Quote of the GET: A computer lets you make more mistakes faster than any invention in human history–with the possible exceptions of handguns and tequila. Mitch Radcliffe
Since I am a housewife (i.e. since I live on my own) my concerns have been extended to foreign horizons, such as taming dust and lint. All my network devices and wires has a particular magnetism for them. To make things worse, the devices cleaning is quiet hard.
So, I decide to boxing them. All you need is a big tupperware and few rubber bands. Here is the process to build it:
Privacy at Facebook is heavy-duty. As a big fan of the Worlds Collide Theory I hate be tagged compulsively. I would like to select in which photos appear in my profile and feed. Since I couldn’t find that option in the setting menu, I looked for the answer in my favorite scripting language: Python.
This 60-lines-long script removes your tag from the latests photos where you has been labelled. You can download it from here. You may run it hourly (or every 15 minutes, or every 5 minutes, depends how paranoid you are) via cron or whatever.
Any improvement is welcome. It probably runs on Windows too. If you managed to do it, leave a comment for the others.
If I say “I got the third place in a scholarship application”, it doesn’t look bad.
But there is money only for the first two persons. Sometimes, close is not enough. So, without money, I won’t be able to study in Europe… damn…
Maybe next year… maybe not.
Note: The application was, as you can see, for a doctoral scholarship in Spain… my broken English has no effect here…
Some days ago, my new camera arrived. I bougth it via Amazon and the parents of a friend brought it to my country.
The selected model was a Canon PowerShot SX110 IS. My last camera was a Canon PowerShot A700. It has been in service since April 2006, until a terrible fall ended with its nice capability of taking good pictures, during the 25C3 in Berlin.
Yes, it’s me again with this DSA-1571 exploitation issue. The discovery, explanation and exploitation of the bug is now part of my final coursework for my postgraduate degree career. So, yes… sorry.
Some weeks ago I started suspecting about the attack to PFS in SSL with EDH. The key point is: the key space is dependent of the PRNG state. The bug affects the initialization of the PRNG, but the random string has not a pattern by it self. If you ask for many random numbers to the PRNG, you gonna get numbers that differ among them, since they are the output of a hash function of them self. So each random number depends on, besides the PID, the state of the PRNG pool in the moment (in other words, amount of bytes that you already pull from the PRNG pool before)
The explained attack was based in a fixed list of private exponents (which are selected randomly during the DHE handshake), presupposing that all the application call RAND_bytes() the same number of times before get it. To make the list of exponent I ran the openssl s_client with all the possible PIDs, hoping that all the applications behaves the same way.
After more tests I notice that that was an overgeneralization. The proof is in the pudding: wget and cURL, two simple CLI file retrievers, gets different exponent between them, even running with the same PID.
I was working on this when I accidentally found a really nice Eric Rescorla’s post which is deeply related with this. The post goes further and analyzes the interaction between how Apache forks off and how it generates SSL handshakes.
for i in $(seq $((2**15)));
do
export MAGICPID=$i;
LD_LIBRARY_PATH="openssl.broken/" LD_PRELOAD="./getpid.so" \
wget --no-check-certificate https://localhost/ -q -O /dev/null ;
echo $i ;
done
As you can see, I used the HD Moore’s GetPID faker shared library and a normal local Apache with mod_ssl. The broken libssl (which is in .openssl.broken/) store up in /tmp/data.key a csv with command name, PID and all the DH components (g, x, y and p).
But this way is farly unconfortable for others SSL deamon servers. Have you got any better idea?
Digamos que este post solo tiene sentido si es visto desde mi antiguo gestor de blog. De todas formas decidí portarlo aquí por razones históricas.
Desde ya hace tiempo que tenía intensiones de irme de LiveJournal. No es que funcione mal. Es que simplemente tiene cosas que no me cuadran. Me la paso adaptándome a lo que puede darme (como el caso de hack para el bloguear en planet.debian.org) y tiene limitaciones de diseño. La publicidad que empezó a surgir a la derecha de la pantalla es la gota que derramó el vaso. No es solo antiestética, sino que si decido tener publicidad es porque espero cobrar por ella.
Dado que RaqLink puede proveerme un hosting gratuito y que otros amigos han ofrecido espacio y ancho de banda, decidí mudarme y tener mi propio Blog que dependa de mi mismo.
Así fue como me decidí por Wordpress. Es lindo, sencillo y flexible. Por otro lado, dudo de su seguridad. Y este último punto no es menor. Veremos que tal anda durante los próximos meses. Si da mucho problema… volará por otra opción. Escucho opciones.
Una cosa es segura. No más LiveJournal. Este blog (es decir, lbello.livejournal.com) deja de existir como tal. Puedes acceder al nuevo en www.lucianobello.com.ar. Todos los post antiguos está migrados. Incluso los comentarios. En la pasada se han perdido los tags y el threading de los comentarios. Los primeros irán emergiendo con el correr del tiempo y de mi ratos libros. El segundo está definitivamente perdido. Aunque los nuevos comentarios si pueden anidarse, los viejos han quedado planos.
At this point, all of you should know and see how the H D Moore’s toys work. Those toys attack SSH public-key authentication using clone keys and online brute force.
Furthermore, many of you know that there are other effects produced by a biased PRNG besides this one.
Let’s put it in plain words (if you know what we are talking about, ignore this and jump to the next heading):
In an insecure communications channel the parties agree a common key to cipher their dialog. This is what happens in SSL (in most of the cases, depending on the cipher suite):
The server selects a random primep and a generator g of the fieldZ*p (Let’s ignore the mathematical properties of these values). So, the components p and g are public.
The server picks a secret random number Xs and calculates Ys=gXs mod p. Ys is public and is sent to the client (just like p and g).
The client does something similar, selecting a secret random number Xc and calculating Yc=gXc mod p too. The client makes Yc public by sending it to the server.
The shared secret s is the public key of the other part to the exponential of the own private number, all in p modulus. That is, for the client s=YsXcmod p and for the server s=YcXsmod p.
With this shared secret the parties can encrypt all the following messages in a secure way.
In the Ephemeral Diffie Hellman (EDH), the private numbers are ruled out, so s is mathematically secure and nobody can obtain it even having access to one of the parties after the aforementioned handshake.
The “exploit”
If an eavesdropper can explore the complete private key space (the all possible numbers for Xc or Xs), he/she will be able to get access to the shared secret. With it all the communication can be deciphered. That’s what this patch can do.
A Wireshark with this patch and a list of possible private keys will try to brute force the share secret. If one of the parties is using the vulnerable OpenSSL package the communication is totally insecure and will be decrypted.
Debian packages with the patch applied can be found here.
This is a list of all 215 possible 64 and 128 bit DH private keys in systems vulnerable to the predictable OpenSSL PRNG described by DSA-1571.
An example of a pcap file can be found here (it was built with a vulnerable client and one of the Moore toys, a hacked getpid by running $ MAGICPID=101 LD_PRELOAD=‘getpid.so’ ./vulnerable-openssl/apps/openssl s_client -connect db.debian.org:443 )
We (the other developers and myself) detected few things to be improved. But we will do nothing for them. So, if you want to contribute with some code, start from these items and submit the patches to the Wireshark’s bugzilla:
When the packets are out-of-order the decipher with stop itself.
The brute force attack should run in a background process (and with a progres bar)
Check the length of the keys before trying to brute force them.
The patch also implements the display of public DH parameters in the packet tree. It’s incomplete.
Credits
Paolo Abeni <paolo.abeni at email.it>
Luciano Bello <luciano at debian.org>
Maximiliano Bertacchini <mbertacchini at citefa.gov.ar>
This work was partially supported by Si6 Labs at CITEFA, Argentina.
UPDATE Jul. 21st: See more and updated info here, especially this.
Warning: read the last update first. No more contributions are needed :D
The last weeks have been very active. A lot of e-mails from people and magazines, a lot of congratulations and a lot of free beer made me feel like a rock star :) Thanks a lot to everyone. I really appreciated that.
And maybe this petition would sound you like an abuse of this situation. And maybe you are right.
I’ve been accepted to explain the Debian/OpenSSL problem and I’m dying to be there. If you work for a company which is looking for a nice way to say “thank you”, please consider this option :)
update (13 minutes later): I just received confirmation from the Black Hat organization to be an alternative speaker there too! So I will need to fund 5 extra nights… :D
update (Jun. 6th): I already have a sponsor! :D. Thanks a lot to all the contributors/mentors/impeller ppl, especially to physical people for the monetary-small-but-emotionally-significant colaborations: Juan Tula and Alejandra García.
Well, maybe I was a little noisy with my first DSA. I will try to be quieter next time :)
I think that many people are being very unfair with the OpenSSL’s maintainers. They made (and are making) a really good job. Was an accident, that things happens.
What we need is a real auditory process of the Debian specific patches. It’s hard, but it’s necessary.
Better than just a party, it’s a bug squashing party! Imagemagickneeds your help. It a very important package for Debian and its really outdated. It has more than 100 bugs.
The objective, is to reduce the bugs to less than 20 in a month in in the version in development. Let’s go for them! :)
Some months ago, I commented about a weak implementation in a fancy captcha. Today I would like to comment about other bad implementations, but in other ways.
The good
A captcha should have big Shannon entropy, finite, but big. The session ID and the challenge must not be reused. The images must be resistant to OCR but should be understandable by a human.
The bad
Here is the first example:
Believe it or not.. This is a real case. So incredible eh?
The ugly
The victim, in this case, is this one:
This is an implementation of captchanumbers, by Hadar Porat. This captcha and many others generated by captchanumbers are weak and can be read with this script.
The idea is simple. As the numbers are nearly in the same place, they can be cut. Those parts can compared independently, reducing the entropy. May be the script and this image would be more enlightening than my limited English:
The 10,000 possibilities was reduced to 159. No OCR, 100% deterministic.
Second moral: Understand the fundamentals first, write code later.
microluciano: has a mail saying "Unfortunately we have to inform you that the scholarships have been awarded to other candidates" -- D'oh!
Updated Tue, 06 Jul 2010 23:40:24 +0000
microluciano: nuevo post en www.lucianobello.com.ar: disección perfecta de polígonos for dummies http://tinyurl.com/diseccion
Updated Tue, 15 Jun 2010 21:49:21 +0000
microluciano: paper of the week: A Model for Delimited Information Release (2004), by Sabelfeld and Myers
Updated Tue, 15 Jun 2010 15:28:58 +0000
microluciano: got a nice whiteboard. Studing now is funnier! http://twitpic.com/1oi5lt
Updated Mon, 17 May 2010 02:58:42 +0000
microluciano: preparing a class about Subtyping, for the "Type Systems for Programming Languages" course
Updated Fri, 14 May 2010 14:39:34 +0000
microluciano: is now officially part of the Debian Security team :)
Updated Thu, 22 Apr 2010 18:59:35 +0000
microluciano: take part of the.most.biggest.gamest.in.the.worldst.com.ar !
Updated Thu, 01 Apr 2010 15:22:01 +0000
microluciano: is feeling a bit dizzy and confused after his first class of "types for programming languages"...
Updated Tue, 30 Mar 2010 17:30:31 +0000
microluciano: A neutron walks into a bar and asks, "How much for a drink?" The bartender says, "For you? No charge." #TBBT
Updated Fri, 26 Mar 2010 14:37:23 +0000
microluciano: new at http://www.couchsurfing.org/people/microluciano
Updated Tue, 23 Mar 2010 18:44:12 +0000
microluciano: Colabora con la ciencia, se parte de ella y dedica 10 minutos a http://www.citefa.gov.ar/si6/k-profiler/ . RT por favor.
Updated Mon, 22 Mar 2010 12:38:38 +0000
microluciano: @ #pycamp!
Updated Fri, 05 Mar 2010 20:00:37 +0000
microluciano: RT @holesec: Libro: Ethical Hacking - Un Enfoque Metodologico para Profesionales. http://bit.ly/dg65NL todo una mezcla de perfiles de lo ...
Updated Thu, 04 Mar 2010 13:24:25 +0000
microluciano: el autodesignado organismo encargado de "matricular a los idóneos" informáticos de Buenos Aires da vergüenza http://bit.ly/9SmCJR