For my birthday, I'm doing a charity 53K run supporting Utah Foster Care.

I chose Utah Foster Care, because I want to help kids find connection, safety, and hope.

I’m hoping to raise $500 by June 9. If met, XMission will match your $500.

Here's my re-

I'm Aaron Toponce, security researcher, Linux system administrator, cryptography hobbyist, marathon runner, bookworm, coffee nerd, and exmormon.

I wrote the ZFS administration guide at I guest lecture at a couple local universities regarding random number generator design. I also contract teach Red Hat certification courses as time permits.

I'm a novice developer, competent in Python and JavaScript, while learning Rust.

No politics here.

Awesome Hacker Search Engines

A list of search engines useful during penetration testing, vulnerability assessments, red team operations, bug bounty and more.

It's crazy how slow this is, but better done right than hurried.

Almost caught up with the 5.x series of patches, then I need to go through the 1.3, 2.*, and 3.x series to make sure I did everything correctly.

Once I know I have every patch, and I can recreate the current random.c from 1.3 I'll probably put this up on GitHub.

CafePress fined $500,000 by the FTC for covering up a data breach impacting more than 23 million customers and failing to protect their data.

They had a history of security breaches and sloppy security practices going back to 2018.

The takeaway?

- Monitor your IDS.
- Run pentests.
- Fix vulnerabilities.
- Patch systems.
- Perform regular audits.

Firefox uses the ~/.mozilla/ directory instead of the XDG specification when saving data in your home dir.

So here's an 18-year-old bug.

(Notice also that Google allows the 0x20 whitespace character in passwords.)

Just because a service provider has password length maximums, does not imply that they are storing your password in plaintext (Unix descrypt has an 8 character max).

Case in point, Google caps their password lengths to 100 characters, as shown in these screenshots.

Probably getting close to a new webpassgen release.

I should probably make sure any pushes that also need to be applied to its nodepassgen sister project get applied.

Anyway, that's all I got.

Recording screencasts in GNOME sucks BTW.

Why use mouse randomness at all?

I can think of a couple reasons. You don't trust the system RNG is sufficiently seeded. Or you worry the system RNG is backdoored, but it's not actively compromising userspace applications.

It *is* a bit "90s crypto" however.

Some observations:

- bitaddress\.org using RC4 probably should be replaced. Spritz is an easy drop-in replacement.
- All except webpassgen make unfounded assumptions about entropy.
- All projects are mixing in the x-y coords with the system CSPRNG (except bitaddress\.org).

Finally, my project webpassgen.

This generates an animated bitmap using crypto.genRandomValues(). The pixel value at the x-y coord is added to a pool, then von Neumann debiased.

When generating passwords, the entropy is mixed with crypto.genRandomValues() with XOR.

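The pool-then-mix flow described in the post above (pixel samples into a pool, von Neumann debiasing, XOR with CSPRNG output), as an added example that is not webpassgen's own code. The function names, the byte-wise bit unpacking, and the sample values are assumptions; the CSPRNG call is the Web Crypto `crypto.getRandomValues()`.

```javascript
// Added illustration, not webpassgen's source. All names are hypothetical.
// Use the global Web Crypto object, falling back to Node's module export.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// Unpack bytes into bits, most significant bit first (assumed ordering).
function toBits(bytes) {
  const bits = [];
  for (const b of bytes) {
    for (let i = 7; i >= 0; i--) bits.push((b >> i) & 1);
  }
  return bits;
}

// Von Neumann debiasing: read non-overlapping pairs, emit the first bit of
// each unequal pair (01 -> 0, 10 -> 1), and discard 00 and 11 entirely.
function vonNeumann(bits) {
  const out = [];
  for (let i = 0; i + 1 < bits.length; i += 2) {
    if (bits[i] !== bits[i + 1]) out.push(bits[i]);
  }
  return out;
}

// Pack bits into whole bytes; a trailing partial byte is dropped.
function toBytes(bits) {
  const out = new Uint8Array(Math.floor(bits.length / 8));
  for (let i = 0; i < out.length * 8; i++) {
    out[i >> 3] |= bits[i] << (7 - (i & 7));
  }
  return out;
}

// XOR the pool into an equal-length stream. If the stream is uniform and
// independent of the pool, the result is uniform whatever the pool holds.
function xorMix(pool, stream) {
  if (pool.length !== stream.length) throw new RangeError("length mismatch");
  return pool.map((b, i) => b ^ stream[i]);
}

// Full flow: samples -> debiased pool -> XOR with fresh CSPRNG output.
function mixedBytes(samples) {
  const pool = toBytes(vonNeumann(toBits(samples)));
  return xorMix(pool, rng.getRandomValues(new Uint8Array(pool.length)));
}

// Constructed sample: pixel values as they might be read under the pointer.
const SAMPLE = Uint8Array.from([0x6c, 0x93, 0xff, 0x00, 0xa5, 0x5a, 0x1e, 0xe1]);
```

Eight constructed sample bytes debias down to two here, and the constant bytes 0xff and 0x00 contribute nothing, which is why the debiased pool is much smaller than the raw input.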
Now VeraCrypt.

It falls victim to the /dev/random vs /dev/urandom myth as it first builds a pool with data from /dev/urandom, then appends data from /dev/random, then finally appends x-y coords equal to the hash bit size.

The final pool is hashed with the selected hash.

PuTTYgen comes next.

The GUI is a Windows-only application, as puttygen(1) on Unix is a CLI. I'm using Wine here.

This is unique in that it sets up 32 Fortuna collectors and populates each with CryptGenRandom. The x-y coords are then mixed with XOR and finalized with SHA-256.

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.