Aaron Toponce ⚛️ @atoponce@fosstodon.org

For my birthday, I'm doing a charity 53K run supporting Utah Foster Care.

I chose Utah Foster Care, because I want to help kids find connection, safety, and hope.

I’m hoping to raise $500 by June 9. If met, XMission will match your $500.

https://givebutter.com/Aaronsbirthdayrun

Here's my re- #introduction

I'm Aaron Toponce, security researcher, Linux system administrator, cryptography hobbyist, marathon runner, bookworm, coffee nerd, and exmormon.

I wrote the ZFS administration guide at https://pthree.org/category/zfs. I guest lecture at a couple local universities regarding random number generator design. I also contract teach Red Hat certification courses as time permits.

I'm a novice developer, competent in Python and JavaScript, while learning Rust.

No politics here.

Awesome Hacker Search Engines

A list of search engines useful during Penetration testing, vulnerability assessments, red team operations, bug bounty and more

https://github.com/edoardottt/awesome-hacker-search-engines

It's crazy how slow this is, but better done right than hurried.

Almost caught up with the 5.x series of patches, then I need to go through the 1.3, 2.*, and 3.x series to make sure I did everything correctly.

Once I know I have every patch, and I can recreate the current random.c from 1.3 I'll probably put this up on GitHub.

CafePress fined $500,000 by the FTC for covering up a data breach impacting more than 23 million customers and failing to protect their data.

They had a history for security breaches and sloppy security practices going back to 2018.

The takeaway?

- Monitor your IDS.
- Run pentests.
- Fix vulnerabilities.
- Patch systems.
- Perform regular audits.

https://www.bleepingcomputer.com/news/security/cafepress-fined-500-000-for-breach-affecting-23-million-users/

Interactive UNIX - So Powerful It Can't Be a PC

"Just Say No to SCO." Count me in!

https://computeradsfromthepast.substack.com/p/interactive-unix

Firefox uses the ~/.mozilla/ directory instead of the Freedesktop.org XDG specification when saving data in your home dir.

So here's an 18 year old bug.

https://bugzilla.mozilla.org/show_bug.cgi?id=259356

(Notice also that Google allows the 0x20 whitespace character in passwords.)

Just because a service provider has password length maximums, does not imply that they are storing your password in plaintext (Unix descrypt has an 8 character max).

Case in point, Google caps their password lengths to 100 charaacters, as shown in these screenshots.

Probably getting close to a new webpassgen release.

I should probably make sure any pushes that also need to be applied to its nodepassgen sister project get applied.

What would SQLite look like if it were written in Rust?

https://github.com/joaoh82/rust_sqlite

multihash - self describing hashes for future-proofing.

https://github.com/multiformats/multihash

ffsend - an end-to-end encrypted CLI Send client.

https://github.com/timvisee/ffsend

SMS phishing is way too easy.

https://www.bejarano.io/sms-phishing/

Anyway, that's all I got.

Recording screencasts in GNOME sucks BTW.

Why use mouse randomness at all?

I can think of a couple reasons. You don't trust the system RNG is sufficiently seeded. Or you worry the system RNG is backdoored, but it's not actively compromising userspace applications.

It *is* a bit "90s crypto" however.

Some observations:

- bitaddress\.org using RC4 probably should be replaced. Spritz is an easy drop-in replacement.
- All except webpassgen make unfounded assumptions about entropy.
- All projects are mixing in the x-y coords with the system CSPRNG (except bitaddress\.org).

Finally, my project webpassgen.

This generates an animated bitmap using crypto.genRandomValues(). The pixel value at the x-y coord is added to a pool, then von Neumann debiased.

When generating passwords, the entropy is mixed with crypto.genRandomValues() with XOR.

Now VeraCrypt.

It falls victim to the /dev/random vs /dev/urandom myth as it first builds a pool with data from /dev/urandom, then appends data from /dev/random, then finally appends x-y coords equal to the hash bit size.

The final pool is hashed with the selected hash.

PuTTYgen comes next.

The GUI is a Windows-only application, as puttygen(1) on Unix is a CLI. I'm using Wine here.

This is unique in that it sets up 32 Fortuna collectors and populates each with CryptGenRandom. The x-y coords are then mixed with XOR and finalized with SHA-256.