Wiping Keys / Secrets (so important)

October 18th, 2014

I examined some software the other day that encrypts passwords. This particular software doesn't wipe its master key from the stack after use, so I was able to write a proof-of-concept on my Raspberry Pi that reads the key from the stack when the database is accessed. Not knowing which bytes are the key, one must run through all offsets in the dumpfile in order to crack the database, but that shouldn't be expensive in processor time.

The authors of Cryptography Engineering write about this too, in section 21.10: keys should be wiped "as soon as a secret is no longer needed".

Some security conscious programs even keep sensitive keys in a privsep'ed process and wipe as much as possible.

So lessons learned are:

  1. don't share your UNIX account with anyone else
  2. wipe keys when finished with them
  3. privsep keys when possible

Who would I like to thank? Everyone that helped me get to this conclusion.
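As an added illustration of lesson 2 (this is example code written for this post, not the software examined above): a working copy of the master key is used and then wiped with a volatile store loop, because a plain memset() right before return is a dead store the compiler may drop. On OpenBSD explicit_bzero(3) does the same job. The key size and the XOR "cipher" are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

#define KEY_LEN 32  /* assumed master-key size, constructed for this example */

/* Zero a buffer in a way the compiler must keep: each store goes through a
 * volatile pointer, so it cannot be removed as a dead store. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Returns 1 when every byte of buf is zero, 0 otherwise. */
int is_wiped(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Toy transform (XOR with key bytes and a block counter). Constructed for
 * this example; it is not a real cipher, the point is the key's lifetime. */
static void xor_stream(const unsigned char key[KEY_LEN], unsigned char *data, size_t len)
{
    for (size_t i = 0; i < len; i++)
        data[i] ^= key[i % KEY_LEN] ^ (unsigned char)(i / KEY_LEN);
}

/* Copy the master key into caller-supplied scratch space, use it, and wipe
 * the copy before returning. The scratch buffer is passed in only so the
 * wipe can be checked; in real code it would be a local array wiped the
 * same way. Returns 1 if the scratch copy is clean afterwards. */
int encrypt_and_wipe(const unsigned char master[KEY_LEN], unsigned char *data,
                     size_t len, unsigned char scratch[KEY_LEN])
{
    memcpy(scratch, master, KEY_LEN);   /* the secret now lives in scratch */
    xor_stream(scratch, data, len);
    secure_wipe(scratch, KEY_LEN);      /* no longer needed: wipe right here */
    return is_wiped(scratch, KEY_LEN);
}

/* Self-check with constructed data: encrypt, round-trip, and confirm both
 * the working copy and the master key are zero when done. Returns 1 on success. */
int demo(void)
{
    unsigned char master[KEY_LEN], scratch[KEY_LEN], data[] = "secret record";
    size_t n = sizeof(data) - 1;
    for (size_t i = 0; i < KEY_LEN; i++)
        master[i] = (unsigned char)(i * 7 + 3);
    memset(scratch, 0xAA, KEY_LEN);
    if (!encrypt_and_wipe(master, data, n, scratch)) return 0;
    if (memcmp(data, "secret record", n) == 0) return 0;  /* must have changed */
    if (!encrypt_and_wipe(master, data, n, scratch)) return 0;  /* XOR round trip */
    if (memcmp(data, "secret record", n) != 0) return 0;
    secure_wipe(master, KEY_LEN);
    return is_wiped(master, KEY_LEN);
}
```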


Turning off SSLv3 on Firefox on OpenBSD

October 15th, 2014

If you ever wanted to do this, here's how:
Type about:config in Firefox's address bar and promise to be careful, then find security.tls.version.min and set it to 1 instead of 0. That disables SSLv3.


Wildcarddnsd 0.9.0 to be released next month

October 13th, 2014

It will likely be tagged in the tree and tarballs made available for download on the 15th of November, which is in 1 month and 2 days or so. There is a larger list of what has changed in the CHANGES file. I'm so happy I can hardly wait!



October 11th, 2014

There is a movie out by Laura Poitras called "citizenfour"; it's the story of Edward Snowden. In this article (in German) they write that the NSA has infiltrated German, Chinese, and South Korean networks with undercover agents as sysadmins in order to get at the infrastructure of those countries. I personally would just like to say to companies in Germany that not every foreign sysadmin is a spy and there are only a few bad apples. And I'd like to say to sysadmins that want to work in Germany that perhaps you'll be watched in whatever you do, and any actions you take may reflect on your work at specific networks. As a hint, if you encounter servers named "Kriminalpolizei" or "Bundespolizei", consider that these are just honey pots. Stay away from them as they won't let you log in anyhow. Aside from this caution you have to use your instincts why a server named "FBI" may be set up in a place where it does not make sense. Remember, authorities like to set up at hub points, not at edge networks. If they set up at the edge I'd say there is a good chance that it's fake.


Money lookout

October 4th, 2014

I'm simply spending way too much money. I only saved ~10% of my income this year, while at the same time the euro was so strong vs. the CAD that I lost 1000 euros of income this year. So the books I bought this year will have to last until January. And in 2015 I plan on buying only 6-8 books. Also donation money will be less; I'm cutting it by 1/3. I really have to tighten the belt if I want to achieve a certain amount of savings in mid-2016. I don't know if it's doable. But we'll see.


Ordered two books

October 3rd, 2014

I have ordered two books for the end of year.


Tried the firechat app

October 3rd, 2014

I read somewhere that FireChat is being used to organize protesters in HK. So I tried it out and it drained my batteries overnight on my iPod. I quickly deleted it again; good thing today is a holiday in Germany, as the iPod didn't wake me.


Pre-Ordered OpenBSD 5.6

September 30th, 2014

I have pre-ordered this from OpenBSDStore.COM, which is the old openbsdeurope.com website. Had some problems manoeuvring through their site at first, but after an email and assurances from them that everything was alright, I managed to do my pre-order. Looking forward to having the three disks of freedom in my hands!


Two TCP traceroutes

September 30th, 2014

I have written two programs that do a TCP traceroute to a remote IP. I plan on finding the culprit at DTAG that gives me packet loss to my OpenBSD laptop from the host io.solarscale.de. I wrote on it most of yesterday and got it working somehow. Here is the source code for the server traceroute and here is the source code for the client traceroute. The server gets connected to with telnet and it will spit back some data while tracing on its side (it doesn't fork); the client will connect to the echo port or discard port, whichever one it finds first, and will do a traceroute. Here is a small demonstration of how the server TCP traceroute works:

root@galileo:/home/pjp/mytcptraced # ./mytcptraced
now sending from port 88 to port 55233, sending a few lines of test
sending testline 0 length 4
now starting the trace...
1           1292    1304
2        442     514
3       527     610
4        5129    5136
5         5223    5230
6           6095    6103
7       12422   13179
8       11944   12671
9       14382   14854

What's so cool about this is that it unearths routers behind NAT, as seen with the last hop. This is my home address at m-net. Unfortunately it can't unearth the RFC 1918 addresses, due to some pretty good NAT on the ICMP time exceeded messages, but knowing that this network goes deep is interesting too. Anyhow, enjoy the code and play if you wish.


Wildcarddnsd Linux now relies on LibreSSL

September 28th, 2014

I have made wildcarddnsd's Linux port rely on LibreSSL. This was not easy because LibreSSL does not exist in Ubuntu or Raspbian (the flavours I use). So what I did was make it rely on LibreSSL 2.0.5, and it extracts the .o files for the functions it needs from the .a archive with ar. This seems to go well; it just costs a bit of compile time. Roughly one hour on a Raspberry Pi to compile LibreSSL 2.0.5.

I also checked whether all architectures except NetBSD compile, so that I can release wildcarddnsd 0.9.0 in mid-November, as I don't know if I'll have much time in October to work on it.


