Adi Shamir explained it in a lecture at MIT a bit ago I sat in on, and it was pretty easy to follow. It was one of those cases where a guy looked at GOST and was like, well... what if I do a slide attack, and then everyone went "Oh, duh!" and lots of cryptanalysis followed. It's a good practical demonstration of Slide Attacks that's not too hard to follow.

How to know what cipher is being used for IMAP over TLS? by memechaser in netsec

[–]aviewanew 0 points1 point ago

I heard a mention somewhere on a list that Google uses RC4 for most of its stuff because some of its cryptographers had mad feelings about CBC mode prior to BEAST being announced. (Maybe they switched in that pre-public-notice phase, but I'm not sure.)

Screencap from movie The Mechanic: Encrypted Message is *almost* actually legit. by aviewanew in crypto

[–]aviewanew[S] 7 points8 points ago

And to finish off the detective work: They copied the middle three lines and pasted them repetitively to fill up the whole page, and updated the date created to be more recent. Thanks!

Screencap from movie The Mechanic: Encrypted Message is *almost* actually legit. by aviewanew in crypto

[–]aviewanew[S] 6 points7 points ago

I briefly thought about typing this in so I could discover what email address they used to generate it... but no.

Can someone explain (or link to an explanation of) the math behind PKI? How can something be encrypted by one key but only decrypted by another key? by [deleted] in netsec

[–]aviewanew 2 points3 points ago

ElGamal is another public key cryptosystem, similar to RSA, but with different math. But it's not too difficult to follow. Here's my attempt at explaining it.

What is the correct response when one of "us" does something unethical? by jjhare in netsec

[–]aviewanew 8 points9 points ago

I'm in NYC and never heard of this guy. Is he actually infosec? Or just another talking head who helps you 'secure' your organization with a bunch of interviews and never actually looking at a computer?

Is anyone using Convergence? What are your thoughts so far? by vampiricrogu3 in netsec

[–]aviewanew 1 point2 points ago

If you want help setting up a notary or complaining about its problems, we've got some experience: OFTC #cryptodotis

Iran forged the wrong SSL certificate by perciva in netsec

[–]aviewanew 8 points9 points ago

Geez that's subtle. I'm wrapping my mind around it, because he didn't clarify. Here's my attempt.

Don't load the Google Analytics javascript when your site is accessed via HTTPS.

In other words, only load it over HTTP.

  • So, if your site only processes sensitive data over HTTPS - this protects you because if someone targeted ssl.google-analytics.com for middling they lose a foothold into your site. It doesn't protect you if they targeted you or any other 3rd party library you use.

  • If your site processes sensitive data over HTTP - this would let them still automatically middle your traffic and tamper it - but they'd be able to target you specifically even without GA because it's HTTP. It does make it more automatic-easy for them.

  • If your site doesn't process sensitive data, but is still HTTPS-only - this protects users from other auto-inserted shenanigans (browser exploits, or a more esoteric attack like cross site printing).

  • If your site doesn't process sensitive data, but is partly/all HTTP - they would be able to deploy a mass-targeted shenanigan attack against your site, but again - they'd be able to do that no matter what because it's HTTP.

Or, and I haven't tested this or know if it works, you could come up with some hackish proxy system where you get the GA code on your server and pass it down, in which case no connection is made to ssl.google-analytics.com by the client. It may not work though - google might have javascript to check for this in the GA code, and while it is possible to rewrite the javascript on the server - defeating google's obfuscation and updates is probably not practical.

Also, as far as I know, the list of certs targeted has not been fully revealed. Torproject was able to get some information. It's possible ssl.google-analytics.com was targeted.

Reason #50302 why I can't leave my desk unattended. by MoshingPanda in pics

[–]aviewanew 1 point2 points ago

Open image.

Close image.

Wait a minute.

Open Image again.

Action figure is right... Keyboard is possible... Monitor stand is right... Desktop decorations are unknown. Time to check username!

Yup.

Hey Beef.

Volleyball. by laketrash in pics

[–]aviewanew 2 points3 points ago

An easy to use crypto tool (with mobile interface) that a friend and I came up with: CryptBro! by lachiemx in crypto

[–]aviewanew 3 points4 points ago

I've looked at a lot of these, even broken one when I had the time. I don't really like them.

BUT, for something I don't like and wouldn't use, this is one of the better ones. Couldn't find a reasonable flaw in the 5 minutes before my shower. I'll put a nickel on not using Ephemeral SSL keys though. =P

Since you seem to be a good developer, with a good sense of UI, what I'd really like to see, that'd get a lot more use, is a similar page but had a ton of algorithms, and showed the intermediate states as the encryption/decryption occurs, with test vectors. That'd be an interesting learning tool. I still haven't played with it much, but it might be something like an online http://www.cryptool.org/

LulzSec teams up with Anonymous "and all affiliated battleships" by sayhar in netsec

[–]aviewanew 0 points1 point ago

Anything's possible, but I'll tell weev tonight someone's speculating he's part of lulzsec. =P

Reverse engineering of the NSA's public key by isisgrimalkin in crypto

[–]aviewanew 1 point2 points ago

So - yea, GPU factoring can speed things up. And msieve has GPU support for Polynomial Selection. But the problem is the rest of the tools. Writing your own siever or linear algebra-doing app would be super hard, like Doctoral Thesis-level hard, or harder. You'd have to implement Lanczos (which has a public implementation) or Wiedemann (which doesn't to my knowledge) which are themselves super-complicated. I've been told anecdotally that the author of the main implementation of Lanczos used (msieve) doesn't even understand how it works, he just gets it enough to implement it. And then you're getting into issues of fitting the whole thing in memory and whether or not the GPU efficiencies (doing the same operation N times in parallel) work with those algorithms. I like to hand-wave at things like this and say "The NSA has done it (or should have done it) but unless and until someone pays a half-dozen Math/CS PhD's for a couple years just for shits and giggles..."

Reverse engineering of the NSA's public key by isisgrimalkin in crypto

[–]aviewanew 0 points1 point ago

That's not that lucky - the Linear Algebra takes ~22 hours, the Sieving, which is sped up by a good polynomial, takes only a couple and the rest of my 36 hours was a couple for poly selection, a couple for data transfer, and a couple leeway/whatever. Sieving can be parallelized to 30 minutes in a local network really. I actually have a presentation about this - poly selection, sieving, and in general distributing any application easily over hundreds/thousands of machines - hoping it gets accepted at #days or ekoparty.

Reverse engineering of the NSA's public key by isisgrimalkin in crypto

[–]aviewanew 1 point2 points ago

It's not a matter of 'getting lucky' - the GNFS is a 3-step process that you have to run to completion. I can factor a 512-bit key in ~36 hours (and have), but I'll never 'get lucky' and get it in 12 hours.

Trying to factor anything higher than... 300 bits or so without the GNFS won't work. I mean yea in theory you could 'get lucky' with trial division, but the odds are astronomically small.
