I am currently without a phone and would appreciate a speedy reply.

I have been a Verizon Wireless customer for over 5 years and my monthly bill easily averages over $200 during that time frame.  While I love your network, I have been completely unsatisfied by your selection of phones.  It is a stretch to say that my last phone worked—it had a feature called a battery that allowed me to switch from the car charger to my office charger without dying.  And I waited—under duress—until I was allowed to purchase a new phone with the discount.

My current phone has a wonderful battery life, but this is the 4th time the charger has snapped off in the phone.  The phone is fine, but I keep paying $30 for new chargers.  I refuse to purchase another or wait until February when I will be eligible for a new phone.  You sold a phone with a design flaw, and I’m not even asking for a refund or a free phone.  Just allow me to take a chance on a new one at the 2 year contract renewal rate. 

If not, I will gladly pay the early termination fee and leave Verizon.  On general principle, I will spend more money canceling my account with you than I would likely receive as a discount on a new phone.  As a customer, I consider it unacceptable that you sell inferior phones and leave me with no recourse.

The first time I waited haplessly to become eligible for a new phone.  I will not suffer a second time.  If you don’t like the fact that you will end up losing money by allowing me to purchase a new phone early, I suggest you take it up your vendors who supply you with awful products.  I can promise you that we will both lose more money if you don’t.

Sincerely,

Eric Marvets

The videos I did were part of the “How Do I” series, and not exactly the place to explain why it was appropriate to use SHA1.  But for those of you looking to understand the why behind the example, I’ll take a few minutes to explain it.

What exactly is SHA1?

SHA1 is a hashing algorithm, also known as a one way function.  A one way function is where given any value of x, it is easy to find f(x), but given f(x) it is unrealistic to find x.  One way functions allow us to take a ‘fingerprint’ of data without storing the data itself. In a password scheme, instead of storing a user’s password (x) we instead store a hash of the password (f(x)).  Later when the user wants to login, he again supplies a password which we hash and compare against our stored value.

It’s also useful for ensuring the integrity of data.  When a message is sent over an unsecured channel, a hash of the message can also be used to check the message once it reaches its destination.  If the message does not match the hash, then we assume it was modified in transit.

Designed Strength of SHA1

When we hash data, the range of values for x is infinite.  The hash on the other hand is a fixed size.  Therefore, for each value in the range of our hash, there are an infinite number of possible values for x. 

This range of possible values determines the odds of guessing a value x to match a known value f(x).  If the size of the hash value was 2¹, there would be a 50/50 chance that the valued guessed would match our known f(x).  That’s why SHA1 utilizes a very large hash size of 2160.  To put that in perspective, the Earth is composed of 2170 atoms.  It’s computationally unrealistic that anyone would be able to beat those one in 2160 odds to find a value x which matches our known value f(x) (with today’s technology).

The Birthday Paradox

Some of you may be asking yourself, “but I read on Wikipedia that SHA1 has a strength of 280?”  This is true, but to understand why, we will first look at the birthday paradox. 

How many people must be in a room before the odds are even that one of them shares your birthday? 

How many people must be in a room before the odds are even that two of them share the same birthday?

In the first question, we are looking to match a specific value, while in the second we were just looking for any 2 matches.  The answers are 253 and 23.  The reason for the difference is that between the 23 people, there are 253 unique combinations.  In one way functions, this is the difference between finding what we call a pre-image value versus a collision.

The reason we say the strength of SHA1 is 280, is because we are talking about finding collisions (any two values for x with the same f(x)).  When we are hashing passwords, we are asking the person logging in to match a specific f(x), and the strength of SHA1 in that situation would be 2160.

The Current Strength of SHA1

The analysis of SHA1 shows that collisions were found in 263.  It’s now becoming computationally feasible to find two values of x that match an f(x).  It’s still short of being probable that those two matches found would allow an attacker to compromise an encryption system, but the worry is that SHA1’s strength will continue to decline. 

Until the strength of SHA1 drops to 240, it is still a valid way to protect against pre-image attacks. 

Why Did I Choose SHA1?

In addition to SHA1 being secure in the example, there were a couple of other reasons I choose to use it instead of something like SHA256 (2256).  The first reason was that in the example, I was showing how to modify an existing application, by simply changing the value in the password field from a password to the base64 string representation of the hash, which is 28 characters in length (for SHA256, it would be 44 characters).  If the database allowed passwords that size, then it’s trivial to add support for hashing.

The other reason is that there are far easier ways of attacking a password field than targeting SHA1.  An offline dictionary attack against the users’ passwords is several orders of magnitude easier.  SHA1 protects the hash against brute force attacks.  It does nothing to protect a user who chooses a poor password.

A system is only as strong as its weakest link. 

-Eric Marvets

They give awards in the following categories:

·         Best Server-Side Bug

·         Best Client-Side Bug

·         Mass 0wnage

·         Most Innovative Research

·         Lamest Vendor Response

·         Most Overhyped Bug

·         Best Song

I thought about it for a minute, and decided I rather buy a new one rather than sit around and wait on them for two months.  First though, I looked around online for a fix and saw that quite a few people were having the same problem.  Everyone had an opinion on what the problem was and what to do about it, so I decided to do a couple of things: replace the thermal compound on the CPU and GPU and extend the fan shroud over the GPU using cardboard from a cereal box wrapped in aluminum foil and attached to the existing fan shroud.

That fix worked like a champ until today, when the rear fan on the GPU completely died.  I don’t know if it started to fail 2 days ago and finally quit, or if the fan controller is cutting the fan off intermittently.  I have a plan to fix it either way though.  I ordered a replacement Talismoon fan from llama.com and found a spot on the board to solder it to, which will circumvent the variable speed fan controller. 

The replacement fans are supposedly quitter, but they will be moving from a 5V variable speed controller to a 12V power source.  I hope it ends up with about the same noise profile, but at least I’ll have a functioning XBOX when Halo 3 is released in a few weeks.

It was perfect, on the other side of the tracks was the old highway (which I knew the hotel was on) running parallel to it.  I was almost back to the hotel when I noticed a Lexus lying very awkwardly in a ditch.  At first, I thought it was a runaway car that crashed.  It could only be seen from the tracks and I began to worry that someone might be in there and that no one had found them.  I was relieved to discover no one in the car, and came to the conclusion that it was probably stolen and ditched.  I decided to call 911 to let them know of its location, so the expensive car could be reclaimed.

I could not imagine that it would have taken 10 minutes for me to explain where I was, but it did.

The problem was I didn’t have an address.  All I knew was the exit number off the highway, the name of the hotel, and that I was 150 yards south of the building on a set of railroad tracks.  None of this information seemed good enough.  As I talked to her on the phone I was walking back to the hotel, and I finally gave her its address, and that seemed fit into their system.

It made me think of a situation that happened to a friend of mine in 2000.  An elderly woman made an improper left hand turn and he hit her doing close to 50 mph.  He called 911, told them he had been in an accident, the road he was on, and the building he was in front of.  The last thing he remembered before passing out was the operator telling him she needed an address. 

It wasn’t until another passerby called 911, that an ambulance finally arrived. 

The 911 system failed in both of these situations because it could not deal with what they deemed imperfect information.  The process needs to allow for partial information to be passed on in case the 911 operator cannot quickly and efficiently pin point a location.  I know our rescue services study and memorize their coverage area in order to respond as quickly as possible. 

If the 911 operator doesn’t know where the rail road tracks 150 yards south of the Holiday Inn on exit 11 off of I-85 is, I know the police, fire, or EMS workers will.

I changed the presentation slightly and am trying to turn it into a dnrTV episode with Cark Franklin (who will also be in attendance).  Hope to see you there.

-Eric Marvets

I plan on posting about explosives and how they were used in the terrorist attacks tomorrow, but in the mean time, I thought it would be fun to share some of the lessons I learned as a child through trial and error.  First off, a word of warning:   

Do not try any of this at home.  The experiments were done by an idiot.  None of it is legal.  I’m lucky to have my fingers and some of the hair I lost never grew back.  Scar tissue isn’t as strong as regular tissue.

I remember one of the first little experiments I did as a kid involved the lawn mower’s gas can.  Several attempts to use gasoline to replicate those awe inspiring car explosions from action movies failed time and time again.  The only result I could get was a simple fire that often proved difficult to put out. 

It’s kind of funny the safety controls I employed at age 12.  My love of danger was superseded by my desire to live and stay out of trouble.  For example, one of the first things I learned was remote detonation systems.  The first one I employed was a catapult, built from popsicle sticks, a metal spoon, and rubber bands which could launch a cotton ball soaked in alcohol 20 ft.  The catapult itself could even be operated remotely by using a piece of dental floss to release the firing pin.  The way I figured it, I could open a flame a safe distance from my explosive, run to my makeshift bomb shelter (a foxhole), launch the catapult, and wait for the explosion.  My ignition systems advanced over the years to electrical (steel wool, 9V batteries, and phone cord), 12 gauge shotgun shells minus the lead shot, and tracer rounds (regular bullets do nothing, you need an incendiary round). 

My experiments always started with small trial runs. The simple process I employed had numerous benefits, such as teaching me how to construct proper firebreaks, that gravel roads don’t burn but they do throw significant amounts of shrapnel, and why the military loves foxholes.

The first time I got an explosion occurred by accident.  I was very disappointed after another failed experiment.  As I sat there next to an empty gas can waiting for a fire to go out, I was playing with strike anywhere matches on the empty gas can when to my surprise it exploded and launched itself to the other side of the field.  I lost all the hair on my knuckles and had now had a mystery to solve.

I can’t imagine what my dad must have thought when I started asking all these questions, but he explained to me how a combustion engine works.  Either a carburetor or fuel injection systems mix gasoline with oxygen to form a gas which is ignited by a spark plug at specific intervals to propel a car.  He also explained that if a car’s gas tank could explode then it would not be safe to drive.  Without being properly mixed with an oxidant, gasoline does not detonate, but rather it deflagrates, or burns.

Experimenting with a car battery charger, a glass beaker, some balloons, and water was also a source of immense fun.  At the time, I hadn’t taken any chemistry classes and thought I was collecting pure hydrogen in my balloons.  In my mind, I was making mini-Hindenburg’s.  I would take them out to my fort and blow them up.  Those made some nice explosions.  It wasn’t until a later experiment that I learned I was collecting oxygen in addition to hydrogen through electrolysis.

That later experiment occurred when I discovered dad’s acetylene tanks (he’s a jeweler and has a torch for soldering). At first I was disappointed.  Balloons filled with only acetylene barely did anything.  But then I found that if I mixed in some pure oxygen from the other tank in a 2:1 ratio of oxygen to acetylene, you could produce an explosion with a shock wave that could be felt from 50 ft. away.  It literally sounded like a stick of TNT. 

Over the years I grew more and more brave.  I don’t know what my poor parents must have thought.  At age 15, I printed off an anarchist cookbook and unintentionally left before it was done printing.  The printer was simply out of paper, and later that night when dad put some more in, out popped a page on making napalm from gasoline and styrofoam.  They have also never asked me how the metal window screen in my room melted in one corner.  I don’t know how I would have told them it was due to a freak accident when I was making my first accurate time delay fuse using slow burning gunpowder, cardboard strips that were coiled and soaked in wax, and a tuna can.

Looking back at some of the stuff I did from age 10 to 16, I would have made an excellent engineer, scientist, or lawyer.  I built all kinds of things, always figured out how they worked, and argued my way out things that get people sent to Guantanamo :)

This all goes back to the simple fact that all DRM is based on encryption, and that it’s illogical to give someone the decryption key that is required to enable what the media industry views as authorized behavior (media playback) without expecting someone else to utilize that decryption key for other behavior, such as making Fair Use backups or sharing it on a P2P network. 

Encryption is defined as the science and study of secret writing.  What is it that the media industry is trying to keep secret?  While we may want I Now Pronounce You Chuck and Larry and Who’s Your Caddy to be some sort of secret internal referendum on the crap the entertainment industry regularly produces, we have to assume from their actions (theater release inevitably followed by mass DVD production) that they are proud of their works and wish to share them with the entire world.

They worried about piracy with VHS, and it turns out that may have in fact saved Disney and launched an entire consumer market for home video.  They worried about it with DVD’s, which have brought in billions of dollars to the media industry despite the fact that CSS was broken in 1999.  Their fear and illogical behavior impedes and irritates their consumers while having absolutely no effect on the spread of piracy (which they could easily defeat should they ever focus on the simple economics and technology of the pirating industry).

I would be happier if the media industry and the TSA were sadistic rather than incompetent.  It would be comical to see these two groups meeting for the first time over drinks trying to one up each other:

“We made a list comprised of thousands of names.  If you fly and your name is even remotely similar to one on the list, we do extra searches…every time you fly….over and over again.  The kicker is we let anyone with Photoshop and a printer board under any name they want.”

“Oh yeah, well we sell malleable $.05 pieces of plastic for $20 and when it gets scratched or stolen, we force them to buy a new one because we don’t allow them to make backups.  Even though anyone with technical skillz can download the same thing for free.”

“Oh yeah, well we found a way to make people who can’t even change at the gym without flip flops walk around barefoot in public.  We tell them we’re screening for bombs and they just go with it.  The terrorist can still strap whatever they need to their leg, just not their shoes.”

“We installed rootkits on people’s PC without their knowledge.”

 “We banned water and baby food.”

 “We sue the people who love our products the most.”

“We detain babies.”

“We…damn you!  Stop playing the baby card, that’s not fair!”

I still encourage you to send me comments via the contact form.  I will now edit posts to include any comments I receive.  If you need to send me a link, do not format it as HTML and leave off the “http://” (those message will get blocked).  I will format it correctly when it's posted.

Thanks,

Eric Marvets

During the presentation, we’ll quickly cover some high level encryption basics (asymmetric, symmetric, and one way hashes), but will spend most of our time dealing with symmetric encryption; namely how and why you configure a symmetric algorithm to encrypt the data (ECB vs. CBC).  By the end of the session, you’ll finally understand what an initialization vector (IV) is used for and the proper way to create and store it.

Don’t worry if you don’t understand what half of that meant.  I’ll be sure to explain everything as we go along. 

You can also find a fair amount of the content from the presentation here in an article I wrote a while back.