einaros's comments

einaros | 2 years ago | on: Prediction: Threads will be shut down in 12 months or less

Sure. That's not really my issue though. I got a few thousand followers, in batches, after random press coverage through the years, but never had much of anything I wanted to share. Trying to communicate anything, to build further following, was stressful, unfruitful and ultimately meaningless.

einaros | 7 years ago | on: Norwegian frigate sinking has far-reaching implications

I’ve been meaning to translate the WebGL version embedded there, but never got that far. The downloadable versions (linked under the video) for Windows and Mac both have subtitles of the audio log, as well as the UI. And both have more correct lighting than the video clip that’s embedded on the page.

einaros | 12 years ago | on: Tell HN: Call your mom

Not entirely sure what you mean by that. But I realised some time ago how lucky, and extremely privileged, I was to grow up with the unconditional support my mother gave me.

And I wasn't the only one to get her support. She was a social worker who dealt with the very heaviest of drug users. She worked tirelessly to help them get a grip on their lives, and often spent her spare time following up on their troubles.

She, and others like her, contribute actual good to this world. I, with all of my inhibitive worries and hollow ambitions, admire them infinitely for that.

einaros | 12 years ago | on: Tell HN: Call your mom

Thank you. I'm very sorry to hear that your mother passed so early. Missing someone, even after many years, is a testimony to the strong bond you shared. The loving memory lives on.

einaros | 12 years ago | on: Tell HN: Call your mom

Thank you, although I feel much more sorry for her loss, than I do for mine. Cancer stole her life at a time when everything was supposed to be getting better. A brutal reminder for everyone around her to make the most of their time. And to appreciate loved ones while they're there.

einaros | 12 years ago | on: Tell HN: Call your mom

Mother's day or not, those who can make that call, should. My mother passed away one week ago. I really, really wish I could call her today.

einaros | 12 years ago | on: Cracking Cloudflare's heartbleed challenge

I didn't actually write mine to collect primes :) I'm working with data dumped from other network devices, and for the most part running various Yara rules during and after collection.

einaros | 12 years ago | on: Cracking Cloudflare's heartbleed challenge

Doing realtime prime detection is trivial in mine as well. Either pipe the outfile or add to the lib. I didn't write the dump tool with keys as primary target; they just happened to be there.

einaros | 12 years ago | on: Cracking Cloudflare's heartbleed challenge

No, the primes (and thus key) can be retrieved at any time, but it may be more frequently found right after reboot.

I would recommend you to gather at least a gigabyte before digging for the key - preferably more. I dumped 43 GB from CloudFlare on Sunday, and found the prime 194 times in that dump. It can be found in much less time, however. Here's a test I just did against the CloudFlare server, resulting in the full prime 34 times in 60 seconds: https://twitter.com/einaros/status/456136820913238016

The code from the second post you noted (https://news.ycombinator.com/item?id=7577659) isn't mine. That one builds off of the original Python PoC, which fails for a lot of configurations.

The GitHub code is the first publication I've done. Let me know if you see a server that's vulnerable, that the GitHub code fails to detect.

einaros | 12 years ago | on: New NSA Leak Shows MITM Attacks Against Major Internet Services

That would pretty much cover the use of CDNs that have proper versioning schemes.

Analytics, however, will remain something I'm not overly fond of. For many sites it's unnecessary. For others it's something they could nearly just as easily license and deploy to their own servers. Pulling scripts in from Google Analytics, Statcounter and others -- and especially into privacy concerned apps -- is downright irresponsible.

As I noted here: https://2x.io/read/would-the-nsa-infiltrate-cdns-to-circumve..., even Norway's tax returns site (which hosts info I'd rather not have in any foreign company's hands) uses external analytics scripts. They and 90% of the rest of the internet.

No wonder the NSA claim they can circumvent most HTTPS encryption.

einaros | 12 years ago | on: New NSA Leak Shows MITM Attacks Against Major Internet Services

While an absolute necessity, it doesn't solve the immediate issue of NSLs and widespread use of unnecessary services.

Let's say that the NSA would like to track bitcoin transactions through MtGox. I don't know how easy it would be for them to plug a backdoor into a server in Japan, and let's assume that the NSA can't break the RC4 crypto their web server is configured to use ..

Since MtGox uses Google Analytics, and possibly pulls other scripts from Google's CDN, they could either eavesdrop on whatever data comes back from them by default -- or insist that changes are made to ... pick up more.

einaros | 12 years ago | on: New NSA Leak Shows MITM Attacks Against Major Internet Services

Where did you read that it's mail traffic they were after? I'm beginning to strongly believe that it's Google's other services that are considered for use in specific attacks.

Imagine if some foreign service, that is outside of an NSL's reach, has communication that the NSA wants to snoop on. If they can't break the crypto, but that service happens to load jQuery off of Google's CDN, or use Google Analytics, the NSA could pull a MITM attack and manipulate the content of the requested scripts.

Those scripts could rather easily act as proxies for the NSA or others, and either hijack sessions or pull data straight out of the protected services.

I'm tooting my own horn here, but that's exactly the kind of thing this blog post speculates on: https://2x.io/read/would-the-nsa-infiltrate-cdns-to-circumve...
