Article on PacketFence

51 days ago

My article on PacketFence was published today in the last issue of (IN)SECURE Magazine.

It’s quite technical and it is all new material.

Go ahead, read it and give me feedback!

Direct link to issue 32.

Cheers!

— Olivier Bilodeau


---

Here's what really happened at RSA

136 days ago

I originally posted this late at night to a local security group. Then I thought it was funny and worth translating and sharing on my blog.

Note: Nothing in here is based on actual evidence. This is just an exercise for fun.

As I write this, everyone is getting their RSA tokens replaced. They think they are getting new ones because their old ones were compromised, but what if things are not exactly as they look?

Here’s what happened: RSA was not keeping their seeds for the tokens. Because, after all, they didn’t need the seeds. Once the token’s seed database was delivered to their customers, they diligently deleted the seeds they had. It was the most secure thing they could do.

Sometime later, the NSA [1] knocked at their door saying: “We would like to have all the seeds for your tokens in exchange for a sh*tload of money. You see our old usual win32 0-days aren’t cutting it anymore.. With the seeds we would be in way better shape to attack the people who are a threat to our nation.”

RSA replied: “No, but not because we don’t want to; because we can’t.. We never kept them. The most secure thing we could do for our customers was not to keep them.”

Then it got into an RSA sales guy’s and/or C-level manager’s ear. They assigned their best technical people to it and they came up with a plan:

“Let’s do a big ‘we got owned’ fiasco story and tell all of our customers that we need to give them new tokens because the old ones aren’t safe anymore. But this time, we keep the seeds!”

NSA is happy. RSA is happy. USA is happy.

And of course, this is not what really happened.

[1] RSA, NSA: only one letter difference.. ;)

— Olivier Bilodeau


---

Tomdroid 0.5.0

140 days ago

I released Tomdroid 0.5.0 earlier this week and I’ve heard no big complaints that it ruined someone’s life. Here’s the announcement.

I’ll spare you the details but as you can see, it sports a new icon.

And here are some screenshots: the list of notes and Tomdroid's search dialog.

Enjoy!

— Olivier Bilodeau


---

Hackus: three days of intense hacking challenges

278 days ago

Just a quick post to say that I had a blast at the last Hackus. The whole competition was organized top-notch and the challenges gave us more to do than we had time for.

First, I’ve got to say that I have always preferred the CTFs where we are all together over the ones we do over the Internet, so Hackus being in the former category is a plus for them.

Then, the challenges. There was: a forensic challenge that quickly turned into a twisted defensive / offensive CTF, Java reverse-engineering, Web exploitation, a service-exploitation-oriented CTF, Web Application Firewall evasion challenges, a very interesting and twisted social-engineering challenge with live actors and unexpected illegitimate access to hardware, cryptography, a handful of networking challenges with an unexpected IPv6 appearance (and we are sooo not ready!), general puzzle-solving, geek/hacker/cracker knowledge, hacker jeopardy, steganography, parties with DJs and more that I forget.

The organizers really outdid themselves: a lot of ground was covered, it was tremendously hard (keep in mind it’s all volunteer work!) and their infrastructure hosted all of this without even a hiccup. An all-across-the-board success!

The networking challenges were especially welcome for me, since they are quite hard to set up infrastructure-wise, are never seen in CTFs over the Internet and are, in my opinion, quite important and often overlooked.

Finally, I guess the fact that we won probably also weighed in the fact that I enjoyed the event. That said, the competition was very fierce until the end. Our team, Amish Security, had the chance of combining a lot of diverging abilities and talents into a cohesive team. Let me name-drop here: Guillaume Germain, Gabriel Tremblay, François Proulx, Laurent Desaulniers, Pierre-Marc Bureau, Joan Calvet, Benjamin Vanheuverzwijn. All awesome, hard-working and talented people!

I also organized the Hacker Jeopardy portion of the event, which will have its own post.

I said short post at the beginning, I know, sorry about that..

Pictures by Rémi Menegon, used in accordance with the CC license.

— Olivier Bilodeau


---

functional perl code for fun

366 days ago

I have no formal functional programming training but being curious I’ve always paid attention to it.

Lately I was designing an API for a Perl module I’m about to release. I wanted to share how elegant the functional approach is compared to an iterative one.

The context: I’m building a module that implements a very weak cipher where each character of a string is rotated according to a formula that I wanted the user to control.

A naive approach would look like:

positional_rot_linear( $string, $m, $b );

with m and b of the y = mx + b fame. What about quadratic? For completeness I would need a:

positional_rot_quadratic( $string, $a, $b, $c );

with f(x) = ax^2 + bx + c. But now, what about the Fibonacci sequence, or your own favorite sequence? Well, I would need a custom variant that takes an array of rotation indexes:

# fibonacci numbers
@rotations = ( 0, 1, 1, 2, 3, 5, 8, 13 ); 
positional_rot( $string, @rotations );

Here’s where the fun starts. Why not delegate control of the sequence entirely to the API user? We can do this if we accept as a parameter a function with a particular contract. For example, one where we provide the position and it returns the rotation value.

$linear_3x = sub {
    my $pos = shift;
    return (3 * $pos);
};
positional_rot( $string, $linear_3x );

Or, more compactly with an anonymous function and without the temporary value:

positional_rot( $string, sub { return (3 * shift); } );

The user providing the code can then do pretty much whatever they want!

# quadratic 5x^2 + 2x + 12
sub { 
    my $pos = shift;
    return (5 * $pos**2 + 2 * $pos + 12);
}
# rot13
sub { return 13; }
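As an added example (not the author's module, which was not yet released when this was written), here is a minimal positional_rot that accepts such a code reference. The letter-only, case-preserving rotation and the inverse_of helper are my assumptions about the contract, not the module's API.

```perl
#!/usr/bin/perl
# Added example, not the author's module: a positional rotation "cipher"
# whose per-position rotation is supplied by the caller as a code reference.
use strict;
use warnings;

# Rotate ASCII letters only, preserving case; other characters pass through.
# $rot_of_pos is the callback contract: given a 0-based position, return
# an integer rotation. Any integer is accepted; it is normalized to 0..25.
sub positional_rot {
    my ($string, $rot_of_pos) = @_;
    my @chars = split //, $string;
    my $out = '';
    for my $pos (0 .. $#chars) {
        my $c   = $chars[$pos];
        my $rot = $rot_of_pos->($pos) % 26;   # Perl's % is non-negative here
        if ($c =~ /[A-Z]/) {
            $out .= chr((ord($c) - ord('A') + $rot) % 26 + ord('A'));
        } elsif ($c =~ /[a-z]/) {
            $out .= chr((ord($c) - ord('a') + $rot) % 26 + ord('a'));
        } else {
            $out .= $c;
        }
    }
    return $out;
}

# Because the rotation depends only on the position, decryption is the same
# call with the negated sequence: wrap the user's callback instead of asking
# them to write a second one. (Assumed helper, not part of the module.)
sub inverse_of {
    my $f = shift;
    return sub { return -$f->(shift); };
}

# rot13 is the constant sequence: every position rotates by 13
print positional_rot("Hello, World!", sub { return 13; }), "\n";

# linear 3x: position 0 rotates by 0, position 1 by 3, position 2 by 6, ...
print positional_rot("abcd", sub { return 3 * shift; }), "\n";

# quadratic 5x^2 + 2x + 12, then undone with the inverse sequence
my $quad = sub { my $pos = shift; return 5 * $pos**2 + 2 * $pos + 12; };
my $enc  = positional_rot("Secret", $quad);
print "$enc -> ", positional_rot($enc, inverse_of($quad)), "\n";
```

As the post says, this is a very weak cipher; the point of the example is the callback contract, not the secrecy.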

This actually reminds me of Java. There I would have needed to declare my method as expecting an object of a certain interface and then create an implementation of that interface that suited my need. With Perl there is no need for all of that, but you lose the static typing goodness, which tends to make errors happen at run time instead of compile time.

But that’s a whole other topic..

— Olivier Bilodeau


---
