santaragolabs's comments

santaragolabs | 5 years ago | on: Wall Street Begins Trading Water Futures as a Commodity

This reminds me of the science fiction novel The Water Knife by Paolo Bacigalupi. From the Amazon description:

  "In the near future, the Colorado River has dwindled to a trickle. Detective, assassin, and spy, Angel Velasquez “cuts” water for the Southern Nevada Water Authority, ensuring that its lush arcology developments can bloom in Las Vegas. When rumors of a game-changing water source surface in Phoenix, Angel is sent south, hunting for answers that seem to evaporate as the heat index soars and the landscape becomes more and more oppressive."
Highly recommended read.

santaragolabs | 7 years ago | on: Timing Analysis of Keystrokes and Timing Attacks on SSH (2001) [pdf]

Oh wow, thanks Keith, first of all for mosh! I've been using it daily for several years now. It's been great! Second of all for clarifying and correcting me regarding the algorithm usage. I don't know where I got it from and I must have just misremembered; it's been a while since I spent a bit of time looking at the source code (and walking away very impressed).

santaragolabs | 7 years ago | on: Timing Analysis of Keystrokes and Timing Attacks on SSH (2001) [pdf]

Sure. But that's why my point was about mosh (https://mosh.org/). It just uses TCP+SSH for the authentication part and then it sets up an encrypted UDP tunnel on the server side, with the mosh client then just sending AES-256-GCM packets back and forth over UDP. To the best of my knowledge it doesn't batch anything.

And compression definitely doesn't always help, as some of the attacks on TLS were only possible because of compression happening before encryption. Hence we ended up with HPACK in HTTP/2, to prevent exactly that type of attack.
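
Added example, not part of the comment above or of any of the projects it mentions: the compression length oracle behind the CRIME/BREACH class of attacks on TLS, reduced to plain zlib. The secret token, the request layout and the attacker-controlled path are all constructed for the demo. The one deliberate assumption is `Z_FIXED` (fixed Huffman tables), chosen so that each correctly guessed byte saves exactly one literal and the size difference is a clean byte; with zlib's default dynamic tables the same leak exists but has to be teased out with repeated or padded probes.

```python
import zlib

# Constructed sample (not from the thread): a session token that travels in the
# same compressed stream as a value the attacker controls, e.g. a URL path.
SECRET = "token=7f3a"
KNOWN_PREFIX = "token="          # the attacker knows the field name, not the value
ALPHABET = "0123456789abcdef"


def compressed_len(attacker_input: str, secret: str = SECRET) -> int:
    """What an eavesdropper sees on the wire: a stream cipher or AEAD hides
    content but not length, so len(DEFLATE(plaintext)) is the leak."""
    plaintext = (f"GET /{attacker_input} HTTP/1.1\r\n"
                 f"Cookie: {secret}\r\n\r\n").encode()
    # Z_FIXED pins the Huffman tables, so one extra matched byte saves exactly
    # one 8-bit literal and the size difference is exactly one byte. With the
    # default dynamic tables the leak is the same but noisier.
    co = zlib.compressobj(9, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return len(co.compress(plaintext) + co.flush())


def recover_secret(prefix: str, n_bytes: int, alphabet: str = ALPHABET) -> str:
    """CRIME-style byte-at-a-time recovery: the guess that extends the LZ77
    back-reference against the real token compresses smallest."""
    known = prefix
    for _ in range(n_bytes):
        # '&' terminates the guess so the match cannot run past the guessed byte.
        sizes = {c: compressed_len(f"{known}{c}&") for c in alphabet}
        ordered = sorted(sizes.values())
        if ordered[0] == ordered[1]:
            raise RuntimeError("no unique minimum: oracle too noisy at this step")
        known += min(sizes, key=sizes.get)
    return known[len(prefix):]


if __name__ == "__main__":
    print("wire sizes for the first byte:",
          {c: compressed_len(f"{KNOWN_PREFIX}{c}&") for c in ALPHABET})
    print("recovered:", recover_secret(KNOWN_PREFIX, len(SECRET) - len(KNOWN_PREFIX)))
```

The attacker never decrypts anything; every probe is a legitimate request whose only observable is its ciphertext length. HPACK sidesteps this by indexing whole header fields and Huffman-coding each literal on its own, so attacker-controlled bytes can never shorten the encoding of a partial match against a secret header value.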

santaragolabs | 7 years ago | on: Timing Analysis of Keystrokes and Timing Attacks on SSH (2001) [pdf]

Man, this paper is a classic. I love traffic analysis attacks like this. I did something myself six years back, albeit with a somewhat contrived example: figuring out what someone is looking at on Google Maps via request and response sizes. Example video here https://www.youtube.com/watch?v=skQNwd9Jij4 and https://ioactive.com/ssl-traffic-analysis-on-google-maps/.

I am speculating that nice traffic analysis attacks can be done on mosh (which is a great tool btw) too, similar to the paper that is in this thread. It's been sort of on my "todo/research" list but I haven't been able to sit down for a few days and mess around with it. And I'm sure that QUIC (HTTP/3) will open up some interesting avenues of attack here too.

santaragolabs | 7 years ago | on: Judge Orders Los Angeles Times to Delete Part of Published Article

No-one said anything about the president or the NSA being involved. There are tons of ways this can work. And it actually happens.

It's just that once you're flagged and are inside The Machine, you get detained upon entry whilst they confiscate your devices, try to see where you've been, etc. Look up the Wikipedia page of Laura Poitras, who for years lived in Berlin due to US government surveillance. And this started way before her involvement with Snowden as a filmmaker.

santaragolabs | 7 years ago | on: GitHub Is Microsoft’s $7.5B Undo Button

I've done some security contracting work for the folks in Walldorf over the years; I've seen first-hand some SAP FTEs getting insanely frustrated putting in their expenses in their own systems. Which was pretty hilarious to watch. And most folks there fully acknowledge that usability is traditionally not their strength.

Things like uptime, support contracts, having someone on-site within three hours when your multi-million-dollar order-processing SAP cluster goes down, etc. are what matter to their customers more than usability (traditionally).

Things are changing and a lot of effort has been put into getting better at UI/UX though. But I haven't been involved with them for several years now so I don't know where they are at or what their current offerings are (I keep tabs a bit on HANA developments but that's it really).

santaragolabs | 8 years ago | on: Ellen Ullman on the importance of making algorithms accessible to the public

Tangentially related due to it being Ellen Ullman.

Oh wow. So I read "The Bug" of hers just after it came out (14 years ago) and it's such a poignant read about someone being slowly driven mad because he can't find a very peculiar bug which unpredictably haunts the sales people demoing their product. It's a great read and I highly recommend it to anyone here. The technical accuracy is hilarious too, but you don't need to be a programmer whatsoever to understand the novel. I won't spoil the reveal of the actual bug or the ending, but it's very much worth it.

After reading it I loaned my hardcover copy out to a guy named Boris when I told him how much I liked it. Boris, I don't know where you are and what you're up to nowadays, but if you somehow end up reading this: I kinda want it back. Ping me.

santaragolabs | 8 years ago | on: A student loan collector must halt collections

It's not about how stupid Americans are but the insane vilification of anything that reeks like socialism. You (*see edit below) live in the richest country on the planet which is incapable of providing clean drinking water to all of its citizens. That's unfathomable to me.

Some context: I know the USA better than most Europeans, having lived and paid taxes there for three years, whilst working and traveling all over the USA. I would never call Americans stupid. I've met some stupid ones though, obviously. But Americans as a whole are as interesting and diverse and awesome and loathsome and everything in between as any other country's citizens.

The collective results of the media, political developments of the past few decades, the country's legal makeup (local, state and federal law) and what not more together result in stupid situations. One of them being that the USA is incapable of providing clean and affordable drinking water to all of its citizens.

And if you have to resort to comparing yourself to Venezuela you're losing anyway. It's a bit like: "hey, at least we're not THAT bad". But you STILL cannot provide clean drinking water to your citizens. What's that saying again? Never be the smartest guy in the room? Maybe compare yourself with countries doing better than the USA and then try to improve things?

And no, not everything is that bad and there are tons of things I like way better in the USA than in Europe. Things are hardly ever that black and white. But comparing yourself to Venezuela is one of the weaker arguments here.

EDIT: just realized that parent comment stated he's not American; doesn't take away from any of my points regarding the Steinbeck quote and the Venezuela comparison.

santaragolabs | 8 years ago | on: Linux Attack Surface Analysis Tool

OP / author of the tool here too. Feel free to come up with any questions or suggestions regarding this. The tool has already proved its worth for me personally but I'm always open to reasoned input why I'm an idiot because I missed x or y or implementation z.

santaragolabs | 8 years ago | on: Topicbox – FastMail’s new product for teams

I've been a personal paying user of Fastmail for over 5 years now. It's been great. For my own company and for another business I started late last year I've also selected Fastmail as an email provider again. Just wanted to say thanks to you and the rest of the team. Keep doing what you're doing and I'll happily keep on shelling over some dollars your way.

santaragolabs | 8 years ago | on: U.S. Power Companies Warned ‘Nightmare’ Cyber Weapon Already Causing Blackouts

So I've been in the position, a few years back, where I spent months doing comprehensive code reviews of these energy distribution management systems and what not more. It's all super scary legacy stuff and the code in general is horrendous (regardless of vendor). It's next to unmaintainable, it's next to un-upgradeable due to the risk of outages and there has been no oversight into it whatsoever.

All the comments regarding "who puts these things on the internet" are missing the point completely. It doesn't matter if this stuff is on the Internet or not. It only makes it somewhat easier to get access to these networks and start causing outages. However, you've got thousands of miles of converter stations and transformers and power lines dotting the country. It's not that hard to go to the middle of nowhere and get access to the backend networks that carry, for example, the DNP3 traffic. Once you're on there you can carry out this type of attack too.

The fact that an enemy can just use the Internet to penetrate the power companies' networks and pivot from there to their back end networks and actually touch equipment is the icing on the cake; it means they don't need to bother with recruiting and sending spies who can get physical access somehow.

santaragolabs | 9 years ago | on: RankPL – A qualitative probabilistic programming language

Here's one that is maybe more concrete. And I hope I'm understanding everything correctly.

Say you're a startup running your infrastructure in AWS. You spread it out over three different regions and within each region you use 2 availability zones. Your network load is automatically balanced over these three geographical regions.

Now an earthquake happens in one region and although it's unlikely both of availability zones within that region go off line (fiber to the region is cut, power-loss, whatever). This means the entire region goes offline.

If modeled properly you should now be able to figure out what the consequences of this will be for the entire infrastructure. Will you be able to stay online if surprising behavior (an entire region going offline) happens?

Of course the big issue here is always mapping real world scenarios onto models that fit well enough.

EDIT: It's a matter of taking the "nasty integral" part out of it as per nerdponx in another comment on this thread. This can really help with doing Fault Tree Analysis for example as the statistics solving part there has always been a big problem for systems big enough (MCMC solvers help only to a degree).
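
Added example, not from the comment above or from RankPL: the three-regions-by-two-AZs scenario written out as a small fault tree and solved exactly by enumerating every combination of basic events, which is the "take the nasty integral out" step. The topology, the failure probabilities and the "needs at least N regions to carry the load" rule are all constructed assumptions for the demo; a Monte Carlo estimator is included alongside so the two approaches can be compared on the same model.

```python
from itertools import product
import random

REGIONS, AZS = 3, 2   # constructed topology: 3 regions x 2 availability zones


def _states(p_az, p_region):
    """Enumerate all 2**9 combinations of the independent basic events with
    their probability. reg[i]=1: a region-wide event (earthquake, fibre cut)
    takes region i offline. az[i*AZS+j]=1: AZ j of region i fails on its own."""
    for reg in product((0, 1), repeat=REGIONS):
        for az in product((0, 1), repeat=REGIONS * AZS):
            pr = 1.0
            for e in reg:
                pr *= p_region if e else 1.0 - p_region
            for e in az:
                pr *= p_az if e else 1.0 - p_az
            yield pr, reg, az


def region_up(reg, az, i):
    """A region serves traffic if no region-wide event hit it AND at least one
    of its AZs is up: an OR gate feeding an AND gate in fault-tree terms."""
    return (not reg[i]) and any(not az[i * AZS + j] for j in range(AZS))


def outage_probability(p_az, p_region, min_regions, given_region_down=None):
    """Exact P(fewer than min_regions regions up). With given_region_down=i the
    result is conditioned on region i already being offline, i.e. the
    'an earthquake just took out a region, do we stay up?' question."""
    outage = conditioned = 0.0
    for pr, reg, az in _states(p_az, p_region):
        if given_region_down is not None and region_up(reg, az, given_region_down):
            continue
        conditioned += pr
        if sum(region_up(reg, az, i) for i in range(REGIONS)) < min_regions:
            outage += pr
    return outage / conditioned


def monte_carlo(p_az, p_region, min_regions, samples=200_000, seed=1):
    """Sampling estimate of the same quantity; for rare events it needs far more
    samples than the exact enumeration needs states, which is the point."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        reg = [rng.random() < p_region for _ in range(REGIONS)]
        az = [rng.random() < p_az for _ in range(REGIONS * AZS)]
        if sum(region_up(reg, az, i) for i in range(REGIONS)) < min_regions:
            hits += 1
    return hits / samples


if __name__ == "__main__":
    p, q = 0.01, 0.001   # assumed per-AZ and per-region failure probabilities
    for need in (1, 2, 3):
        print(f"need {need} region(s): exact P(outage) = {outage_probability(p, q, need):.3e}, "
              f"given region 0 down = {outage_probability(p, q, need, given_region_down=0):.3e}, "
              f"monte carlo = {monte_carlo(p, q, need):.3e}")
```

With the assumed numbers the answer to the earthquake question is stark: if the design can serve from a single region the conditional outage probability is on the order of 1e-6, if it needs all three it is 1. The Monte Carlo column also shows why the sampling route is unsatisfying here: with 200k samples an event around 1e-6 produces zero or one hit, so the estimate is noise, while the exact enumeration is 512 terms.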

santaragolabs | 9 years ago | on: How to recover lost Python source code if it's still resident in-memory

Yep and they change things around every once in a while too. I RE'd dropbox several times using several different techniques. I just checked my old tarball containing a script which downloads dropbox binary, downloads the Python interpreter, builds the opcode table database and then decompiles everything.

  gvb@santarago:/tmp/lookinsidethebox$ ./run.sh
  fetched all dependencies..lets try decompiling
  no saved opcode mapping found; try to generate it
  pass one: automatically generate opcode mapping
  108 opcodes
  pass two: decrypt files, patch bytecode and decompile
  1928/1928
  successfully decrypted and decompiled: 1727 files
  error while decrypting: 0 files
  error while decompiling: 196 files
  opcode misses: 7 total 0x6c (108) [#9],  0x2c (44) [#14],  0x8d (141) [#15],  0x2e (46) [#1],  0x2d (45) [#14],  0x30 (48) [#5],  0x71 (113) [#11783],  
A starting point to do this yourself is: https://github.com/rumpeltux/dropboxdec. After unmarshalling the new pyc files the seed read in via the rng() function is in newer Dropbox installations passed through a Mersenne twister from which 4 DWORD values are being read which are then used to construct the key for the Tiny Encryption Algorithm cipher.

After that you get the binary blob back which you can unmarshall now. But you still need to figure out the opcode mapping. For that I used a trick publicly first done (to the best of my knowledge) by the author of PyREtic (Rich Smith) released at BH 2010. He just compares the stdlib pyc files with the stdlib included within dropbox (after decrypting those pyc files) byte by byte. That should yield a mapping of opcodes.

Then pass everything through uncompyle2 and you've got pretty readable source code back. Some files will refuse to decompile but that means hand-editing / fine-tuning the last bits of your opcode table a bit.

EDIT: follow-up on parent comment; the encryption keys are not in the interpreter. The interpreter is patched to not expose co_code and more (to make this memory dumping more difficult; injecting a shared object is a different technique that I used too). It's also patched to use the different opcode mapping and the unmarshalling of pyc files upon loading them. However, the key for each pyc file is derived from data strictly in those files themselves. It's pretty clear when you load up the binary in IDA Pro and compare the unmarshalling code with a standard Python interpreter's code.
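
Added example, not from the comment above, from dropboxdec or from PyREtic: the opcode-mapping recovery step described above (compare stdlib bytecode compiled by a stock interpreter with the same files as shipped by the patched one, and read the mapping off wherever they line up), plus the "opcode misses" bookkeeping the run output shows. It assumes CPython 3.6+ wordcode, where every instruction is a 2-byte (opcode, arg) pair, so alignment is positional; the obfuscating table is a constructed random permutation standing in for whatever a vendor's patched interpreter uses, and the two sample functions stand in for the stdlib corpus.

```python
import dis
import random


def instructions(code: bytes):
    """CPython >= 3.6 wordcode: every instruction is (opcode, arg), 2 bytes."""
    return [(code[i], code[i + 1]) for i in range(0, len(code), 2)]


def remap(code: bytes, table: dict) -> bytes:
    """Rewrite bytecode through an opcode table; used both to simulate the
    patched interpreter and to undo it once the table is known."""
    return bytes(b for op, arg in instructions(code) for b in (table[op], arg))


def obfuscating_permutation(seed: int) -> dict:
    """Constructed stand-in for a patched interpreter's shuffled opcode table
    (assumption: a plain permutation of 0..255)."""
    rng = random.Random(seed)
    shuffled = list(range(256))
    rng.shuffle(shuffled)
    return dict(zip(range(256), shuffled))


def recover_mapping(reference: bytes, obfuscated: bytes, mapping: dict = None) -> dict:
    """Align the same source compiled by the stock interpreter (reference) and by
    the patched one (obfuscated) and record foreign opcode -> stock opcode.
    Arguments must agree byte for byte; if they don't, the two files were not
    built from the same source or interpreter version and the table is garbage."""
    mapping = {} if mapping is None else mapping
    if len(reference) != len(obfuscated):
        raise ValueError("length mismatch: not the same source or interpreter version")
    for (r_op, r_arg), (o_op, o_arg) in zip(instructions(reference), instructions(obfuscated)):
        if r_arg != o_arg:
            raise ValueError("argument mismatch: streams are not aligned")
        seen = mapping.setdefault(o_op, r_op)
        if seen != r_op:
            raise ValueError(f"foreign opcode {o_op:#x} maps to both {seen} and {r_op}")
    return mapping


def opcode_misses(obfuscated: bytes, mapping: dict) -> list:
    """Foreign opcodes in a file the table does not cover yet (the 'opcode misses'
    count in the run output); feeding more stdlib pairs shrinks this list."""
    return sorted({op for op, _ in instructions(obfuscated) if op not in mapping})


def deobfuscate(obfuscated: bytes, mapping: dict) -> bytes:
    """Translate a file back to stock opcodes, refusing rather than guessing."""
    misses = opcode_misses(obfuscated, mapping)
    if misses:
        raise ValueError("opcode misses: " + ", ".join(f"{m:#x}" for m in misses))
    return remap(obfuscated, mapping)


def missing_stock_opcodes(mapping: dict) -> set:
    """Stock opcodes the corpus never exercised, so still unmapped."""
    return set(dis.opmap.values()) - set(mapping.values())


# Constructed corpus standing in for the stdlib files present in both interpreters.
def _sample_loop(xs):
    total = 0
    for i, x in enumerate(xs):
        if x % 2:
            total += x * i
        else:
            total -= 1
    return total


def _sample_misc(d):
    try:
        return [k for k in sorted(d) if d[k] is not None][:3]
    except TypeError as exc:
        return str(exc)


CORPUS = [_sample_loop.__code__.co_code, _sample_misc.__code__.co_code]


def demo(seed: int = 7) -> bool:
    """Obfuscate the corpus with a secret table, recover it, round-trip every file."""
    secret = obfuscating_permutation(seed)
    shipped = [remap(c, secret) for c in CORPUS]
    mapping = {}
    for ref, obf in zip(CORPUS, shipped):
        recover_mapping(ref, obf, mapping)
    print(f"{len(mapping)} opcodes mapped, {len(missing_stock_opcodes(mapping))} stock opcodes unseen")
    return all(deobfuscate(o, mapping) == r for r, o in zip(CORPUS, shipped))


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The conflict check in `recover_mapping` is the important part in practice: a mapping that silently tolerates contradictions produces decompiler output that looks plausible and is wrong, which is exactly the "some files refuse to decompile, hand-edit the table" situation the comment describes.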

santaragolabs | 9 years ago | on: Opposition to Galileo was scientific, not just religious

And to follow up: several works on the history of science are great, and it is great for learning that history is very messy. Also, in science, things are never as black and white as people several decennia down the line tend to think about how those scientific discoveries went down.

I really liked "The Invention of Science" by David Wootton which I read a couple of months ago. A Guardian review of that work can be found here: https://www.theguardian.com/books/2015/nov/28/invention-of-s...

santaragolabs | 9 years ago | on: Introducing Windows Defender Application Guard for Microsoft Edge

As someone who spent a lot of time in the past 5 years at MSFT and also at tons of other firms doing security work / SDL work on code bases: there are very few companies where a giant C/C++ code base is getting even close to the quality of Microsoft's.

And indeed; very few companies spent as much money as Microsoft on their entire SDL. Sadly never had the chance to get a look into Google's kitchen but I'm hearing that they're great too.

They're also not dealing with the kind of backwards compatibility that Microsoft is dealing with which helps them out a lot too.

santaragolabs | 11 years ago | on: Why I left my PM role at Microsoft

Not at Microsoft but know the company well (did contracting work for some teams).

PM refers to Project Manager as far as I know. But there are different levels of PMs within Microsoft. You can be a completely junior PM managing two really junior devs developing a simple feature. Or you can be a principal level PM and earn that amount of money. Just the term PM doesn't mean much.
