2013-04-01 Information Visualization Is Just A Starting Point

Information Visualization Is Just A Starting Point

Information visualization is not an end but just a step to improve our understanding of data. Following a small discussion in the train about the visualisation of open data, I did a small experiment to analyse the statistics about the waste collection in my region. The result of this experiment is available along with some random notes. But the main question came from someone else looking at the visualization and basically told me: "I don't get it". He is right, the experimentation is just there to trigger more analysis (and sometime more visualization) with the objective to improve our understanding. Initially, the source of data is usually not analysed and sitting there waiting to be understood. Coming back to the data about waste collection, the initial discussion about the understanding or interpretation wouldn't be triggered if the first step of visualization is not done.

So in that scope, I tried a similar approach with a dataset I built from my cve-search tool. My idea was to see the terms used all the description of the Keywords in Common Vulnerabilities and Exposures (CVE). I did a first CVE terms visualization experiment and then I twitted about it. Then, this was triggering various explanations like why there is a predominance of some terms as commented by Steve Christey.

It clearly showed that is an iterative process especially to better understand the data. It's also an interactive process in order to improve the visualization and the data source. Following the good advise from Joshua J. Drake, I added a lemmatizer to keep only the root of each term and also exclude the standard English stopwords. With the visualization, we saw from some occurrences (e.g. unknown or unspecified) that the CVEs are based on incomplete information.

I'm quite sure that is not finished and just the beginning of more work and experiments in visualization. I read various books about information visualization but the result is often very static and you don't really see their iterative process to reach their visualization goals. Sometime, you just see a result without the process and the tools used to make the visualization happens.

At least with free software like D3.js, we have now a set of tools to understand how the visualization was built and maybe improve/discuss those visualizations. At least, if you want to play or improve the visualization of terms used for software vulnerabilities description, let me know.

You want an open mind, but not an empty head. Just because something is a new or fashionable alternative, doesn’t mean we need to get stupid when judging it. Edward Tufte.

Syndicated 2013-04-01 21:11:08 from AdulauWikiDiary: RecentChanges

2013-02-23 Vulnerability Management Is Just An Approximation

Software Vulnerability Management Is Just A Huge Approximation

Approximation is a representation of something that is not exact. To be extremely exact vulnerability management is not even a mathematical approximation like we know it for Pi value. But from where this utterly huge approximation is coming from? The first origin is the inner definition of "vulnerability management". If you look at various definitions like the one from Wikipedia or some information security standards, you have something like "it's a process identifying → classifying → remediation → mitigation of software vulnerabilities". Many information security vendors might told that is an easy problem but you can ask yourself if this is an easy problem why so many organizations are still compromised with software vulnerabilities.

In my pragmatic eyes, it's very broad, so broad that a first reaction is to split the problems into parts that you can solve. If we just look at the initial step to identify software vulnerabilities.

To solve this problem, the first part is to discover, know and understand the software vulnerabilities. Everyone is discovering vulnerabilities everyday (just look at how many bug reports are going into the Linux Kernel bug tracking software) and very often when you report a bug, you don't even know if this is a software vulnerability. The worst part is that an organization (or an individual) doesn't exactly know what software they are running. If someone is telling you that they have a "software vulnerability management" software that is able to detect all the software running on a system, it's a lie. If such software would exist, you would have the perfect software that would be able to solve the virus detection issue while solving the Turing's halting problem. Just look at a simple software appliance and the set of software required to run the appliance.

Discovering vulnerabilities might be easy but it's difficult to be exhaustive. Even if a vulnerability is found, there is a market to limit their publications (like zero-day vulnerability market). For a named software, there is might be a large set of unknown vulnerabilities (I'm tempted to talk about Java but I think every software might fall into that category). Does this mean that you should give up? I don't think so. You must work on your vulnerability management but don't trust blindly solutions that claim to solve such issue.

Finally, my post is not a bashing post as it was an opportunity for me to talk about a side project I'm working to ease collecting and classifying Common Vulnerabilities and Exposures (CVE). The project is called cve-search and it's not a complete vulnerability management just a small tool to solve partially the identification and the classification part.

“When he time comes to leave, just walk away quietly and don't make any fuss.”– Banksy

infosec security vulnerability

Syndicated 2013-02-23 20:47:26 from AdulauWikiDiary: RecentChanges

2011-12-25 Against SOPA or How To Do Soap

I'm against SOPA... So I'll explain how to make soap with olive oil

One more time, some lobbyists try to regulate the Internet with some of the stupidest laws or rules. SOPA (in US) is again one of this tentative to break down the freedom of citizen worldwide to preserve some archaic business model. As I have a preference for concrete action leading to a direct social improvement, I'll explain how to do soap (it's better than SOPA and more useful, please note the clever inversion of the letters). My soap recipe is released under the public domain dedication license (CC0).

Safety Disclaimer

Doing soap is a chemical process that requires your full operating brain. Especially that you'll use sodium hydroxide that is a corrosive substance. So respect the proportions, the process and read the whole process multiple times before doing it. Wearing protective gloves and goggles is highly recommended. Avoid to use kitchen instruments in aluminum as it will be attacked by the sodium hydroxide.

Background of the chemical process

Doing soap is one of the first chemical process discovered by the humanity. The process is called saponification that is done by using a base to hydrolyze the triglycerides contained in the fats (organic or animal). This process generates a fatty acid salt along with the glycerol (the greasy touch of the soap). Each fat has a specific value for its saponification. The saponification value (usually called SAP in saponification tables) is expressed by the required volume of base (usually sodium hydroxide) to saponify 1 gram of fat. The saponification value is reduced to keep the resulting soap a bit fat (what is called the "excess fat"). I find it even convenient to keep a "safety" bound to ensure that the hydrolyze is complete and used the whole sodium hydroxide.

So that's the basis if you want to build your own soap, there are other rules to consider but for this recipe this is enough. In my case, I use olive oil as a fat. Easy to find and I have a preference for organic olive oil (to ensure that the oil producer is taking care of its environment). But you can use non-organic olive oil too (it's usually cheaper).

Ingredients

• 1000 grams of olive oil
• 124 grams of pure sodium hydroxide / NaOH (as the olive oil has a SAP factor of 0.134 and we want 7% of over fat → run bc and type (1000*0.134)*0.930) (total weight of fat *SAP factor for the fat)*(0.900<->0.960))
• 350 grams of tap water (usually between 31% and 35% of the total fat. In this recipe ~ 1000*0.350)

Process

• Put your protective gloves and goggles
• Prepare the sodium hydroxide by putting the sodium hydroxide in water (!put the sodium hydroxide in water not the reverse!).
• and monitor the temperature of the prepared sodium hydroxide to reach around 46-47 Celcius degree (it will start at 80 Celcius degree with the reaction).
• At the same time, warm the olive oil until 46-47 Celcius degree.
• When both are at the same temperature (around 46-47 Celcius degree),
• you can start to mix (using a mixer speed up the process) the warmed olive oil by incorporating the prepared sodium hydroxide. (!use a large pot to avoid projection of the prepared sodium hydroxide while mixing!).
• When you start to see that the mixture is becoming consistent (especially that you can see a trace while removing the mixer) it means that's you reach the critical point.
• When you have an homogeneous consistence, you can put the result into a plate.
• Put a plastic film into the plate touching the mixture (to avoid oxygen to be in contact with the prepared soap).
• In the next hours, you'll the "gelification process" where the soap is becoming a gel (usually starting from the center).
• After 24 hours, your soap is becoming harder. (see above picture)
• You can can remove it from the plate and cut the forms you want from your block soap.
• And the soap must dry for the next 4 weeks in a dry and clean place. (see above picture)

Tags: soap sopa freedom chemistry diy

Syndicated 2011-12-25 15:29:22 from AdulauWikiDiary: RecentChanges

2011-12-17 Certificate Revocation Reasons 2011

This page is too big to send over RSS.

Syndicated 2011-12-17 12:05:57 (Updated 2011-12-18 17:11:22) from AdulauWikiDiary: RecentChanges

2011-10-02 Try and Vet Tshirt Crypto Challenge Hack.lu2011 The Solution

The Challenge

What Did You Get During Hack.lu 2011?

From the hack.lu website, you got a text message including a message stream. During the conference, you got a t-shirt.

The horrible "Beer Scrunchie" subverted the hack.lu 2011 conference to hide some cryptographic materials. He especially abused the t-shirt for hack.lu 2011 to transmit under cover activities. We still don't know at which extend "Beer Scrunchie" abused the t-shirt. Everything is possible just like those trojan t-shirts discovered...

U2FsdGVkX19EAnHXVRgs2oajPS0zZ3+w8BlYdQbHMTI7GT9gvdgFkjtTarpNAmbz
ET8PRg72U8pydsLr4IaTt5n7fFz6jxyglU1ozZwjJhKAyPAftqxYvcnud4/cOiEV
2FutxaJYCORWsvQV+hi6j8LMqn5aJd7s2nhQ9BWji/ZjMZx/wXJVdCCmNL9HuWx9
q0KV/8nTaxOOEdGwENZT8rgSSb7qy5mcIlIBfdzqYAzynj8xLxHFmptNQfZaO3X0
MAbvS324WDeB3R5p6CaIDLeH95eN8jrqdXaDhxs1SrlJrq5inssTgsEttFUhHEe8
6unUI3i4sDeVvEcajMmxvKg0qQLqEkc56GXKXVuGYc+owEsgKW8JKk8DrfgbQMPy
mbaaN7h1PKjlXTIfkR9KXOMd0wy/KHEoM6FdWY1jjzB2Q9UODxgug6gNXciVpQB6
fpvlzvFkV8z8BfSMcDCo1GM6526hSYYtRF0RS3PoloSPjfvDCNVX86lMjKsx6etc
Wec6u4EuJVDI52dgSr3kslwlfswez4WM+H2cszKCf0xejql/tQsra6QAcj1JhSqD
C6AvtDV31IzLAhHy5Di4T1ONyk68WNU40BIsrNkb3lYFTtWtQeF5Z4DGwpcM9HKg
CbLIe9oiNONgrY+kn5RfkHgUaI/PbUQgWy/U6BkunbuqTuMXwiTeR3eaRwBnGQGJ
KL+w6duxhoZhCa9nrlr3I2Nx2l+bs9JIzp5h2nYIq6yhqAyQ6jE+lpAQk912FE1O
5AuOLW5bhMldPMVMlYlx6w==

Solution

The message on the website gave already some clues especially that:

• You have to look at the t-shirt for some "cryptographic materials".
• "Beer Scrunchies" is the anagram of "Bruce Schneier" and especially that he is the author or co-author of many ciphers http://en.wikipedia.org/wiki/Bruce_Schneier#Cryptographic_algorithms.

If you decode the message encoded in Base64, you'll see that the stream of data in binary is starting in the following way : "Salted__…." That's the behaviour of the OpenSSL? salted encryption scheme prefixing with "Salted__" to announce that the first 8 bytes of the encrypted stream are reserved for the salt. This gives the indication that the message has been probably encrypted with an OpenSSL? tool or library. If you look carefully look at the encryption schemes available in OpenSSL?:

aes-128-cbc    aes-128-ecb    aes-192-cbc    aes-192-ecb    aes-256-cbc    
aes-256-ecb    base64         bf             bf-cbc         bf-cfb         
bf-ecb         bf-ofb         cast           cast-cbc       cast5-cbc      
cast5-cfb      cast5-ecb      cast5-ofb      des            des-cbc        
des-cfb        des-ecb        des-ede        des-ede-cbc    des-ede-cfb    
des-ede-ofb    des-ede3       des-ede3-cbc   des-ede3-cfb   des-ede3-ofb   
des-ofb        des3           desx           rc2            rc2-40-cbc     
rc2-64-cbc     rc2-cbc        rc2-cfb        rc2-ecb        rc2-ofb        
rc4            rc4-40 

There are not so many algorithms written by Bruce Schneier in a default OpenSSL? except Blowfish (bf-*). Usually cryptographer recommends to use the "default" mode and in this case, bf is Blowfish in CBC mode. So this is highly probable…

Where Is The Key?

As you didn't use the t-shirt until now, there is a good guess that the key is hidden somewhere. If you look carefully at the text in the back of the hack.lu 2011 t-shirt, you'll see many typographic errors. The interesting part is to compare the typographic errors from the original text as published by Phrack. Please note the typo in the URL (even if the URL works, doesn't mean that's the correct one ;-).

The original text from Phrack (original.txt)

This is our world now... the world of the electron and the switch, the beauty of the baud.
We make use of a service already existing without paying for what could be dirt-cheap if it
wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call
us criminals. We seek after knowledge... and you call us criminals. We exist without skin
color, without nationality, without religious bias... and you call us criminals. You build
atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe
it's for our own good, yet we're the criminals. Yes, I am a criminal. 
My crime is that of curiosity. My crime is that of judging people by what they say and think, 
not what they look like. My crime is that of outsmarting you, something that you will
never forgive me for. 
I am a hacker, and this is my manifesto. 
You may stop this individual, but you can't stop us all... after all, we're all alike. 


The Conscience of a Hacker, The Mentor, January 8, 1986, 
http://www.phrack.org/issues.html?issue=7&id=3#article 

The text from the hack.lu 2011 t-shirt (modified.txt)

This is our world now... the world of the electron and the swich, the beauty of the baud,
We make use of a service already exeisting without paying for what could be dirt-cheep if it
was'nt run by profofiteering gluttons, and you call us cricriminal. We explore... and you call
us criminals. We seek after knowledge... and you call us criminals. We exist without skin
colo, without nationlity, without rrligious bias... and you call us crimnals. You build
atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe
it's for our own good, yet we're the criminals. yes, I am a criminal.
My crime is that of curiosity. my crime is that of judginfg people by what thy say and think,
not what they look like. my crime is that of outmarting you, something that you will
never forgive me for.
I am a hacker, and this is my manifasto.
you may stop this individul, but you can't stop us all... after all, we're all alike.


The Conscience of a Hacker, The Mentor, January 8, 1986, 
http://www.phrack.org/issues.html?issue=7$id=3#article 

So you can build a key from the differences but how? That's the most difficult part (as there are many different way to do it). As there is no natural way to generate a key, I decided to go for a long key that can be read easily from the original text. To build back the key from original to modified you can use word diff and use your favorite GNU tools for word diff. We just discarded the punctuation and we didn't care about the case sensitivity.

wdiff -i -3 original.txt modified.txt | egrep -o "(\[-(.*)-\])" | sed -e "s/-//g" | sed -e "s/\[//g" | sed -e "s/\]//" | sed -e "s/\.$//g" | sed -e "s/,//g" 
| sed ':a;N;$!ba;s/\n//g'

The key to decrypt the message generated from the above wdiff is the following:

switchbaudexistingdirtcheapwasn'tprofiteeringcriminalscolornationalityreligiouscriminalsjudgingtheyoutsmartingmanifestoindividualhttp://www.phrack.org/issues.html?issue=7&id=3#article

and to decrypt the message, you'll need to use OpenSSL? in the following way used the guessed parameters:

openssl enc -d -a -bf -in encrypted.txt -out decrypted.txt 

and the original decrypted message is:

I'm Beer Scrunchie and I'm the author or co-author of various block ciphers, pseudo-random number generators and stream ciphers.

In 2012, there will be two major events: the proclamation of a winner for the NIST hash function competition and probably the hack.lu 2012 infosec conference
.

I hope that my Skein hash function will be the winner.

If you are reading this text and be the first to submit to tvtc@hack.lu, you just won a hack.lu ticket for next year. If I'm winning the NIST competition wit
h my hashing function,
you'll get a second free ticket...

Bruce

I got one correct answer 5 days after the conference showing that the difficulty to get back the key was bound to the uncertainty of the key generation. Next year, it's possible that we make a multi-stage t-shirt challenge for hack.lu 2012… from something more easy to something very difficult.

Tags: crypto infosec ctf conference hacklu

Syndicated 2011-10-02 11:48:07 from AdulauWikiDiary: RecentChanges