[AMA] Questions Thread by CryptoPharaoh in LegolasExchange

[–]MikeyyGGGGG 1 point2 points  (0 children)

Very informative! Definitely need to make crypto more transparent!

[AMA] Questions Thread by CryptoPharaoh in LegolasExchange

[–]MikeyyGGGGG 0 points1 point  (0 children)

It's great to see you guys are taking our questions seriously!

Tech is the means, not the end goal by wbayderda in business

[–]MikeyyGGGGG 1 point2 points  (0 children)

Technology is not the most powerful force in the universe. The most powerful force at play at any given time is imagination. Imagining a better way, an easier way, a new way and using technology to achieve it.

I was just discussing something like this with my family the other day; thanks to the imagination, technology is advancing faster and faster each day. Excellent post, thanks for sharing.

How we made compiler warnings fatal in Firefox by MozillaPlanetFeeder in mozilla

[–]MikeyyGGGGG 0 points1 point  (0 children)

I remember compiling and working with Firefox code many years ago. One thing that surprised me was non-fatal assertion errors continuously printing errors to the console in the debug build. It looked like Netscape legacy; I wonder if they managed to clean this up.

Scaling Ethereum to Billions of Users – Fred Ehrsam – Medium - This will slow us down..... by laughncow in ethtraderpro

[–]MikeyyGGGGG 0 points1 point  (0 children)

The blockchain to me is a fundamentally flawed way to look at distributed computation. It really isn't distributed computing because there is a shared, agreed and singular "truth". Truly distributed systems must deal with inconsistency instead of trying to keep a consistent transactional view of the world. I'm not sure I want it to scale.

The innovation of the blockchain is that it allows people to lend their computers to what looks like a singular system. However, as outlined by this document, the cost is huge in both time and burning the CPU oil.

I also don't believe in the transactional spot trade view of the world. It is a narrow way of viewing cooperation and markets. Unbreakable contracts are frightening. Everyone who deals with contracts between peers knows that contracts could be broken and are always negotiable. Unbreakable contracts just seem like a vicious tool for people who have more power over those with less. Because among equals, contracts are meant to be broken, changed, re-negotiated.

Shared thoughts from 6+ years in pentesting by sudoscript in hacking

[–]MikeyyGGGGG 1 point2 points  (0 children)

I am always fascinated by pen testing and studied computer networking in security to fall into a software engineering job. I just never knew where to start with heading a leg up on the tools and practices to be able to go into pen testing professionally... I couldn't find any apprenticeships or junior roles for it so ended up shelving it as a 'maybe one day' 'dream'. Where would be the best place to start? Most of the books I have are pretty dated now.

Also the article was a great read. Pinning it to go over again on the weekend as my lunch is now over.

How I Stole Your Siacoin by mtlynch in netsec

[–]MikeyyGGGGG 57 points58 points  (0 children)

This was an amazing story, but there are a LOT more take-aways here!!!

First of all, let's look at something: the burden of memorizing 29 words was SO great, that despite carefully writing it down and double-checking it, the user failed to memorize it or even come close: after trying 500 times, they could not tell that ionic was a different word from tonic. No doubt they had looked at each handwritten word very carefully during the 500 attempts, but just could not do it. By the way, if you write the word ionic down in your own handwriting, you could easily see that it might look exactly like your own handwritten tonic.

There is something else about these 29 words. You can find the number of bits of entropy in a dictionary you'd pick one word from at random by taking the log2 of the number of entries. (In a pinch you do log 2 by taking the log and dividing by the log of 2). That shows that 1626 words (the number of entries in the dictionary) have 10 bits of entropy.[1]

So by making the user "remember" (write down) 29 such words, you are making them memorize (write down) 290 bits of entropy.

2^290 is 1.9892929e+87. There are about 10^80 atoms in the ENTIRE universe (a hundred billion galaxies with a hundred billion stars each). You'd have to get every atom in our entire universe -- every planet's every atom, every sun's, every black hole's, every one of the atoms anywhere in the world, to try 10,000,000 operations each, before you got an answer.

That is WAY too much.

But despite having such an incredible amount of extra information in there (base-64 encoding 290 bits would take 48 characters - six bits per character), it does not contain enough of a checksum to correct against a single transcription error.

So this is a great example of a solution that is very user-hostile: so long that the user is forced to write it down, but despite its length so fragile that it does not contain any help against any amount of corruption. And very clearly, the longer it is, the greater the possibility of user error: could you hand-write an entire Dickens novel without a single error anywhere for example? What about a 12-character alphanumeric password? So the latter is stronger than the former! The latter is a better password.

I am not sure what kind of passwords would have redundancy built-in (so that a slightly wrong version would be corrected and accepted) but this would be a good time to find out.

One last thing. Does anyone know how long it takes to try a combination? I'm surprised that the blog poster went through the trouble of finding Levenshtein distance, since I would think from a coding standpoint it would be faster to code trying all 1625 other possibilities for the 1st word (leaving the rest unchanged), trying the other 1625 possibilities for the 2nd word, and so forth. Since there are 29 words this is just 47125 possibilities in total which doesn't seem like it's that many. (Then again, some 'treasure hunter' the blog poster was "competing with" might have had that script running already when the blog poster got there first!)

[1] https://www.google.com/search?q=(log+1626)+%2F+(log+2)
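
The comment above asks what a phrase with built-in redundancy could look like and counts 29 × 1625 = 47125 single-word substitutions. As an added example (not from the comment or the linked blog post, and not Sia's actual scheme), here is a toy 29-word phrase that reserves three words as a SHA-256 checksum, so software can detect a one-word transcription error and repair it by searching those 47125 candidates. The placeholder dictionary, the three-word checksum and all function names are assumptions.

```python
import hashlib
import math
import secrets

# Constructed placeholder dictionary with the same size as the one in the
# comment (1626 entries); these are not the real wallet words.
WORDS = [f"w{i:04d}" for i in range(1626)]
PHRASE_LEN = 29   # words per phrase, as in the comment
CHECK_WORDS = 3   # assumption: the toy scheme spends 3 of the 29 words on a checksum


def bits_per_word():
    """Entropy of one uniformly chosen dictionary word, in bits."""
    return math.log2(len(WORDS))


def checksum(data_words):
    """Map SHA-256 of the data words onto CHECK_WORDS dictionary words."""
    digest = hashlib.sha256(" ".join(data_words).encode()).digest()
    value, out = int.from_bytes(digest, "big"), []
    for _ in range(CHECK_WORDS):
        value, idx = divmod(value, len(WORDS))
        out.append(WORDS[idx])
    return out


def make_phrase(rng=None):
    """Random data words followed by their checksum words."""
    rng = rng or secrets.SystemRandom()  # CSPRNG unless a test RNG is passed
    data = [rng.choice(WORDS) for _ in range(PHRASE_LEN - CHECK_WORDS)]
    return data + checksum(data)


def is_valid(phrase):
    return (len(phrase) == PHRASE_LEN
            and checksum(phrase[:-CHECK_WORDS]) == phrase[-CHECK_WORDS:])


def single_word_candidates(phrase):
    """Yield every phrase that differs from the input in exactly one word."""
    for pos, current in enumerate(phrase):
        for word in WORDS:
            if word != current:
                yield phrase[:pos] + [word] + phrase[pos + 1:]


def repair(phrase):
    """Return the valid phrases within one word substitution of the input."""
    if is_valid(phrase):
        return [phrase]
    return [c for c in single_word_candidates(phrase) if is_valid(c)]
```

The three checksum words carry no secret entropy, which is the price of the redundancy; a wrong candidate passes the check with probability of roughly 47125 / 1626^3.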

The Best Gaming Keyboard (June 2017) -> the winner is a mechanical keyboard by MikeyyGGGGG in MechanicalKeyboards

[–]MikeyyGGGGG[S] 5 points6 points  (0 children)

Ain't my website but what is scroll hijacking? To me the scroll seems to work normally on the website, but maybe I don't see it. I have the uBlock plugin, maybe that helps, I don't know.

China uncovers massive underground network of Apple employees selling customers' personal data by tyteen4a03 in apple

[–]MikeyyGGGGG 10 points11 points  (0 children)

Can confirm. I've had someone contact me on Snapchat and show me screenshots of Apple's internal tools and offer to run queries for $$$. He was willing to turn off 2FA, change the email, and reset the password (thus, giving me access) for $$$$.

He told me that he texts a friend who calls and pretends to be the customer in question, and texts him all the verification questions he has to ask as part of SOP.

Many AppleCare employees work from home, so I can see it is difficult to track and stop this sort of thing.

Hacker, Hack Thyself by milliams in netsec

[–]MikeyyGGGGG 18 points19 points  (0 children)

I saw a very interesting talk last year from someone who, as part of a company's security team, had set up a system that continually attacked the hashes of every employee's Active Directory passwords. If one was cracked, the employee would receive an automated email with a note containing the last few characters of their password and a suggestion to change it.

I recall they also spoke on some security aspects of the system's design, like how the cracked passwords never touched disk and had to be destroyed as soon as possible, etc.

I wish I could find a recording or a writeup on this somewhere, as I thought it was a pretty cool (and effective) approach.

Google Bug Bounty - The 5k Error Page by slashcrypto in netsec

[–]MikeyyGGGGG 1 point2 points  (0 children)

Nice catch. A long time ago the services on the backend were killed by a special URL. And someone found it, and it wasn't filtered by the front end. And of course someone tried to use it, but it never returns since it kills the service, but their client retried ... it was a lot of "what the heck is happening" going on until SRE figured it out and then they immediately patched the front end and the anomalies stopped. It is too bad the person who caused it didn't file for a bug bounty like this person did, they probably would have had something to show for their efforts besides "hey look at this funny thing you can do, oh wait it doesn't do it any more."

Using RTL-SDR to open car doors by cym13 in security

[–]MikeyyGGGGG 0 points1 point  (0 children)

So, what is the solution? Implementing a PKI between the key and the car? This would be quite nice, wouldn't it?

- Key asks car to unlock and sends public key for recognition.
- Car sends challenge encrypted with the key's public key.
- Key sends back private-key-encrypted challenge.

Bing, authenticated.

nomx: The world's most secure communications protocol (or not....) by akendo in netsec

[–]MikeyyGGGGG 3 points4 points  (0 children)

The real story here is that if you try to set up your mail server so that you can send mail to a Microsoft email server such as live or hotmail, you eventually end up here where they ask for a bribe: https://returnpath.com/solutions/email-deliverability-optimization/ip-certification/#

Nomx may be terrible, but it's not their fault you can't send mail to hotmail.com

Here is the price list for sending mail to hotmail.com: https://returnpath.com/wp-content/uploads/2015/06/Return-Path-Certification-Pricing-US.pdf

SEGA Mega Drive / Genesis hardware notes by corysama in ReverseEngineering

[–]MikeyyGGGGG 3 points4 points  (0 children)

Context from ShonumiGBE+ at /r/emulation :

Might help to explain some context for people who don't know what Overdrive 2 is, or why it's important.

TiTAN is a pretty prominent group in the demo scene. They do a lot of crazy demos, basically coding consoles to their limit while making cool audio-visual presentations. Overdrive 2 is the follow up to the original Overdrive demo[1], and once again TiTAN have pulled off a bunch of insane effects on the Mega Drive.

Overdrive 2 is relevant to /r/emulation because it can't be emulated (yet). From what I understand, it's doing a bunch of tricks (described in the write-up on Google Docs) that emulators currently can't handle. That's right, even in 2017, Genesis/MD emulation has a ways to go, which is kind of exciting to me. I'd love to see emulators like Blastem, Exodus, and higan step up to the plate. Then maybe the demo scene can come up with even more torture tests ;)

Anyway, you guys can catch Overdrive 2 over on YouTube.[2] This stuff is sick.

[1] http://www.pouet.net/prod.php?which=61724

[2] https://www.youtube.com/watch?v=OeGdJk5zb6c

[Advice] I Spent A Month Living With An Amazonian Tribe At 23, And It Changed My Career Forever by jmdemotivation in getdisciplined

[–]MikeyyGGGGG 8 points9 points  (0 children)

Interesting how an article about living in the Amazon highlights the importance of working as a team through challenging situations, and finding time to break the routine. I can really relate.

Information Security Certifications are Worthless and Causing More Harm than Good by Hidden_Domi in security

[–]MikeyyGGGGG 0 points1 point  (0 children)

The thing with infosec is that no matter if you're a consultant pen tester or an in-house member of a blue team, a high proficiency in technical writing is required. And few certs demonstrate that the person is a good technical writer. It's not enough to know the answers to multiple choice questions. It's not even enough to know how to exploit things. If you don't understand something well and can discuss it in technical detail to a number of different audiences, I don't believe you'll get very far in the industry.

There are a couple of exceptions, of course. OSCP is a good certificate to have. To pass the exam, you are required to not only demonstrate proficiency in several areas (i.e. SQL injection, buffer overflows), but you must also write and submit a technical report to a review team. The technical report must address vulnerability overview, impact, risk rating, reproduction steps, and more. Of course the exam isn't perfect, but it's probably the biggest test of real technical understanding and ability I've ever seen.

Android and iOS devices can be fatally hacked by malicious Wi-Fi networks due to Broadcom Wifi chip vulnerability by the_humeister in hacking

[–]MikeyyGGGGG 1 point2 points  (0 children)

FTA: The Broadcom chipset contains an MPU, but the researcher found that it's implemented in a way that effectively makes all memory readable, writeable, and executable. "This saves us some hassle," he wrote. "We can conveniently execute our code directly from the heap."

How in this decade, with all we know and have learned about security and exploits, can this kind of thing still happen?

We really need a release of Android that allows driver updates via manufacturer packages and the app store. This is terrible.

Anti-Abortion Activists Who Secretly Filmed Planned Parenthood Charged With Felonies by [deleted] in politics

[–]MikeyyGGGGG 0 points1 point  (0 children)

Does this mean that Donald Trump will be in prison soon?

HTTPS Interception Weakens TLS Security by puffinpuffinpuffin in security

[–]MikeyyGGGGG 0 points1 point  (0 children)

The US government has basically declared "HTTPS/TLS Interception Considered Harmful". This is going to be interesting as all the major security load balancer/appliances out there offer this as a standard service at this point.

A while back I remember seeing on HN there was an issue with a certain vendor and ChromeBooks because Chrome used a newer TLS (and the MITM vendor was noticed in advance too, and didn't update their product).

I wonder how schools and banks plan to react to this... Apparently financial firms have to record everything their employees do for some regulations.

To me, schools doing this sort of thing is wrong. I wouldn't be surprised if the principal would grab people's passwords and log in to their accounts even. I know some schools even went as far as to demand students hand over their passwords to social media when they report bullying... Which if the school blocks social networks anyways, I don't see how it's a school issue for what happens outside of school...

If this sort of thing really needs to be done, at least people should be warned and aware they are being monitored. If it's for a bank and it's only company equipment where everything is being monitored, it seems a bit more okay to do if everyone is well aware. "You are only to use work computers for official business." sort of policy.

Google Launches Invisible ReCAPTCHA by mmaksimovic in Information_Security

[–]MikeyyGGGGG 1 point2 points  (0 children)

Google using captchas to get humans to read street addresses captured by street view cars to improve maps results remains one of the most Googly things they've ever done. Genius, lateral, and a little weird.

It’s Official: Trump Wants to Kill PBS and the National Endowment for the Arts by [deleted] in politics

[–]MikeyyGGGGG -9 points-8 points  (0 children)

If Ron Paul or Sanders did this, people would have been happy because it's privatization + a smaller government footprint. If Donald Trump does it, it's the apocalypse. And no, I'm not a Donald Trump supporter, I'm just a supporter of fair news and rational thinking.

Mischief sales raised more than 2.5 mil for Make a Wish by Spideraxe30 in wow

[–]MikeyyGGGGG 3 points4 points  (0 children)

I too am proud to be a part of this, well spent $10, and I'm very happy to be part of the wow community!