May 5, 2017
On Thursday of this week (May 4, 2017) I released a mail client. It's pretty humble, but I've been using it for a decade and so it was worth it to me to iron out a handful of bugs and make it good enough for other people to use. Currently it won't be much use to you if you run Windows, Mac OSX, don't run your own mail server, or don't understand what fetchmail is*. But those things are fixable and I intend to fix them in the months to come. That means this blog post doesn't have to cater to end users, so I won't attempt to. This blog post will be about how I came to write a mail client and why it makes sense in 2017.
* The wording of that sentence was pretty bad so I'll reverse it. BikeIM-0.5 is usable to you if you run Postfix, if you run Dovecot, if you run OpenSMTPD, if you run fetchmail, if you use GnuPG, if you use Mutt, if you run Linux or *BSD, if you use Git, and understand how to report bugs.Read more »
Nov 3, 2016
I spent a little time in the past week porting one of my blogs to Python using Django. If the website looks similar to these four blogs, it's because they are all the same codebase with a handful of tweaks to make it possible to unify them with my other blogs and journals. While they aren't all ported yet, I thought I'd write a quick blog to explain things. For a decade and a half, I've been blogging on a PHP website I wrote in 2002 for Javantea's Fate and improved over time. In 2011, I wrote a blog in Python with Django for my trip to Brasil. When I went to Mexico, I copied the blog and created a second database. When I bought j4va.com for fun and profit (not really), I first put up a copy of java.com with some interesting things in its place. Then when I wanted to turn it into a blog, I copied the Brasil blog and made a third database. Now that I finally want to unify my blogs, it makes perfect sense to simply use the same thing, but copy all the data from the all the blogs into a single database. It's so well-written, that I didn't really need a really bad intro page anymore. So now AltSci.com goes to that unified blog interface. There's a lot of logic that makes it happen, but I'll leave that unsaid.
Of all my travels, only one trip is not available on my unified blog. I decided to use MediaWiki for my Europe Blog and spammers destroyed that blog, so I don't have easy access to the data. Eventually I'll grab the data and post it to this blog. For now, the pictures and videos will do. You have to click on the videos to get them.Read more »
Dec 21, 2015
A certain game reminded me of a cryptography trick that I learned years ago and haven't had the opportunity to share. First, let's talk substitution ciphers. I'll give two challenges, one with spaces and one without.
GZKH YOQU TKP QY QB BKOB Q OATOPY KOWE BZ TXQBE O AZHF QHBXZUSCBQZH TKEHEWEX QV BXPQHF BZ ENJAOQH YZVEBKQHF YQVJAE COHB JEZJAE GSYB YBOXB XEOUQHF TKEXE VP VQHU YBOXBY TXQBQHF
PKCCAMSVCNSLADUYDUCLQUFDTCAFZSGDPFNTFSCCNXSTFKGDTXADUMM SKLSMPODUCLXSFVKPFFZSJNMPFVKMKXMKVZXNISFZSMSPFDJFZSODMC LKYZKTYSOMNFSKJSOPSTFSTYSPFDLSPYMNQSOZKFADUKMSOMNFNTXKQ DUFJNMPFBDZT
The trick for the first one is to look at the list of possible two-letter words. Here is the top 101 words in order of occurrence in AI3.
There are plenty of two letter words in both challenges, so it should be fairly straightforward how to solve those. Once you've tried values for the two letter words, see what substituting the rest of the characters does to other words. You might find obvious words. If you have a dictionary on your system, you can use grep to find a word automatically. If you have the AI3 wordlist, you automatically get the results in order of likeliness which improves the search many times. It also contains words that a normal dictionary doesn't have.Read more »
April 8-10, 2015
In this very basic cryptography exercise, I have written a simple test of the quality of a cipher. For RC4 and stream ciphers, we can encrypt
\x00\x00\x00\x00 to get the first four bytes of the keystream. I do this for the first 1048576 keys (assuming big endian and 64-bit keys) with RC4. Then I find out how many random keys I have to try before I find the same first four keystream bytes. I do this 1024 times. The data shows that this is around 4 million keys.
For block ciphers like AES, we have to do it slightly differently, but the concept is the exact same. I encrypt "GET / HTTP/1.1\r\n" which happens to be 16 bytes, the exactly correct size to fit in a single block of AES plaintext. I store the first four bytes of the ciphertext for the first 1048576 keys (same assumption as above but 128-bit keys). Then I do the same with random keys and I compare the first four bytes of the ciphertext against the first four bytes of the 1048576 partial ciphertexts. I find out how many random keys I have to try before I find the same first four ciphertext bytes. I do this 1024 times. The data shows that this is around 3 million keys. As you can clearly see, this is far smaller than RC4 (which is known to be vulnerable to many attacks).Update
To test whether the problem is in AES or RC4, I used my system's random number generator (Linux /dev/urandom) to generate random bytes of keystream and tested how many attempts it would take to collide 1024 times. It took on the order of 4 million. This proves that the issue is either in AES or in RC4 and my system's random number generator. Since my system's random number generator is as good a source of entropy as I have, I must conclude that there is no issue with RC4 and that there is an issue with AES.Read more »