For my birthday, I'm doing a charity 53K run supporting Utah Foster Care.
I chose Utah Foster Care, because I want to help kids find connection, safety, and hope.
I’m hoping to raise $500 by June 9. If met, XMission will match your $500.
Here's my re- #introduction
I'm Aaron Toponce, security researcher, Linux system administrator, cryptography hobbyist, marathon runner, bookworm, coffee nerd, and exmormon.
I wrote the ZFS administration guide at https://pthree.org/category/zfs. I guest lecture at a couple local universities regarding random number generator design. I also contract teach Red Hat certification courses as time permits.
I'm a novice developer, competent in Python and JavaScript, while learning Rust.
No politics here.
Awesome Hacker Search Engines
A list of search engines useful during Penetration testing, vulnerability assessments, red team operations, bug bounty and more
Almost caught up with the 5.x series of patches, then I need to go through the 1.3, 2.*, and 3.x series to make sure I did everything correctly.
Once I know I have every patch, and I can recreate the current random.c from 1.3 I'll probably put this up on GitHub.
CafePress fined $500,000 by the FTC for covering up a data breach impacting more than 23 million customers and failing to protect their data.
They had a history for security breaches and sloppy security practices going back to 2018.
The takeaway?
- Monitor your IDS.
- Run pentests.
- Fix vulnerabilities.
- Patch systems.
- Perform regular audits.
Interactive UNIX - So Powerful It Can't Be a PC
"Just Say No to SCO." Count me in!
https://computeradsfromthepast.substack.com/p/interactive-unix
Invictus Capital suspends withdrawals
June 22, 2022
https://web3isgoinggreat.com/?id=invictus-capital-suspends-withdrawals
Firefox uses the ~/.mozilla/ directory instead of the Freedesktop.org XDG specification when saving data in your home dir.
So here's an 18 year old bug.
What would SQLite look like if it were written in Rust?
multihash - self describing hashes for future-proofing.
ffsend - an end-to-end encrypted CLI Send client.
SMS phishing is way too easy.
Why use mouse randomness at all?
I can think of a couple reasons. You don't trust the system RNG is sufficiently seeded. Or you worry the system RNG is backdoored, but it's not actively compromising userspace applications.
It *is* a bit "90s crypto" however.
Some observations:
- bitaddress\.org using RC4 probably should be replaced. Spritz is an easy drop-in replacement.
- All except webpassgen make unfounded assumptions about entropy.
- All projects are mixing in the x-y coords with the system CSPRNG (except bitaddress\.org).
Finally, my project webpassgen.
This generates an animated bitmap using crypto.genRandomValues(). The pixel value at the x-y coord is added to a pool, then von Neumann debiased.
When generating passwords, the entropy is mixed with crypto.genRandomValues() with XOR.
Now VeraCrypt.
It falls victim to the /dev/random vs /dev/urandom myth as it first builds a pool with data from /dev/urandom, then appends data from /dev/random, then finally appends x-y coords equal to the hash bit size.
The final pool is hashed with the selected hash.
PuTTYgen comes next.
The GUI is a Windows-only application, as puttygen(1) on Unix is a CLI. I'm using Wine here.
This is unique in that it sets up 32 Fortuna collectors and populates each with CryptGenRandom. The x-y coords are then mixed with XOR and finalized with SHA-256.
Cryptography, security, locksport, Linux, programming, mathematics, amateur radio, Buddhism, running, anime, bibliophilia.