
Category Archives: Security

Sufficient Paranoia

With all the recent revelations about the NSA violating United States citizens' Fourth Amendment rights with their warrantless wiretapping, and now the news of Silk Road being taken down, and the NSA trying to crack Tor (it won't happen; I trust the mathematics), I thought now would be a good time to discuss the concept […]

Identification Versus Authentication

Recently, Apple announced and released the iPhone 5S. Part of the hardware specifications on the phone is a new fingerprint scanner, coupled with their TouchID software. Immediately upon the announcement, I wondered how they would utilize the fingerprint. It is unfortunate, but not surprising, that they are using your fingerprint incorrectly. To understand how, we […]

The NSA and Number Stations- An Historical Perspective

With all the latest news about PRISM and the United States government violating citizens' Fourth Amendment rights, I figured I would throw in a blog post about it. However, I'm not going to add anything really new about how to subvert the warrantless government spying. Instead, I figured I would throw in an historical perspective […]

OpenSSH Keys and The Drunken Bishop

Introduction Have you ever wondered what the "randomart" or "visual fingerprint" is all about when creating OpenSSH keys or connecting to OpenSSH servers? Surely, you've seen them. When generating a key on OpenSSH version 5.1 or later, you will see something like this: $ ssh-keygen -f test-rsa Generating public/private rsa key pair. Enter passphrase (empty […]
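As an added example, not code from the original post or from OpenSSH itself, here is the "drunken bishop" walk that turns a fingerprint into that picture, written in Python to follow the algorithm in OpenSSH's sshkey.c. The sample public key at the bottom is constructed (its 32 key bytes are simply 0..31), and the exact header text is an assumption: OpenSSH 5.1 printed `+--[ RSA 2048]----+`, while current releases also label the hash in the footer; the board itself is computed the same way.

```python
"""Render OpenSSH-style "randomart" from a key fingerprint (the drunken bishop walk).

Added example: not code from the original post or from OpenSSH, but it follows
the walk in OpenSSH's sshkey.c. A bishop starts in the centre of a 17x9 board;
each fingerprint byte is consumed two bits at a time (least significant pair
first); each pair moves the bishop one square diagonally (bit 0: right/left,
bit 1: down/up); moves past an edge are clamped; and each square counts how
often it was stepped on. 'S' marks the start square, 'E' the end square.
"""
import base64
import hashlib
import struct

FLD_X, FLD_Y = 17, 9                 # board size: FLDBASE*2+1 by FLDBASE+1 in sshkey.c
SYMBOLS = " .o+=*BOX@%&#/^SE"         # visit count -> glyph; the last two are start/end markers
MAX = len(SYMBOLS) - 1               # 16


def walk(digest: bytes) -> list[list[int]]:
    """Return the board as field[x][y] visit counts, with start/end marked."""
    field = [[0] * FLD_Y for _ in range(FLD_X)]
    x, y = FLD_X // 2, FLD_Y // 2    # start in the centre: (8, 4)
    for byte in digest:
        for _ in range(4):           # four 2-bit moves per byte
            x += 1 if byte & 0x1 else -1
            y += 1 if byte & 0x2 else -1
            x = min(max(x, 0), FLD_X - 1)   # bump into the walls instead of leaving the board
            y = min(max(y, 0), FLD_Y - 1)
            if field[x][y] < MAX - 2:       # counts saturate below the S/E markers
                field[x][y] += 1
            byte >>= 2
    field[FLD_X // 2][FLD_Y // 2] = MAX - 1  # 'S'
    field[x][y] = MAX                        # 'E' (overwrites 'S' if the walk ends at home)
    return field


def render(digest: bytes, title: str = "") -> list[str]:
    """Return the framed picture as a list of lines, like ssh-keygen prints it.

    Header text is the 5.1-era layout (an assumption; newer releases differ)."""
    field = walk(digest)
    header = ("+--[" + title + "]").ljust(FLD_X + 1, "-") + "+"
    rows = ["|" + "".join(SYMBOLS[min(field[x][y], MAX)] for x in range(FLD_X)) + "|"
            for y in range(FLD_Y)]
    footer = "+" + "-" * FLD_X + "+"
    return [header, *rows, footer]


def fingerprint_digest(pubkey_line: str, algorithm: str = "sha256") -> bytes:
    """Hash the base64 key blob of an authorized_keys-style line.

    OpenSSH 5.1 fed the MD5 fingerprint (16 bytes) into the walk; current
    releases use SHA-256 (32 bytes) by default."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return hashlib.new(algorithm, blob).digest()


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample, not a real key: an ed25519 blob whose 32 key bytes are 0..31.
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
).decode() + " constructed@example"

if __name__ == "__main__":
    print("\n".join(render(fingerprint_digest(SAMPLE_PUBKEY), "ED25519 256")))
```

Because the walk is deterministic and clamped, two fingerprints that differ only in a few bytes can still produce pictures that look alike near the edges; the picture is a memory aid for spotting a changed host key, not a replacement for comparing the full fingerprint.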

Strengthen Your Private Encrypted SSH Keys

Recently, on Hacker News, a post came through about improving the security of your encrypted private OpenSSH keys. I want to re-blog that post here (I'm actually jealous he blogged it first), in my own words, and provide a script at the end that will automate the process for you. First off, Martin goes into […]

Password Attacks, Part III- The Combination Attack

Introduction It's important to understand that most password attacks against offline databases that store only hashes are extensions of either the brute force attack or the dictionary attack, or a hybrid of the two. There isn't really anything new outside of those two basic attacks. The combination attack is one such attack […]

Password Attacks, Part II - The Dictionary Attack

Introduction Before we start delving into the obscure attacks, it probably makes the most sense to get introduced to the most common attacks. The dictionary attack is one such attack. Previously we talked about the brute force attack, which is highly inefficient, exceptionally slow, and expensive to run. Here, we'll introduce a much more […]

Password Attacks, Part I - The Brute Force Attack

Introduction Those who follow my blog know I have blogged about password security in the past. No matter how you spin it, how you argue it, or what your opinions on password security are: if you don't think entropy matters, think again. Entropy is everything. Now, I've blogged about entropy from […]
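The three password attack posts listed above (brute force, dictionary, combination) all reduce to one loop: generate candidates, hash each one, look the hash up in the stolen set. The following is an added example, not code from those posts: the "leaked" hash set and the wordlists are constructed inline, and the hash is assumed to be unsalted SHA-256, a fast hash, which is exactly what makes one candidate cheap to test against every account at once. The three candidate generators differ only in the keyspace they walk, which is why the entropy of a password decides which of them can reach it.

```python
"""Brute force, dictionary and combination attacks against leaked, unsalted
SHA-256 password hashes.

Added example, not code from the original posts. The "leaked" hash set and the
wordlists are constructed inline so the block runs offline; the hash is assumed
to be a fast, unsalted one, which is what makes these attacks cheap.
"""
import hashlib
import itertools
import math
import string
from collections.abc import Iterable, Iterator


def sha256_hex(candidate: str) -> str:
    return hashlib.sha256(candidate.encode()).hexdigest()


# Constructed leak: five accounts with fast, unsalted hashes. Unsalted means one
# candidate hash is compared against every account at the same time.
LEAKED = {
    "alice": sha256_hex("cat"),             # short: reachable by brute force
    "bob": sha256_hex("sunshine"),          # a single dictionary word
    "carol": sha256_hex("correcthorse"),    # two dictionary words joined
    "dave": sha256_hex("correct-horse"),    # two words with a separator
    "erin": sha256_hex("Zq!7x"),            # outside every keyspace tried below
}
TARGETS = set(LEAKED.values())

ALPHABET = string.ascii_lowercase + string.digits
WORDS = ["password", "123456", "sunshine", "correct", "horse", "battery", "staple"]


def crack(targets: set[str], candidates: Iterable[str]) -> tuple[dict[str, str], int]:
    """Hash each candidate and look it up in the target set.

    Returns (found: hash -> plaintext, number of candidates hashed). Stops early
    only once every target has been recovered."""
    remaining = set(targets)
    found: dict[str, str] = {}
    tried = 0
    for cand in candidates:
        tried += 1
        h = sha256_hex(cand)
        if h in remaining:
            found[h] = cand
            remaining.discard(h)
            if not remaining:
                break
    return found, tried


def brute_force(alphabet: str, max_len: int) -> Iterator[str]:
    """Every string over `alphabet` of length 1..max_len; keyspace is sum(|A|**n)."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            yield "".join(tup)


def dictionary(words: Iterable[str]) -> Iterator[str]:
    """Each wordlist entry as-is (rule-based mangling would be layered here)."""
    yield from words


def combination(words_a: Iterable[str], words_b: Iterable[str],
                separators: Iterable[str] = ("",)) -> Iterator[str]:
    """Every a+sep+b pair: a dictionary attack whose keyspace is |A|*|B|*|seps|."""
    for a, b, sep in itertools.product(list(words_a), list(words_b), list(separators)):
        yield a + sep + b


def keyspace_bits(alphabet_size: int, max_len: int) -> float:
    """Entropy of the brute-force search space, in bits."""
    return math.log2(sum(alphabet_size ** n for n in range(1, max_len + 1)))


if __name__ == "__main__":
    for name, cands in [
        ("brute force", brute_force(ALPHABET, 3)),
        ("dictionary", dictionary(WORDS)),
        ("combination", combination(WORDS, WORDS, ("", "-"))),
    ]:
        found, tried = crack(TARGETS, cands)
        hits = sorted(user for user, h in LEAKED.items() if h in found)
        print(f"{name:12s} {tried:6d} candidates -> {hits}")
    print(f"brute force keyspace: {keyspace_bits(len(ALPHABET), 3):.1f} bits")
```

Run as-is, the brute force walks all 47,988 strings of up to three lowercase letters and digits (about 15.6 bits) and recovers only "cat"; seven dictionary words recover "sunshine"; ninety-eight word pairs recover both "correcthorse" and "correct-horse". The fifth hash is never recovered because its password lies outside every keyspace tried, which is the entropy argument in miniature. A salted, deliberately slow hash (bcrypt, scrypt, Argon2) does not change which keyspace contains the password, but it forces the attacker to pay the full hashing cost per account rather than once per candidate.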

Create Your Own Graphical Web Of Trust- Updated

A couple years ago, I wrote about how you can create a graphical representation of your OpenPGP Web of Trust. It's funny how I've been keeping mine up-to-date for these past couple years as I attend keysigning parties, without really thinking about what it looks like. Well, I recently returned from the SCaLE 11x conference, […]

Two Weeks With The Yubikey

It's now been a full two weeks since I purchased my Yubikey and have been using it. The goal was to have a security token that I could use as a form of two-factor authentication for most if not all of my accounts. After two weeks of use, I figured I would write about it, […]

The Yubikey

I'm absolutely pedantic about password security with every one of my accounts. A couple of years ago, I watched as friends and family members seemed to have their Google, Twitter, Facebook or other accounts compromised. In every case, it was because they were using a weak password, and they knew it. I resolved to make […]

Announcing Hundun

Per my last post, I decided to set up an entropy server that the community could use. So, I've done just that. That server uses 5 entropy keys from Simtec Electronics in the U.K. as its hardware true random number generators. It hands out high quality randomness for the most critical cryptographic applications. The purpose is […]

The Entropy Server

With my last post about the entropy key hardware true random number generator (TRNG), I was curious if I could set this up as a server. Basically, bind to a port that spits out true random bits over the internet, and allow clients to connect to it to fill their own entropy pools. One of […]

The Entropy Key

Recently, I purchased 5 entropy keys from They are hardware true random number generators using reverse-biased P-N junctions. They time when electrons jump the depletion zone in the junction, where a voltage is applied to the point of near breakdown, taking advantage of the random characteristics of quantum mechanics. There are […]

Haveged Continued

I noticed that on my machine, my entropy was staying high, then falling off. Then, at what appeared to be some arbitrary point, it would fill back up, in a very periodic manner. This is, of course, after running haveged in the background. Curious, I started looking into it. It took a while to find. […]