Category: Hackerterrorcybercyber

The road to hell is paved with outdated passwords…

So I am using Chrome in a corporate context. Outdated password regulations force me to change (increment) my password every three months. The reason for that is well understood (PCI compliance), but it can’t be changed from inside the corporation.

Previously, Chrome stored my passwords in the Apple Keychain. So I could script this using /usr/bin/security, and either push my password change into all saved passwords or, alternatively, bulk delete all those old passwords.

Recent Chrome does not do that any more.

PHP: Understanding unserialize()

The history of serialize() and unserialize() in PHP begins with Boris Erdmann and me, and we have to go 20 years back in time. These are the days of the prerelease versions of PHP 3, some time in 1998.

Boris and I were working on code for an employee education management system for German Telekom. The front end is a web shop that sells classes and courses; the back end is a complex structure that manages attendance, keeps track of a line manager approval hierarchy and provides alternative dates for overfull classes.

In order to manage authentication, shopping carts and other internal state, we needed something that allowed us to go from a stateless system to a stateful thing, securely. The result was PHPLIB, and especially the code in session.inc.

That code contained a function serialize(), which created a stringified representation of a PHP variable and appended it to a string. There was no unserialize() necessary, because serialize() generated PHP code. eval() would unserialize().

Illegal and undocumented instructions

Illegal and undocumented instructions are not a new thing. The Commodore 64 CPU, a 6502 with a few additional I/O lines, was known to have them, and since on current CPUs we can run a complete transistor-level (VLSI) simulation of a 6502 in JavaScript, we also understand where they come from. Pagetable.com has a wonderful article on this.

So how about current CPUs? Modern CPUs are vastly bigger and more complicated than a 6502, and they are also set up very differently. So simulation is not taking us anywhere, but we can fuzz.

Sandsifter is such a CPU fuzzer:

Zero Factor Authentication

Dear Internet, Today I Learned that oath-toolkit exists in Homebrew.

So, this is a thing:

$ brew install oath-toolkit
$ alias totp='oathtool --totp -b YOURSECRET32BLA | pbcopy'

And so is this:

#! /usr/bin/env expect -f
 
set totp [ exec oathtool --totp -b MYSECRET7W22 ]
 
spawn ssh verysecure.doma.in
expect "Password:"
sleep 1
send "thisIsN0t1GoodPaszwort@\r"
expect "Two Factor Token:"
sleep 1
send "$totp\n"
interact

Yup, it’s totally possible to laugh and cry at the same time.

Symantec considers exiting the Certification business

Apparently, between being asked to behave responsibly by Google and the Certificate Transparency project, and Let's Encrypt eating into the profit margins in the cert market in general, Symantec are reconsidering their presence in the CA market completely.

Reuters reports:

Cybersecurity firm Symantec Corp is considering selling its website certification business, in a deal that could fetch more than $1 billion and extricate it from a feud with Alphabet Inc’s Google, people familiar with the matter said on Tuesday.

We remember that Symantec had earlier proven themselves unable to run a CA properly. The Reuters article also nicely reminds us which other toxic snake oil assets are still part of Symantec (e.g. Blue Coat) and which are possibly recovering after having been sold off (e.g. Veritas).
