Tuesday, February 6, 2018

Dolphins

Recently I’ve done some harmless trolling. I’ve opened a PR to SecLists to remove “my password”, “dolphins”, from all of the common passwords lists. Or in simple English, there is a public list on the internet of the most common passwords people use and I’ve asked them to remove the password “dolphins” from all lists so hackers won’t be able to hack my account. Of course this is ridiculous, and that’s why it’s funny :)
Anyhow, the post got more attention than expected.
Most surprisingly, in the recent Meltdown paper at https://meltdownattack.com/meltdown.pdf there is an example of stealing browser passwords, and one of the passwords is "Dolphins". I wonder whether it's a strange coincidence or that the author was impressed with my PR.
I would like to explain here how I got to this silly idea. From time to time, I get to consult developers and admins about security. Whenever we talk about passwords I have a few guidelines, such as using 2FA everywhere. I always advise checking whether the password is found on any of the lists of the SecLists GitHub project. Clearly, if you find your password there, it's not a good enough password.
Recently I’ve found myself guiding a SysAdmin that didn’t seem like the brightest tree in the forest. As a security researcher that got me thinking, again, what could go wrong. When I imagined that person might try to solve his problem by attempting to remove the password from the lists, instead of changing it, I thought it’s so hilarious, I must do it.
Apparently, GitHub users liked it too, and it got too many comments. Sometimes when I try to load the comments page of the PR I get:

If you appreciate the joke please approve the PR to help me make sure it's the most approved PR on GitHub (https://github.com/danielmiessler/SecLists/pull/155).

Cheers,
Assaf

Saturday, September 2, 2017

PoC||GTFO

On March 2nd, my paper about the making of the Kosher Phone was published in an extremely awesome technical online magazine, PoC||GTFO (Proof of concept or get the fuck out), issue 0x3. This month a collection of 80 essays from the magazine (including mine) was published as a book. The book was designed to resemble a bible, with the same cover and paper type. I couldn’t think of a better place for my technical writing regarding the making of Kosher phones :)
I’ve replaced the bible I got for my Bar Mitzva with this better bible.




I would like to thank Travis Goodspeed for giving me this opportunity.


Saturday, July 15, 2017

The Tetris Fiasco

This is the Tel Aviv municipal building and it has a huge 12x20 light show on it.


Every time I passed by it, I had this idea that it would be cool to play huge Tetris on it. So I looked up on Tel-Aviv city web-site and found the contact of whoever is in charge of city’s events and celebrations. I wrote her a very professional email saying I’m working in the IT industry for a long time and I’m expert on embedded systems and that me and my friends who are also very good engineers, had this idea for a project of playing Tetris on their huge light display. Her response was quick and very enthusiastic (something like: “Wow, sounds awwwwwesome!!!1”). After a few more email exchanges I got the contact of the IT guy who was responsible for the system.
The system was made by Philips, in kind of a huge array of Philips Hue mash. It had a nice controller called “Color Kinetics” that was connected to a PC running “Color Play 2.1” on Windows XP.


After checking all of the technical details, making some planning and gathering a bunch of friends to take part in the project, I sent them a proposal which I was willing to do for free, just to have the opportunity to play a game. Needless to say, I had a few limitations such as:

  • I could work only during evening / night hours, as me and my friends have a day job.
  • Even though I see no risk to the system, the lights or anything else, I have no insurance, so they will have to be responsible for it if something goes horribly wrong.
  • I won’t create an App for it, just a controller connected by WiFi.
  • 20x12 might not be enough for Tetris, so I might want to make a Snake game or Pong or all of the above.

At the beginning they were very responsive and answered most of my emails very quickly, they added more and more people to the CC, and I had a feeling everything's going in the right direction. However, at some point, they started asking for more and more paper work / technical details that didn’t seem relevant. I even got a friend who is a graphic designer to make a sketch of how the Snake game will look like:


At this point I told them I’m doing it for free, so I’m going to give them only a POC level product. I am willing to give all of my code, documents and research. Once we have a working version they can either take everything to someone else to make a product out of it for less money, or I’ll give them another proposal (this time not for free) to finish everything. The responses became slower and slower until at some point they totally stopped. I thought they probably decided not to proceed with the idea, and forgot about it.
A few months later I got a phone call from a friend who told me he saw my Tetris project and that he even got to play a game.


I was shocked. I’m not sure who gave them a better offer than a free one, or which part created the problem of actually using my proposal, but anyhow, I was quite upset that they used my idea and someone else’s implementation.
I would love to hear your thoughts and feedback about why you think I didn’t get the job, and how I should have acted differently. Do you think that if I had asked for money and had insurance I would have had better chances of getting the job? Do you think the company that was hired for the project had some connections and that’s why they got it? Do you think I might have improperly presented myself and seemed unprofessional for the job?

Cheers,
Assaf

Monday, February 27, 2017

Numbers Memory Trade Off

I have a small obsession about human memory. I’ve watched many YouTube videos about savants with profound memory and the things they can do. Videos such as “The Boy With The Incredible Brain” and “The Real Rain Man”. These people who can remember anything with perfect accuracy are fascinating.

My obsession pushed me to learn about memory techniques. I found out that even though my memory is nothing to be proud of, using a few tricks I was able to memorize the order of a deck of 52 playing cards! At my peak I was able to memorize two full decks in less than 15 minutes. I believe that almost anyone who practices that can achieve the same results in a short period of time.

In one TED talk, Daniel Tammet, who is a savant, talked about synesthesia. He described synesthesia as one of the key abilities for outstanding memory and many other astonishing creative abilities. Synesthesia, is a cross between senses, for instance, perceiving numbers as colors or sounds. I instantly saw that as an invite to try LSD, as it’s known to be one of the side effects of the drug ;)

Daniel Tammet, also claims that everyone has synesthesia of some level, and that it’s also an acquired ability to some level.
In my very little free time, I’ve started working on an Android app for helping “stimulate” synesthesia. The idea is simply a big size Simon game. Simon is a kind of memory game. In that game a player is given a series of tones and lights and is required to repeat the series. Usually this game has four colors. My version of the game has ten colors, each one corresponding to a number from Zero to Nine. In my game the series of tones is not random, and it corresponds to the string of numbers the user wishes to memorize. Currently I use 50 digits of Pi, but I will add an option to enter an arbitrary number, or choose a phone number from the contact list.
If anyone has more interesting links about these kinds of memory techniques, or any unbelievable savant stories, please share them down in the comments.
If anyone is interested in the Android app, or wants to help please do it on GitHub on the following link:
Warning, this is my very first Android app, I’m more used to see Android apps in IDA...


Cheers,
Assaf

Monday, October 3, 2016

More QRCodes


I’ve updated the library from the last post to support colored QRCodes with all kinds of outputs.
To try it one can either use my fork at: https://github.com/assafnativ/python-qrcode (In Red)
Or the pull request at the original project: https://github.com/lincolnloop/python-qrcode/pull/118 (In Green)
Here is the output of sample.py
PNG format

TTY using basic ANSI colors:

ASCII using extended RGB escape codes:

Sunday, September 11, 2016

Business Card

When I just started freelancing, I wanted to design my own business card. It had to have QR code, of course. At first I tried one of these online QR code generators and got something like this:

That contains all the information I want to share about myself. Unfortunately, this is a very dense QR code, and therefore it’s harder to scan properly with a smartphone, especially when printed on a card. It seemed like no matter how much information I removed from it, it was still the dense kind of QR code. So I started reading about the structure of QR codes to understand what the limits of the nice smartphone friendly type are.
Apparently there are classes of QR codes called versions, where “Ver1” is the most friendly, but contains the least amount of data, while the one above is of version 7. Therefore, I was aiming for version 5 at most.
During my research (when I say research I mean reading the Wikipedia page for QR code), I came across this picture that explains the structure of QR codes:

Source: Wikipedia
After I saw that sample, I knew exactly what my business card should look like. My skill is “Reverse Engineering”, I take things apart to understand how they work. The picture reflected that very well. I wanted to deconstruct the QR into elements of data on the card. The idea I had in mind was something like:

The colors of a box reflect the data it encodes. Of course, this is just a sample I made by hand, in which the colors have very little to do with the data.

My plan was to:

  • Find a Python library for encoding QR codes
  • Find a way to encode the information in the version 5 QR code
  • Write a new feature for the library to add colors to the data

I started with the Python QR code library from: https://github.com/lincolnloop/python-qrcode

But it seemed like it wasn’t optimized enough, this is what I got the first time I used it:


Which is a level 8 QR code, while for the same data I already got a level 7 QR code. At first I assumed it had to do with the amount of error correction used in the encoding, but investigating further, I found that both of them were set for M (Medium) error correction mode.
By investigating the code I found that I can get a better result by using the library a bit differently, but still it wasn't the most optimized encoding.
QR code has 4 different kinds of data encodings:

  • Numbers only (0-9), for which every 3 characters are encoded by 10 bits
  • Number + capital alphabet + “ $%*+-./:”, in which every 2 characters are encoded by 11 bits
  • 8 bit chars, in which every character takes 8 bits
  • Kanji for Chinese characters encoding

The problem is that moving from one mode to another costs about 15 bits. For example, to encode the string “a111a” you can either:

  • Spend 15 bits to set mode 3
  • Encode “a” with 8 bits
  • Spend 15 bits to move to mode 1
  • Encode “111” with 10 bits
  • Move back to mode 3 = 15 more bits
  • Encode “a” with 8 bits

In total: 15 + 8 + 15 + 10 + 15 + 8 = 71 bits
Another option is to:

  • Move to mode 3 for 15 bits
  • Encode everything “a111a” with 8 * 5 bits

In total: 15 + 40 = 55 bits
Therefore, it’s hard to know when it’s really worth changing encoding mode.
To solve the problem with 100% certainty of the best encoding, I used a flow graph. In that graph I made a node for “start” and an edge to each encoding mode that can encode the next character. For the data in the example above the graph would look something like:


Once I created the graph, searching the shortest path from “start” to “end” using “Dijkstra” gave me the very best encoding for my data.
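
The shortest-path search described above can be sketched as follows. This is an added example, not code from the post or from python-qrcode: the function names are hypothetical, the flat 15-bit cost per segment is the post's approximation (the real header size depends on the QR version and the mode), Kanji mode is left out, and byte mode is assumed to take one byte per Latin-1 character. Graph nodes are positions in the text, and an edge from i to j means "encode text[i:j] as one segment in one mode".

```python
import heapq

NUMERIC = set("0123456789")
ALNUM = set("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:")
SWITCH_BITS = 15  # assumption: the post's approximate cost of starting a segment

def payload_bits(mode, n):
    """Data bits for n characters in a single segment of the given mode."""
    if mode == "numeric":   # 10 bits per 3 digits; 7 bits for 2 left over, 4 for 1
        return 10 * (n // 3) + (0, 4, 7)[n % 3]
    if mode == "alnum":     # 11 bits per 2 characters; 6 bits for 1 left over
        return 11 * (n // 2) + 6 * (n % 2)
    return 8 * n            # byte mode

def fits(mode, ch):
    """True if character ch can be encoded in the given mode."""
    if mode == "numeric":
        return ch in NUMERIC
    if mode == "alnum":
        return ch in ALNUM
    return ord(ch) < 256    # byte mode, Latin-1 only in this sketch

def best_segments(text, switch_bits=SWITCH_BITS):
    """Dijkstra from position 0 to len(text); returns (bits, [(mode, chunk), ...])."""
    n = len(text)
    dist, prev, heap = {0: 0}, {}, [(0, 0)]
    while heap:
        cost, i = heapq.heappop(heap)
        if i == n:
            break
        if cost > dist[i]:          # stale queue entry, a cheaper path was found
            continue
        for mode in ("numeric", "alnum", "byte"):
            j = i
            while j < n and fits(mode, text[j]):
                j += 1              # extend the segment one character at a time
                new = cost + switch_bits + payload_bits(mode, j - i)
                if new < dist.get(j, float("inf")):
                    dist[j], prev[j] = new, (i, mode)
                    heapq.heappush(heap, (new, j))
    if n not in dist:
        raise ValueError("text contains a character no supported mode can encode")
    segments, j = [], n
    while j > 0:                    # walk back from the end to recover the path
        i, mode = prev[j]
        segments.append((mode, text[i:j]))
        j = i
    return dist[n], segments[::-1]
```

For “a111a” this picks the single 55-bit byte segment from the example above, while for a string such as “HELLO WORLD 1234567890123456” it splits into an alphanumeric and a numeric segment because the shorter digit encoding outweighs the extra switch.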

This work brought me back the level 7 QR code, which is still not the level I was aiming for. Meanwhile, I found out that UPPER CASE letters are encoded much better than lower case. So by playing with the data a little I got:

This is a level 6 QR code, just one more level to go ;)
The last encoding improvement I got by reducing error correction from M to L (Low). Here it is:

This is a level 5 QR code, big success!

All that I was left to do is take care of the colors. To adjust the colors I simply attached an RGB value to every data piece that I added, and percolated it through the different functions. For the error correction I used two different modes, one that uses a different color (see example below) and one that reflects the data colors in a vague way. Here is the result:



BEGIN:VCARD
VERSION:2.1
FN:Assaf Nativ
TEL:+972500000000
TITLE:REVERSE ENGINEER
EMAIL:Nativ.Assaf@gmail.com
END:VCARD
  • Probs
  • Timing pattern
  • Error Correction






One more fun twist: Squares -> Circles:

Cheers, Assaf

P.S. The definition of the QR Code standard is ISO/IEC 18004:2015, which cost about 300 USD. If you liked this post, any help in getting the PDF would be very appreciated.

Saturday, May 9, 2015

Future Predictions FAIL

Note: sorry for my extra bad grammar in this post, I’m not sure which tenses I should use when talking about past writings that describe future that is now the past but wasn't then as it was in the future… well you get it...
Every once in a while I come across an article about what the future might look like. Usually these kinds of writings turn out to be a total fail when the future date comes. I adopted a habit of collecting these articles in a special folder. Each article is saved with the name of read_me_in_year_YYYY.pdf where YYYY is the year which the current paper is trying to foresee. I’m not allowing myself to read any of these until the year YYYY arrives.
Recently I had the pleasure of opening the first one that I saved in 2008 that tried to predict computers technology for 2015. I found an online copy of that article here: http://www.entrepreneur.com/article/198920
The article is trying its best in 15 technologies, and I think it’s quite safe to say it failed in about 12 of them, but I’ll say it failed all the 15.
  1. The memristor. The idea of memory of the size of persistent memory that we currently have but that works in the speed of RAM that we currently have, is not new, and if it does turn true in the future it will have to change the entire way operating systems are written. This idea is a lot of fun to play with, and one can actually try it himself with a special hardware such as this http://www.hyperossystems.co.uk/07042003/hardware.htm. But as awesome as it is, we are still going to have to wait for this to become real, if it ever will.
  2. 32-Core CPU. Especially not for home users. FAIL. They failed to see the Intel Itanium fail on the desktop. It seems like we are stuck at the 8 cores border for quite a while.
  3. End of Stand-Alone Graphics Boards. FAIL. Just a week ago I bought a new graphics adapter for my PC to support my awesome three monitor setup.
  4. USB 3.0, well, ok. But they made a much bigger deal of it than what it really is. They also predicted it would have a different connector.
  5. Wireless Power Transmission. FAIL. They win the FAIL flag here just because we don’t have light bulbs that work on wireless power.
  6. Windows 64bit, yes it’s here. And again, they get a FAIL because quoting “Microsoft will have to jettison 32-bit altogether”. Nevermind what the word “jettison” means, Windows 10 is coming out soon and guess what, it’s going to have a 32bit version. They also tried to predict that in 2025 we will have 128bit OS, which I think frankly is just silly.
  7. Windows 7. Not much of a prediction there. They were aiming at 2010; a two year prediction is not that exciting because things are already being set and built.
  8. Google desktop. Not much of a prediction here either.
  9. Gesture-Based remote control. I think it’s now safe to call this dream a fail. And the same goes for voice recognition TV, do you know anyone who speaks to his TV and it actually answers?
  10. Tru2Way TV. FAIL, quoting from Wikipedia: “As of July 2010, Panasonic, the sole device manufacturer, producing Tru2way compatible televisions, has stated that they will no longer sell Tru2way compatible televisions. Thus, at this point there are no television sets with built-in Tru2Way compatibility being sold.”
  11. No DRM from the big companies… Lol, FAIL
  12. Use any phone on any wireless network. FAIL. Something much better might happen with 4G.
  13. Your fingers do even more walking. Or how multi touch screen seemed such a neat technology just 7 years ago. I must give them a PASS on this one. Multi-touch screens are everywhere now, and we kinda’ take them for granted. I think they failed from the other side on this one. They predicted that about 800 million touch-screens would have been sold in 2013, but just with smartphones it came closer to a billion.
  14. Cell phones are the new paper. Not more than what it was like in 2008. FAIL
  15. Where you at. I’m not sure what they are trying to describe here. The idea is so vague. It sounds a little like 4square, but it’s not. Anyhow, FAIL.
Recently Gizmodo made a post about how and why we so often fail in predicting future technology. I find their post very relevant to this one, so here is a link: http://gizmodo.com/why-scientific-americans-predictions-from-10-years-ago-1701106456

Cheers,
Assaf