Developers Club geek daily blog

Security Week 01: The racketeer on Javascript, $100 of k for a bug in Adobe Flash, the ciphered bright future

2 years, 10 months ago
The Chaos Communication Congress conference became an important event of the end of December. Materials from it can be found on a key word 32c3 where 32 — sequence number of action, since 1984. In Hamburg there were many interesting researches on action. For example, experts Felix Domke and Danielle Lange in detail told about a technical aspect of "dizelgeyt", including features of work of modern managing systems of cars. And here it is possible to look at the monumental 110-page presentation about vulnerability of railway systems and to come to a conclusion that IT in trains is applied widely, much, everywhere differently, and it is frequent using standard software (Windows XP) or standard protocols of a wireless communication (GSM) which shortcomings from the point of view of safety are widely known and are actively operated (fortunately, so far in other places).

And here news (the presentation and the link to research work inside) that unique features of programming style filter even into compiled code. Though this subject also is rather highly specialized, I see in it something bigger: perhaps in the near future the picture will finally lose relevance on the right. Not because all will monitor all, and thanks to the behavioural analysis — the user can be identified how it vzamodeystvut with the website, the application or something else the same as the programmer — how that writes a code. Here by the way Apple purchased the startup specializing in the analysis of human emotions just yesterday. Generally, the 2016th year begins interestingly. And we continue supervision. The previous series are available here.

Read more »

We draw elliptic curves by means of SQL

2 years, 10 months ago
The benefit of approach on the basis of elliptic curves in comparison with a problem of the factorization of number used in RSA, or the problem of integer logarithming applied in Diffie-Hellman's algorithm and in DSS is that in this case equivalent protection at smaller key length is provided.

Generally the equation of an elliptic curve E in the field of real numbers of R has an appearance:

— y^2+a1*x*y+a3*y = x^3+a2*x^2+a4*x+a6

or in case of a final ring of deductions of Z|n:

— y^2+a1*x*y+a3*y = x^3+a2*x^2+a4*x+a6 mod N

Let's set for ourselves the task of visualization of an elliptic curve.

Elliptic curve E in the field of real numbers of R

If the elliptic curve E is considered in the field of real numbers of R, then creation of the diagram can be described, using only knowledge of algebra and geometry of the senior classes of school

arguments of N a1 a2 a3 a4 a6 xmin xmax
  1. We select the range [xmin — xmax] of argument x
  2. We note on the selected range of argument x necessary number of x1 values..., xN
  3. Each of x1 values..., x^3+a2*x^2+a4*x+a6 is substituted xN in y^2+a1*x*y+a3*y equation = and we receive the normal square equation of argument of y
  4. We find roots of the square equation of argument of y
  5. If the square equation of argument of y has solutions, then we add two points on the diagram
  6. We connect lines all "upper" points on the diagram and all "lower" points on the diagram

Read more »

We subdue UEFI SecureBoot

2 years, 11 months ago
These promises should be kept if they are made at first in final part of the opus about safety of UEFI, and then are repeated from ZeroNights 2015 scene therefore today we will talk about how to force UEFI SecureBoot to work not for the benefit of Microsoft as it is most often configured by default, and for the benefit us.
If it is interesting to you how to generate the obstvenny keys for SecureBoot how to set them instead of standard (or together with them), how to sign your favourite EFI loader how to prohibit loading unsigned or signed with others conversion keys as the interface for the SecureBoot setup at AMI, Insyde and Phoenix looks and why it, by and large, is not important at all — welcome under kat, but be afraid of a large number of pictures and long console instructions.

Read more »

Myths about / dev/urandom

2 years, 11 months ago

For certain many of you repeatedly faced myths about / dev/urandom and / dev/random. Perhaps, you even trust in some of them. In this post we will break covers from all these myths and we will sort the presents strong and weaknesses of these random number generators.

Read more »

Open-source of implementation of domestic cryptostate standard specifications

2 years, 11 months ago
At the weekend decided to look for open-source of implementation of domestic cryptographic standards. First of all interested new: a hash function of Stribog (GOST P 34.11-2012), the Grasshopper (State standard specification P 34.12-2015) and the EDS (GOST P 34.10-2012 or 2001 (without 512 bits)). Old GOST 28147-89 specially did not look for as to find its implementation there are no problems for a long time.
So, let's look what turned out. At once I warn that did not check a correctness of implementations.

Read more »

Get acquainted: Hash steganography. Very slow, but absolutely confidential

2 years, 11 months ago
Yes, dear reader, you correctly read: absolutely confidential. And, I ask to notice, absolutely confidential in the strongest mathematical sense: absolutely confidential on Kashena because Kulbak's distance — Leyblera in my mathematical construction will be equally in zero; and not to "nearly zero", but real-life zero, without any "infinitesimal" and other vulgar approximations!

How? And it is very simple — I will not intersperse anything in a stegokonteyner at all. Really, if we intersperse nothing, then the empty container is indistinguishable from a stegokonteyner, truly?

"Wait, but if we intersperse nothing at all, then we transfer nothing at all!!!" — the reader will reasonably argue with me.

Absolutely truly! To intersperse we and we will not be! There is a method, without distorting the container, nevertheless to transfer information. How?

Schematically Hash steganography ɔ⃝
it is possible to provide so:

The text explanation to the picture under a cat.

Read more »

Randomness in PHP7 – Whether will carry to me?

2 years, 11 months ago
Криптографическая рандомизация в PHP

In this article we will analyze the problems relating to random number generation, used in cryptography. PHP5 does not provide a simple generation engine of cryptoresistant random numbers while PHP7 solves this problem by introduction of CSPRNG functions.

What is CSPRNG?

Quoting Wikipedia, cryptographic the resistant pseudorandom number generator (English Cryptographically secure pseudorandom number generator, CSPRNG) is a pseudorandom number generator with the certain properties allowing to use it in cryptography.

CSPRNG is generally used for the following purposes:
  • Key generation (including, generation of public/private of keys)
  • Creation of accidental passwords for accounts of users
  • Encryption systems

The main aspect of saving of the high level of safety is high quality of randomness.


PHP7 enters two new functions which can be used for CSPRNG: random_bytes and random_int.

Read more »

It is declared the beginning of acceptance of works on CTCrypt symposium '2016

2 years, 11 months ago
From June 6 to June 8, 2016 in Yaroslavl there will pass the fifth international symposium "Current trends in cryptography" of CTCrypt 2016.

Read more »

Let's Encrypt leaves in a public beta: HTTPS everywhere, to everyone, from now on and forever free of charge

2 years, 11 months ago
Let&39;s Encrypt

Let's Encrypt — it is the non-commercial initiative providing the free, automated and open CA (certificate authority — certificate authority) created ISRGby for the benefit of society:

  • free of charge: the owner of any domain name can use Let's Encrypt and receive entrusted (to read as "is recognized as any modern browser") the TLS certificate (TLS — the successor of SSL) absolutely free of charge;
  • it is automated: Let's Encrypt provides free and the free software (client) which, being configured on the Web server, can request completely automatically non-paid provided certificates of Let's Encrypt, automatically configure and update them;
  • safely: Let’s Encrypt is under construction as a platform for promotion the best practician of safety of TLSof both on the party of certificate authority (CA), and on the party of websites, helping administrators to configure Web servers properly;
  • it is transparent: information on release and a withdrawal of each certificate of Let's Encrypt is available quite and publicly so that anyone to study it will be able to make it;
  • freely: the protocols of interaction from CA allowing to automate processes of release and updating of certificates will be published as the open standard for the maximum implementation;
  • kooperativno: as well as any protocol which is the cornerstone of the Internet and the World Wide Web of Let's Encrypt is joint, uncontrollable any specific organization by the non-commercial project created bringing benefit to society.

Read more »

Young hackers 414s

2 years, 12 months ago
The name of command 414s sounds so as if it is some fashionable rock group of the 80th. But heroes of this history became famous not for music, and computer crackings at all. By means of normal home computers they hacked about ten computer systems of serious organizations, such as Los-Alamossky National laboratory to New Mexico, the Oncological center Memorial Sloan-Kettering in New York, as well as school of the city of Milwaukee. Young hackers had so a good time and only satisfied the unreasonable inquisitiveness.

The command 414s consisted of group of teenage supporters. But the public only six young men, age from 16 to 22 years opened. The group on a twist of fate gathered — their meeting and a close acquaintance was promoted by research club of boy scouts which was sponsored by the known company IBM. The main objective of this organization was to teach kids to use computers. And pupils exceeded any expectations. So exceeded that since 1983 got under close attention of FBI and became famous for the whole world.

Read more »