Today, I've had fun with Hookpad, to decipher a key change that messed with my brain in "Inori" from Fujikawa Chiai. Might share it on Theorytab in two weeks, my profile is too young to submit entries...
@cryptids a while ago i got a torrent where i got multiple seeds, 300% availability, and they seeded me like 50mb of a several gb torrent,, and then disappeared. that torrent still hasn't finished. idk why they don't like me :(
I reported an insecure DKIM key to Deutsche Telekom / T-Systems. They first asked me to further explain things (not sure why 'Here's your DKIM private key' needs more explanation, but whatever...). Then they told me it's out of scope for their bugbounty.
I guess then there's really no reason not to tell you: They have a 384 bit RSA DKIM key configured at: dkim._domainkey.t-systems.nl
384 bit RSA is... how shall I put it? I think 512 bit is the lowest RSA key size that was ever really used. 384 bit RSA is crackable in a few hours on a modern PC (using cado-nfs). The private key is: -----BEGIN RSA PRIVATE KEY----- MIHxAgEAAjEAtTliQYV2Xvx1OGkDyOL799BTFEuobY2dn2AgtiKCQgrh78NVK1JK j0yRXgNnPpGBAgMBAAECMF0t+TBZUCi8xATSMij7VLTxv5Xi5OIXesNiXOKtYIRP LkpYfR5PggaMScfbmqSssQIZAMwOhm9d7Y7Qi7I2j1AlYbiqdtqO54T7FQIZAONa 9dJFkC6lM3EPXR+0SZ4dqwwpiM0nvQIYYgz8thi5JK264ohq9sTvnu9yKvUN9I09 AhgfgMYZKcxtujRjkSZtMzUUNLYzzDmJe90CGDKwqcBI0v9ChaR8WHht+/chMdxj 7ez94w== -----END RSA PRIVATE KEY-----
You thought 384-bit was bad? I recently found a live, in daily use, 256-bit key in a, shall we say, large government entity that should know better (would rather not say much more publicly as its relevant to a paper under submission).
Do they accept mails from noncommercial mailservers at their nl branch or do they refuse them with "554 None/Bad Reputation" as the german branch does, unless the mail admin publishes full personal (!) contact infos on a webserver hosted on the smtp machine? Just asking, because THOSE guys behave like they wrote the SMTP RFCs all by themselves...
The TXT record is now "v=DKIM1; k=rsa; g=*; s=email; p=MEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxALU5YkGFdl78dThpA8ji+/fQUxRLqG2NnZ9gILYigkIK4e/DVStSSo9MkV4DZz6RgQIDAQAB"
I really hope they generated a new key, and didn't just switch from publishing the private key to the corresponding public one...
@dragonfrog Most people might not be fluent in base64-encoded ASN.1, but a trained eye can see that it's the same key.
Hint: A sufficiently strong RSA key cannot possibly be that short, and you know it's a DER-encoded pubkey because it starts with "ME" and ends with "AQAB" (0x10001, common RSA public exponent)
@buherator I installed a MariaDB cluster backed set of PowerDNS servers for that exact reason! There were a couple of other reasons but that was what finally made me roll up my sleeves.
@buherator No, they thought they were generating an ECDSA key, for which a 256 or 384 bit would be strong. But, they didn't provide the right arguments, and wound up with RSA. I think the OP posted the private key that they were able to crack trivially.
384-bit RSA is a ~116-digit decimal number. You know it's insecure, because factoring special long decimal numbers of cultural or meme significance has been a niche hobby since the year 2000 by Makoto Kamada, among others. We were the main users of these crypto tools when nobody was cracking any keys. The factored numbers typically have ~200 to 300 digits. I personally factored the number 23333....333333 (203 digits) in 2018 using GGNFS-0.77.1 + msieve 1.51 after running it for 254 hours, the answer was 13249578499 x 141923698309 x 341814137379262820703619531241772438672418960504220543 x 36301935597796613387875174789602896631621794317547997731884133406295200433460476448871588607865425544775288572131035081371416741.
They are not open source. They are restrictive source-available licenses dressed up with “open” language.
Reading the code is not enough. If users cannot freely run, use, or build on the software because of field-of-use or competition restrictions, the software is not open source.
Marketing it as “open source” or even putting “open” in your name is misleading twice: first in the license, then in the messaging.
And it's made worse by the fact that BSL as an identifier is actually describing another license (boost software license, OSI approved), which is why the Business Source License has been given the SPDX ID BUSL.
More than once I had people coming to me saying that Business Source License isn't as issue because BSL is marked as OSI approved on the SPDX license list 🙄
You know that “stop forcing AI into fucking everything” graphic that went around on here?
I bought the t-shirt. I get a lot of compliments on it.
The only negative response was from a friend who works for McKinsey. She read out the “everyone hates it” and said, “do they really, though?” as we stood near the check-in table for an event, and three people in line turned around and said, “YES!”
Dis moi Masto, tu as déjà candidaté à des marchés public et utilisé le système de certificat-électronique-à-la-con en étant sous Linux ? À priori il y aurait des soucis sous linux (certificat sur clef usb😱 ), et comme le certificat est payant autant savoir avant d'acheter...
Pas de souci de lecture sous Ubuntu des certificats Chambersign RGS** sur clé USB de notre côté (mais il faut lire la doc de Chambersign pour installer ce qu'il faut).
Des problèmes avec iParapheur de Libriciel (signature électronique avec ces mêmes certificats) en revanche, mais c'est le logiciel qui pêche malheureusement.
On ne peut pas signer sous Ubuntu avec iParapheur de Libriciel.
C'est même la raison pour laquelle la Maire, qui souhaitait passer sous Linux, est toujours sous Windows. Nous leur en avons parlé, nous leur avons écrit : rien. Pas de réponse.
@nicolasvivant @vianneybarbin le passthrough usb dans virtualbox fontionne pas si mal. et c'est une solution plus réaliste qu'un editeur qui ecouterait ses clients. autre avantage: La VM est facile a transporter d'un poste a l'autre et peut etre restauree dans son etat initial.
Les deux qui font la paire. Pour la semaine de lancement du livre de Francesca Musiani "La politique dans les réseaux" sur cfeditions.com emportez en plus "Cyberstructure" de Stéphane Bortzmeyer. 15% de remise jusqu'au 13 février (41 € au lieu de 48 €)
In other news, F4FXL has sent a PR to MMDVMHost, such that D-Star repeaters can finally support DV Fast data transparency. github.com/g4klx/MMDVMHost/pul…
The media in this post is not displayed to visitors. To view it, please go to the original post.
The little Meshtastic node inside of my ThinkPad T420s is surprisingly good (one of the antennas measured quite well for the frequencies used, so I wired it in. I assume it was meant for GNSS? Or UMTS?).
The PCB is a quick custom design I whipped up in EasyEDA to connect an ESP32-S3 with an SX1262 radio chip. It uses the USB pins of the MiniPCIe slot originally intended for a WWAN modem in this laptop :3
@Infoseepage Heh. Yeah this one was locked down. I had to flash a modified bios on and also then flashed a stripped down Intel ME firmware for good measure.
@JustinDerrick @KayOhtie Those little resistors/capacitors were a bit annoying but honestly it wasn't too bad I screwed up one of them because it was my first time soldering small castellations, but the second one is the one you see in that picture. Done with a small and a big soldering iron and lots of flux.
You could prolly ask your favorite PCB maker to assemble it for you given it only has components on a single side so it should be quite cheap as well as an option
The media in this post is not displayed to visitors. To view it, please go to the original post.
Sure thing. I used EasyEDA (Std) to design it. It seems KiCad can import it quite successfully as well via "Import Non-KiCad Project -> EasyEDA (JLCEDA) Std Backup" and then pointing it at this ZIP.
Also, this whole repo which adds support to meshtastic for my PCB (just defines the pinout pretty much): github.com/Doridian/meshtastic…
The only non-obvious thing about the PCB design: You need to bridge either +3V3 or +3V3AUX to VCC on "H2" (+3V3AUX is powered during standby on some laptops, +3V3 is never, hence the option)
One thing I realized I forgot: If you do end up ordering this, or making one: MiniPCIe cards require a non-default height. I think it was 1.0mm total PCB height, but do cross-check me on that.
The media in this post is not displayed to visitors. To view it, please go to the original post.
Aha. Thanks. OK. I did not realise they can be ordered. I must confess I tried the easyEDA route and installing the software was not possible in view of the provenance of the code and the non FOSSness of it so I could not check it out. I used the online site and your kindly provided zip of the pcb data. I am hoping to go via kicad but got the fright of my life about how that works. I think I need to go back to baby steps. The site seems not to have the parts BTW.
@adingbatponder Yeah, I did solder the PCB myself, don't know if anyone sells the Core1262 for pre-assmbly. But the rest is fairly standard components.
If you do end up obtaining one of these, make sure it is the right Core1262 (HF or LF, depends on your jurisdiction, US is HF, EU I think would be LF)
I used my LiteVNA to measure all the antennas in this laptop. One of them measured alright in the 915MHz band. I assume because it happens to also be used for whatever that antenna was designed for (this laptop had optional 3G/UMTS and GPS support, so the antenna was made for either of those I guess)
@liv I doubt you'd be able to fit these two modules into the expansion card slot. However, someone else made an expansion card PCB prototype (and some PCBs from it) that does work: gitlab.com/SillieWous/Framewor…
If you want to make your own, I'd base off of this, but change the MCU to like an RP2040 or RP2350, something that can run the full FW unlike the MCP2210 (even though the MCP2210 can work if you run the Meshtastic portduino firmware or similar)
Power-wise, 5V1A easily, I'd suspect it fits within the 500mA envelope just fine as well (especially given the ESP32 doesn't need to turn the WiFi hardware on, only Bluetooth if any wireless at all).
#Google trips over its own words, when they sell you #Android it's the best computing device in the world that does everything. After you bought it Google doesn't let you do anything *you* want to.
#Sideload is a made-up term. Putting software on your computer is simply called “installing”, regardless of whether that computer is in your pocket or on your desk.
What Do You Talk About When You Talk About Sideloading?
We recently published a blog post with our reaction to the new Google Developer Program and how it impacts your freedom to use the devices that you own in th...
heresy! The 68030 wore it better! . . . Which is another way of saying “this is very cool”, and “could you please make a 68030 or 68040 of it?” (No 68LC040, please.)
pam_bcpasswd lives! (^o^) Now you'll be able to avoid transmitting your password in clear text over the air, especially useful if you have a backup access over AX.25. I need to check if I can use it directly with axspawn during the initial authentication... Sources to be published once the debian package can be built. I've got a few ideas for secure password rotation (using OPAQUE) and to implement a 3-way alternative of SCRAM to provide mutual authentication :3c
It works like the original challenge-md5 mechanism in axspawn: it issues a random challenge (size adjusted to provide better randomness), and then checks that ascii-hex(md5(concat(challenge,password))) matches.
In terms of security, this is far from being perfect (which is why I'm hoping to replace it by SCRAM in the long run), but at least it's better than cleartext password or baycom authentication, for now.
I may be a sinner for building a Layer 7 HTTP accelerator for constrained ham channels, but I never wrote (and will never write) a Network/Port Adress Translator there are limits to a lack of decency 😸
A REQUEST: If you own a French CD-ROM computer game called "Pop Anim'", please let me know. I could use it for some research but haven't been able to find a circulating copy yet. (It's at the BnF but I can't get there right now.)
C'est un rapport factuel, donc qui contient les données techniques. L'analyse de l'origine sera publiée dans le rapport qui devrait sortir dans 4 mois environ.
TIFO axspawn (the linux utility to handle incoming AX.25 connections) has a built-in inline compression feature (your client needs to send "//COMP ON\n" once the LAPB bearer is established. Axspawn then sends "\rCOMP 1\r" and turns on huffman compression).
Currently working on an ALS162 time receiver. Getting my paws on NF C 90-002 really helped to think of an easier strategy to acquire and sync with the signal.
Turns out this signal is a 40Bd 3-state TCM.
First step, however, is to write a stub that will generate a baseband clone of the signal. For now I'm able to generate a static frame. The scrambler is implemented, and I'm working on the CRC-13.
Honestly, the choices that were made are quite elegant, imho: out of 9 phase transitions, you can recover up to 4 bits in 4 cases, more than 1 bit for 4 others, and the last, which is the XOR of the 3 previous bits. This means you can recover erasures in many cases ✨💜✨
- Thunderstorms depends on it to grow. - It juts out into the sea, watching waves crash below. - You won’t find it on common folk, but legends let it billow.
polprog68k
in reply to isithran • • •isithran likes this.