gusted - Network

cryptographyMe: Sees a new eprint paper on iacr that describes a new AEAD with reasonably good properties, more importantly it uses...

cryptography

Me: Sees a new eprint paper on iacr that describes a new AEAD with reasonably good properties, more importantly it uses widely-available cryptography primitives.

Paper: Yes, we have source code, check the supplementary material appendix.

Paper: No source code in the supplementary material.

Me: Still trying to implement the AEAD from the specification in the paper, but ambiguity in the wording and lack of implementation details makes it difficult to actually implement it from the paper and even impossible if implemented correctly.

*2 weeks later*

IACR: Hello, new revision of this paper. Now with a link to the source code on Github!

Github project: No licence.

Me: Trying to stay sane, merely wants to implement a new AEAD.

The story of https://github.com/MichielVerbauwhede/ChaCha20-Poly1305-PSIV/issues/1

@fnetX and ashimokawa are still confused that I actually exist.

@fnetX and ashimokawa are still confused that I actually exist.

@linus yup, a penguin.

@linus yup, a penguin.

@shebang and @domi invested money into Forgejo LLM. (I am pretty sure I got bribed without knowing it)

@shebang and @domi invested money into Forgejo LLM. (I am pretty sure I got bribed without knowing it)

@n0toose is still in shock of meeting me.

@n0toose is still in shock of meeting me.

I have met way too many awesome people at fosdem today.#fosdem

I have met way too many awesome people at fosdem today.

#fosdem

In case you are interested in checking* if your Go project that uses an x/crypto/ssh server is vulnerable to CVE-2024-45337...

In case you are interested in checking* if your Go project that uses an x/crypto/ssh server is vulnerable to CVE-2024-45337 (https://pkg.go.dev/vuln/GO-2024-3321), I wrote a small Go tool to exploit this: https://codeberg.org/Gusted/CVE-2024-45337

* This is not automated; you would need to check if the spoofing actually worked depending on the output you received.

#CVE_2024_45337 #go #exploit

I've written another Linux kernel module (my second one, and counting) for the YubiKey 5. It acts as a driver for the yubikey, so it can...

I've written another Linux kernel module (my second one, and counting) for the YubiKey 5. It acts as a driver for the yubikey, so it can be used as a hardware RNG provider for the Linux kernel. It uses the OpenPGP application that's available on the yubikey to generate random bytes, which are then mixed into the entropy pool of the kernel. It also automatically mixes new generated bytes into the pool after the kernel reseeds (behavior of the hw_random framework). Now you can even feel more secure about using /dev/(u)random.

Source code: https://codeberg.org/Gusted/yk5-random

For, what I assume, security reasons, the yubikey's LED stays on because the driver uses the CCID interface, which is quite distracting.

#security #yubikey

Oh no! a wild security feature for @forgejo has appeared that even Github doesn't have!...

Oh no! a wild security feature for @forgejo has appeared that even Github doesn't have! https://codeberg.org/forgejo/forgejo/pulls/4662

#forgejo

Of all the audio formats, I did not expect FLAC to be the one that can have different sample rates between audio frames. FWIW: VLC did not...

Of all the audio formats, I did not expect FLAC to be the one that can have different sample rates between audio frames. FWIW: VLC did not expect this either because it stops playing when the sample rate changes mpv does handle this correctly, although it falsely advertises that the audio file has a total duration (which it does not).

After long delaying to pursue more advanced assembly coding, I finally hit the nail on the head and understood and used AVX(2) instructions...

After long delaying to pursue more advanced assembly coding, I finally hit the nail on the head and understood and used AVX(2) instructions and made a crypto primitive 8 times faster than it was implemented in Go. No AVX512 yet, because I don't have a recent CPU for that :/ Really wild to think differently about how data is passed and how to deal with it with vector instructions. There's no rotate instruction, so you have to implement that yourself D:

Timezones are funky, but they are full of useful information! This will be a nice addition,...

Timezones are funky, but they are full of useful information! This will be a nice addition, https://time.gusted.xyz/Canada/Newfoundland

#timezones

That's on official record, @Codeberg approves the deprecation of Microsoft SQL Server in...

That's on official record, @Codeberg approves the deprecation of Microsoft SQL Server in #forgejo

https://codeberg.org/forgejo/forgejo/pulls/3041#issuecomment-1733802 (don't look too close at me forgetting to make the PR against the stable branch)

Forgot to add, couldn't find any open source alternatives. Hence why I spend time on this.

Forgot to add, couldn't find any open source alternatives. Hence why I spend time on this.

It feels so simple, yet I spent several days on it and surprisingly learned a lot of time-related things (not just synchronization). I feel...

It feels so simple, yet I spent several days on it and surprisingly learned a lot of time-related things (not just synchronization). I feel like adding more (perhaps caused by the proprietary alternatives out there), but I should also consider just leaving this very simple and not adding ridiculous (but cool) features.

https://time.gusted.xyz/

#go #timesynchronization #ntp

I've got to the point where I start writing more documentation than code when starting a new project. Which I find quite impressive as I...

I've got to the point where I start writing more documentation than code when starting a new project. Which I find quite impressive as I already did so much writing the last few weeks 😞.

I did a key recovery byte-by-byte by hand, I wasted 20 minutes of my time, but it was worth the time to break something. It involved a lot...

I did a key recovery byte-by-byte by hand, I wasted 20 minutes of my time, but it was worth the time to break something. It involved a lot of xor'ing. Guessing the next byte of the key based on a few ciphertexts that were encrypted with the key is harder than it looks. Simply checking that the decrypted values were ascii did not work, because there were too many false positives.

Just produced my own MD4 collision!m1:...

Just produced my own MD4 collision!

m1: a267a1fa9b30f28776cb51dbf54e6986a25acabd15d1bfe780288fa28bba6098a8e8997f6cd83b16275e7c6c782f6c6f80cc97095dcb7feb18ad341e0c2e914d

m2: a267a1fa9b30f20776cb514bf54e6986a25acabd15d1bfe780288fa28bba6098a8e8997f6cd83b16275e7c6c782f6c6f80cc96095dcb7feb18ad341e0c2e914d

Yes there's a difference. (zero-indexed): 14, 22 and 101

Verify with https://emn178.github.io/online-tools/md4.html?input_type=hex

Interesting way to learn a new programming language by implementing a crypto cipher. The standard library was quite helpful to learn some...

Interesting way to learn a new programming language by implementing a crypto cipher. The standard library was quite helpful to learn some best practices.

https://codeberg.org/Gusted/hare-ascon

#hare #harelang #ascon

Context: this was the first story by the invited guest on the Deviant episode of the Darknet Diaries podcast.

Context: this was the first story by the invited guest on the Deviant episode of the Darknet Diaries podcast.