Pinned post

For my birthday, I'm doing a charity 53K run supporting Utah Foster Care.

I chose Utah Foster Care, because I want to help kids find connection, safety, and hope.

I’m hoping to raise $500 by June 9. If met, XMission will match your $500.

givebutter.com/Aaronsbirthdayr

Pinned post

Here's my re-

I'm Aaron Toponce, security researcher, Linux system administrator, cryptography hobbyist, marathon runner, bookworm, coffee nerd, and exmormon.

I wrote the ZFS administration guide at pthree.org/category/zfs. I guest lecture at a couple local universities regarding random number generator design. I also contract teach Red Hat certification courses as time permits.

I'm a novice developer, competent in Python and JavaScript, while learning Rust.

No politics here.

Awesome Hacker Search Engines

A list of search engines useful during Penetration testing, vulnerability assessments, red team operations, bug bounty and more

github.com/edoardottt/awesome-

It's crazy how slow this is, but better done right than hurried.

Show thread

Almost caught up with the 5.x series of patches, then I need to go through the 1.3, 2.*, and 3.x series to make sure I did everything correctly.

Once I know I have every patch, and I can recreate the current random.c from 1.3 I'll probably put this up on GitHub.

Show thread

CafePress fined $500,000 by the FTC for covering up a data breach impacting more than 23 million customers and failing to protect their data.

They had a history for security breaches and sloppy security practices going back to 2018.

The takeaway?

- Monitor your IDS.
- Run pentests.
- Fix vulnerabilities.
- Patch systems.
- Perform regular audits.

bleepingcomputer.com/news/secu

Firefox uses the ~/.mozilla/ directory instead of the Freedesktop.org XDG specification when saving data in your home dir.

So here's an 18 year old bug.

bugzilla.mozilla.org/show_bug.

(Notice also that Google allows the 0x20 whitespace character in passwords.)

Show thread

Just because a service provider has password length maximums, does not imply that they are storing your password in plaintext (Unix descrypt has an 8 character max).

Case in point, Google caps their password lengths to 100 charaacters, as shown in these screenshots.

Probably getting close to a new webpassgen release.

I should probably make sure any pushes that also need to be applied to its nodepassgen sister project get applied.

Anyway, that's all I got.

Recording screencasts in GNOME sucks BTW.

Show thread

Why use mouse randomness at all?

I can think of a couple reasons. You don't trust the system RNG is sufficiently seeded. Or you worry the system RNG is backdoored, but it's not actively compromising userspace applications.

It *is* a bit "90s crypto" however.

Show thread

Some observations:

- bitaddress\.org using RC4 probably should be replaced. Spritz is an easy drop-in replacement.
- All except webpassgen make unfounded assumptions about entropy.
- All projects are mixing in the x-y coords with the system CSPRNG (except bitaddress\.org).

Show thread

Finally, my project webpassgen.

This generates an animated bitmap using crypto.genRandomValues(). The pixel value at the x-y coord is added to a pool, then von Neumann debiased.

When generating passwords, the entropy is mixed with crypto.genRandomValues() with XOR.

Show thread

Now VeraCrypt.

It falls victim to the /dev/random vs /dev/urandom myth as it first builds a pool with data from /dev/urandom, then appends data from /dev/random, then finally appends x-y coords equal to the hash bit size.

The final pool is hashed with the selected hash.

Show thread

PuTTYgen comes next.

The GUI is a Windows-only application, as puttygen(1) on Unix is a CLI. I'm using Wine here.

This is unique in that it sets up 32 Fortuna collectors and populates each with CryptGenRandom. The x-y coords are then mixed with XOR and finalized with SHA-256.

Show thread
Show older
Fosstodon

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.