I thought I'd just write a few thoughts down and see where it goes. I'm having trouble writing down my thoughts. Apologies if I go too fast. I'm not in the mood to be patient.
First things first. I write a lot. My mother is a bibliophile. I am a scriptophile, I love to write. But I don't publish most of what I write. My graphic novel Javantea's Fate ground to a halt not long after it started, so I started a blog called "Making of JF" hoping to gain readership by writing keywords and drawing interesting things a few days per week. Years later very few pages of Javantea's Fate were finished, but 378 pages of Making of JF were done. That's a huge amount of writing. It was a very tough part of my life, so I'm glad that I have that corpus of writing to show what my mind was thinking. But I didn't post everything I wrote. The House MD episode "Private Lives" discussed a person who wrote down everything she was going through. I didn't do that back in 2001, but I was spending a few hours three days a week on it. I can't do that now because I signed a confidentiality contract with my previous employer and one of our clients. They went to bat for me and I owe them my current happy status but I also think that the past four years of not quite radio silence (comparatively) has warped my mind. Of course my mind was warped before I went to work in infosec, but the secrets I've kept have gnawed at me. It's the whole issue of doublethink straight from 1984. I am holding two contradicting truths to be true at the same time. Operational security is incredibly important, information should be made free. But information is power and with great power comes great responsibility. I am an irresponsible person. I don't believe in control.
Let's talk about control. There are more than a few theories on the human mind that talk about control and I'm not going to do them any justice explaining them right now. Let's say that my friend, let's call him Descartes for now says that human beings are incapable of moving. He's wrong, but let's say I'm so furious that I want to prove to him that human beings are capable of moving. So I tell him, if I am able to walk from my current position to one foot in front of you, then I can move and your statement is false. He replies, but how do you know you're moving and not changing my mind about what's going on? Occam's razor? Nope. Descartes isn't having it. So I think again. I am unable to reach out and touch you right now. If I am able to reach out and touch you, I must be able to move therefore your theory is wrong. Descartes is too smart for that. You can change my mind, so how do I know if you're actually touching me?
Read more »
This is a quick message to those who communicate with me over PGP or who verify my signatures, I am now using a new key and I am retiring (but not yet revoking) the old 1954fed2 key. Many things I have written are still signed with the old key and many software packages I wrote are signed by that key so it will remain secret hopefully for a year or two. The reason I'm changing keys is because the 1954fed2 key is 1024-bit El-Gamal and is 9 years old. How many keys are 9 years old? The longevity of my key probably has to do with my trust in El-Gamal and my distrust of RSA. Over the past few months I have factored a handful of weak RSA keys and I have done a little bit of cryptanalysis. There are many weaknesses in cryptographic keys and many weaknesses in the computer systems that protect them. We hope that we will avoid these and that our random number generators are strong enough to keep the NSA from reading our personal and business conversations that we choose to encrypt with PGP. We also hope that the NSA isn't able to sign malicious software with our keys or the keys of people we rely upon to provide us with software. But in all, we can only do so much and if RSA is broken or SHA-2 is broken, then we just have to deal with the consequences. Until we know better, we have to use the best judgement we have.
So now for the key. It's been signed by 1954fed2. The key id is CBA783EF. As always, only trust fingerprints or keys signed by keys you have checked the fingerprints for.
- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2 mQINBFR5XEwBEADZugzJdRuD2WROStTqK88UhMjEs+Y2CMrztHavacyJj7b299FB X3cj1pxU5IUV1NdMG4onKKl/VQja9GvIppZmfYI0z/eL6FnXOVq4CW4PlyKgotr+ 44XF7/BndyO7C5KpVEsnBFSlXExtFCranG7UTDqXGXXCnu6ZVUAJ79B2vN7soh8C KBpckYmrv7PSsMWeBC2wLcFJhESduL8gJhePleX3DEBhLLBjg1o8864y9Wpi/xeT F0oG5hTKlC0i9/hEkHqRbD5EzY+GJj3M9w/QXUAgaCg81NBXYpMTOlNEaMHY3i1g i9UdXyFsCMKMO7adYHBSnJqlr95lOOSov8qgNP5KvCv9KZodanaviN22MG8X/czb kLn8lZD8/Sc97yH9EbDENWUas/xd/DJapDDd1k+v9RzFTkKm+QXQIhdTIxwZBEM8 QZCMdIMlq/U8GNLzQE7k6MBcSzAzAepTeOuIFJYCy2tqiHOqUA1u7qwyDVUD/0tl GTRWTby1viNIBgdDn2rvwu7kmuzdjkH9S1f22filIr8M1rI3MAOBVXHgeHjuH5hn ZOKlvtpreM3hFCCdJantGi1m8MLUkCzfTjD4llWAVHZaJXqvxG+7S//5De3GmfDV 5SOWtv2r2CyZOEUvyEMq3u/dptGol+z9UNAw66ZtIxahluoKfNz2+nA5+QARAQAB tBxKYXZhbnRlYSA8amF2YW50ZWFAbmVnOS5vcmc+iQI/BBMBAgApBQJUeV5nAhsD BQkDwmcABwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQPGjI28ung+8cYxAA wnMx2TE1VksIdJseqvzWLatBo83Z1tmE/c+FKqLuSS7GobT+dw+jBupmS9n59jZi mHt1AZHzLmdANKL1iocM9dsvGhrhfl0irJB8fNCMnyIOwZXVjcR3dn4PJRtTVgwt juUDMu44+tK6yRe5InaDCvlIpljN2TClQXPHq19RZDLQwHSoR3xG7Meup8zQGj5T kbW6TSVqeFPA0bX3oexEuOvftx2ervn9Yk0C9wLMA117eYo3El+gyyAS7LgdwljM xALUWji1jMJLfw9d5SHd+bngbVYJNuw7y3ln6L20Kh0dQmmyMq40l4WbTQxz5wIZ ucIPFZdhMKrxfFAmNinlC9HOMRhLNS8PsgOShtK+n+c4+oW3nBb3/qdSgbeSjttQ jtt0r/G/NqjWMz9JQ40IZg9V0guYVYCy3HSxbVvmEPm1SCmWM1A89q6dImRbprH8 YesQwivKCR4CXQ9/7AmzGcpVrLDpS1XNufMjPCVF+6jOkldoOiWW7EBZ8bn0tCmj 7b4BjfBuKHa7FEnFK2X5ut+HUoKJR8CF3jxJTDmPeRKWdK2DQHs2ae2dV5SuYYBR IJbR2ubd0vxbGlrWmpl7anNYSBBOpphop1CC032RFc2aMQ5AWmFMyWFWchcbHtL+ Dnc1xinEd7d0OpWz49Svrk5RNUJfEYVDbeyd7ivfMeyIRgQQEQIABgUCVHzh6QAK CRCmZGsAGVT+0mSWAJ9P5onnzL/LaNCRSHGQ6uwhEJCVNgCfRw1kkTyix9+mE1O1 FtD4o9DlKHm0G0phdmFudGVhIDxqdm9zc0BhbHRzY2kuY29tPokCPwQTAQIAKQUC VHlcTAIbAwUJA8JnAAcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEDxoyNvL p4PvrmUP/Rjbaxt5zu9dU23g8SQLBUXxsdgZXbu3pZvzu+lwd4fvky4mjPHdjxnl +FPHPDztP1lj0ctU6wRrYlSs5RgDVdiD29jDrVoR7pofu/LkJmdh8NtrWCXLDk0n nP04YuEmzNt17szjfV3UPdohDuTCP6OrPSpK9YAV2n9xgBdMwBhEKVX7YKvIPuru 7hi+Zd76QFLS5S+PKAnuiAolj0+nsVKz3epZnPKLnaXgTH0crFqrSdQxD6CUVplL EPn7C7IL0R8Ou6g7qUJd3itfk1JhWoo1zlD7Woc1O3QsIG4SwEsHH4K+XcFdl8sS lA79Qm5ACM7A2rJg24M4ckPB8gjscMXw5fEiHu6jeCHeu5ldjSSsNwzvPmDnC/XB LZoWBP5h3hw1YL5v34KTiE4iVieFd78b9BxHgN1nWuhE8iQIF1lHUVRL3+Sqai3q toIKnAs6x4rSYLEMgxhJ48vd/Xi+Zmu52sdKM/5ql9zxQG7Cd+uubBhJafKxetW4 5jr+L6OplB5inH0MZgw76QDDODMrE0JJsDlT6Tq4/NXT7q5LwJeqZ25AQ7HY4HHB BL6VfbLGNSBrrtkQeJEKSXd1FeILmcA6vH9cGzfm2lUAdnepxT3B6uEAwohUPq2x S+M153PDmqKsyylySWpgvn+4tK5HeQw6XbYXY3KX9SNYogWCLMIFiEYEEBECAAYF AlR84e4ACgkQpmRrABlU/tKAjACfX95rbycC39Kj97n1JCzPDONl050AoJ8HYnjl 2dZEeciqxDvW6o7ZkWc5uQINBFR5XEwBEADK5RhG0GGchvuW5CJVpLMgT9FpOcb8 QOgjS3ztkg7JzkCbZIljOAL0OeGbvLhgg1kqsU9vJPO3zdO29/uJvDNuCKNSwzA4 CY1ZPmFHVBRwhjKB6JzzFN3NgXPZu1f/EiC7/VACyhiRl9Rebsvc2LMUlCtV2PBg O9qXlI5i0tVLnT+a99urJyggsg2JK9T02G3ex+HlrF/91FCHYOhsGqeXWrMrRChM tSUos8o6yEW4sO6fJMqqw5/zHTG0v5VpM3MKQf4byphNCB89GxnsMOyDJzI8mQm7 Iwdmtdmv7vKjNdvB5NqHnMstfTwi0G5lbC+JsNLd2IrOCLTNgOPS3bjFsuLDizEV G6wWihUdKSbcrTs8IiULB9bICLYw5NRlVIwgTD6zUdAcqZhdEkbXqial01P6xzTC K6k+bvnaVQUnuv903KHvXmJ4ikOtnIzPE2htn4Z1wmzVaMk94CWKtImwpah9l92v piM75mMD/aBF465+nw87zxqolSFuYsL7gLLakW+Oa/CNPEGGNP3unjojPtzLwXL/ 1lLgF1crAjNk0VIT19NN9s7NKfCMjeVIpKmFzQC4pk0ozQdYYumnCE9lse9e0s8A TMJeIdn/s0E3y1XhbXDMM/R9RKWMRpnwqmPrWwoqqPFp5zbhL16lCW3I626HvpyT n4OE8Z6P5HHi4QARAQABiQIlBBgBAgAPBQJUeVxMAhsMBQkDwmcAAAoJEDxoyNvL p4PvUt4QALxZHsYgTsO19AGNMyH2RsZPHjapv6qoudkN8sHMwfliw2QSLuW5txcB aUkjwTW3U7oCA3VZvAAQNZl5qGBjI0eRCHTTy6HVEfthdFbnkfg/se/gPWsb5KBd uvGIVwI8OnGCP71vsNItca493/uGwEUsJHRvooEtznzX6k5gw/+Tq/5y9WKuCgXg MwlklOTSIYI1JrbGmI+OlBYijs2TLTaHc1VjGrwk4dBhtU+gUp5C1AcjrSUnqo9I zSaDazv4wbppYP61i/2HyqD0z2mdvddI42okOi6nff6f6rhsID6xODlKLSP/tnws dPHBYkAX31XxBNaiS1GOeaaBW/gO8Kuv5Wb+jTtAXpUVzY7yxWgC86VPstkOn487 Go8pFi4H/qYBZ7krgHZlsS+HjNHGX4bhyZOksKUKhvtqtVKYve1LRI49Q0ibCvt6 EsW5+zSilk2JIL7CSnU6E3IMkB5cpGo8EXbr9HsY6aDioWhjSfyTrKKeMPprhWbi mZBlGpSZpp0om72DOCsY8twdHguSDZZTsY4EUUpy19hgEPwYPlSHW95dzKFMsEid gKbNqhttXi/3j7cx2ecyYDdZeS6oraPaSMsT+PhGId0DiTHawlNlyjGm9D+awq3U G0tgUdIld+3srJDHuSYv0sw0MZezxef8+zXPJIO0EoOOps0q6qA8 =ua9y - -----END PGP PUBLIC KEY BLOCK-----
For those who are interested in the OpenPGP format. Here is a parsing of the above public key:
Read more »
Sept 15, 2013
The first vulnerability has been found in AltSci Crypto Mailing List. It took andrewx 13.5 hours from the posting of this blog to find a Django Security Bulletin posted today which is a denial of service via long passwords. After learning of this, I promptly upgraded Django on my server.
Javantea Out.
Read more »
Sept 14, 2013
The first post to AltSci Crypto Mailing List has been posted. Let's get to hacking.
For more information, check out the previous post about the AltSci Crypto Mailing List.
Read more »