Blog‎ > ‎

33C3 notes & keywords part 4

posted Mar 12, 2017, 7:04 AM by Sami Lehtinen   [ updated Mar 12, 2017, 7:04 AM ]
  • It's nice that they'll provide mp4 and web downloads for these videos, with sd / hd quality. I don't have problems streaming the videos, but in some parts of world there might be problems with video streams with high bandwidth. Therefor it's really nice to provide download link, so watcher can leave downloads over night etc, and avoid the totally enraging buffering pauses. Which of course can be absolutely horrible, if you got seriously low bandwidth. Like watching 1 h video might take 24 hours.
  • A look into the mobile messaging black box - Secure Mobile Messaging. Conversation, Private, Confidentiality, Authenticity, Integrity, Forward Secrecy, Future Secrecy, Deniability. Key, Plain Text, Crypto (Cipher), Cipherext. Symmetric Encryption. Asymmetric Encryption. Now with two separate keys, one to encrypt/verify (public key) and another to decrypt/sign (private / secret key). Also known as Public-Key Cryptography. All of this is very familiar, but it's really nice that they go through it to make things easier to understand for everyone. Crypto Nerds, haha. Key Establishment. Key compromise, key renegotiation. Key Management Issues. Haha, no news. - Yeah, so annoying, some people just keep generating new keys and identities, and therefore can't be identified in the long rung using the 'trusted' keys. That just happens again and again. - End-to-End Encryption (E2EE). Padding. Threema's Secure Architecture. Cryptographic Public Key User Fingerprints. Salt / NaCl encryption library. Random, Nonce. Authentication packets. Long-Term Keys.
  • -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Why this here? Just because I can. Haha.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2

    iF4EARYIAAYFAliGN/kACgkQ/NTQawK41CpdPAD/c8L2dc/gyTEzS17wmGWiAC3p
    nNlwQoF0X1/nheZcZLYA/Rhk++bbxB7K3P9lc/y6cfhhfCeTnkeFcoy3JEZwyccI
    =qrln
    -----END PGP SIGNATURE-----
    Here's also my full OpenPGP fingerprint A4F5 3032 18AA 5665 76B6  90AE FCD4 D06B 02B8 D42A.
  • How physicists analyze massive data: LHC + brain + ROOT = Higgs - Data and Uncertainties statistics. kw: Big Data, Data Analytics. Data Analysis, Open Data, Applied Science, Statistical Tools, Modeling, Significance, Multivariate, Graphics & Visualization, low level code, efficient code, cpu cycles, throughput, python, c++.
  • Lightning Talks Day 2 - Victim profiling, WiFi Security, Radio Device Regulation and EU regulation.
  • Tapping into the core - How devastatingly badly CPUs are protected from physical access attacks, like attacking system using USB interface. FLUXBABBITT, UEFI HII.
  • Hacking the world - The strugge for security for all.
  • Gone in 60 milliseconds - AWS Lamdba based 'server-less' framework. Yes, I added the quotes around the server-less. Pretty much similar to Google App Engine (GAE) which I'm very familiar with. Virtual, Private, Cloud. Cool. What a fail, popen. Hahah, with arbitrary user data. So much fail. Who would do that? It's also funny that 'server-less' platform's servers are vulnerable. Hahahah! AWS Identity and Access Management (IAM). Misconfiguration is really common.  Isolation and security is again weaker than claimed. SQS, Celery, SNS, SMS, S3, RDS, VPC, Lamda, DNS, Kinesis. Awesome, persistent backdoor, on platform which doesn't provide persistence. Also patching new updated and patched code to be backdoored again automatically. Just so cool. If function runs out of memory, it doesn't log anything. Awesome exploit. Synthesis, infection toolkit. - Intrustion and Exfiltration in Server-less Architectures. Server-less cloud != secure.
  • Wheel of Fortune - Let's see how predicateble 'random' can be. This will be interesting talk for sure. Reminds me from the DuckDuckGo random password generator, which provided collisions constantly on 16 character strings. Afaik that should be quite unlikely, but it still happened all the time. pow(26, 16) or 26 ^ 16 should make it pretty rare. It's more than 64 bit of entropy. Yet they still managed to produce those collisions by doing extremely bad coding. Classic embedded devices & boot time entropy issues. Everyone running 'empty vm' has quite surely experienced depletion of randomness on linux when generating new keys or something, which requires actually random numbers. Classic whine why GnuPG / OpenSSL private key generation takes so long. PRNG, Yarrow. QNX, Reseed, Dieharder.