Saturday, January 21, 2017

How some people are affected by Trump being elected President

From a response to someone on Facebook a couple of months ago, when a friend of mine suggested that the losing side get over their sour grapes and move on.

For them, it isn't sour grapes. It isn't that a particular candidate didn't win. It's that this specific one did, and what it means in context for them and their relationship to their community and country.

From their perspective, 25% of the electorate -- their friends, family, neighbors, and co-workers -- just used their vote to affirm that all of the things that he said he was for, and all of the things that he carefully didn't say that he was against -- all of it, not just selective parts of it, but the entire package -- are what they want in a leader. Further, they are afraid that what he himself said that he would do -- and from their perspective, these things were very different from most political bluster -- are things that he will actually do. Things targeting them because of something intrinsic to who they are.

They are also afraid of potential behavior that such an endorsement legitimizes. Civilization is a thinner layer than some people realize, and when people with varying levels of self-control and judgment also have a deep-seated fear of people different from themselves, it can only take a small nudge of tacit permission to pull that layer away. What others fear is that this vote will do that. And from some of the news coverage based on police reports, anecdotal stories that have surfaced in my own social feeds from people that I actually know, it appears that it has done so. I can tell you for sure, as a white male, that I have been in a room full of nothing but white males a couple of times in the past two days, and they seem more free to say certain things than they were last week. And when a young person observes how people comport themselves in "non-mixed company", they see it as an example of what older people think is socially acceptable to do. And some of them have poor judgment, and extrapolate that into a license to do more than those older people would do, such as saying things directly to those other people, or worse.

This is in no way intended to de-legitimize the very real issues that the conservative side is grappling with. All I'm trying to say is that this seems pretty different from sour grapes to me. The feeling is different in kind from previous elections in a way that may be difficult to understand ... unless you really sit down for more than few seconds to try to imagine what it might feel like -- on a day-to-day, subtle, pervasive, constant level -- to look around at the uptick in hatred, and feel as though your fellow citizens have despised you all along, and that it's soon going to be institutionalized as law. After being told all your life that that's not what America is about.

As far as I can tell, that's how they're feeling.

And even though I'm a straight white male ... that's how I'm feeling, too.

Wednesday, October 28, 2015

Now with the SSLs

This blog (along with all other blogs) is now available over HTTPS:

The RSS and Atom feeds are also HTTPS-aware:

Please update your bookmarks and feeds accordingly.

Geek note: you can see the Qualys SSL Labs Server Test results for this new setup. (Not perfect, but it's progress!)

Note: HTTPS is not yet available when wrapping a blog within your own domain (such as

Tuesday, October 27, 2015

Hash filtering - an appeal to more than vanity

tl;dr: The major password-cracking projects should add support for general hash substring search (vanity hashes, partial collisions, etc.).

What is a vanity hash?

A vanity hash is a hash that contains an interesting substring. For example, my actual Bitcoin address is:


But it would be cooler if it was this:


That's a vanity hash. Finding one requires a brute-force search. The more characters you want, the harder it gets -- exponentially harder. But even just a few characters can be good enough.

Current examples of vanity hashes

We humans are vain creatures -- so when hashes are used as public identifiers, we want to personalize them:

More than vanity

Searching for a vanity hash is really just an attempt to find hashes with certain content. Other efforts seek hashes with specific content for other reasons - hash collisions, partial collisions, etc. More generally, these are searches for hash substrings.

Why hash substring search is interesting

Finding substrings in hashes isn't just about vanity. Bringing hash substring search into the cracking platforms would enable other interesting work:

  • Experimenting with collisions and partial collisions. This is a potential attack surface that is not adequately publicly explored. Nation-states are almost certainly capable of locating near-collisions for some hashes. When you check a download hash, how often is that check only a cursory visual check? True collisions for slow hashes are nigh-infeasible, of course -- but near-collisions may be interesting.
  • Demonstrating weaknesses. For example, short GPG key IDs can have collisions.
  • Filtering for hashes with broad properties (instead of just substrings). Hashes that contain only digits, or only letters, or letters and digits alternating, or only lower case (for hashes that distinguish case). Perhaps only a curiosity today, but they might be interesting in the future.
  • Automatic/loose discovery of similar strings. This would be a nice-to-have at some point, but searching by edit distance would complement substring searching nicely. A minimum or maximum edit distance could be specified to find strings that are "close enough". One of the most common measurements of edit distance is Levenshtein distance, which has been implemented in most languages, and implemented efficiently on GPU.
  • Working with non-contiguous substrings. Most vanity-hashing tools won't let you search for a hash that begins with "[aA][bB][lL][eE]" and ends with "[eE][lL][bB][aA]". But password crackers' mask syntax is perfect for this.
  • Unforeseeable innovation. Once this capability is available across all hash types, people will tinker with it, revealing new use cases. I've seen some CTFs that involve searching for specific substrings in hashes. I think they're on to something.

Calling them "vanity hashes" doesn't do justice to the potential. I think that the activity of hash substring search -- partial collisions, vanity hashes, etc. -- needs a better name.

Let's call it hash filtering.

Why the password crackers are the best place to do hash filtering

  • It's efficient. No one is better positioned to implement hash filtering than the password crackers -- and doing it anywhere else is a waste of resources. Each standalone vanity-search implementation reinvents the hash bruteforcing wheel - usually poorly: This rarely approaches the speeds that JtR and hashcat are capable of (though there are exceptions). The Bitcoin folks have an edge today because of FPGAs, but I expect this gap to close.
  • It's high leverage. If implemented as a general framework within password crackers, all current and future hash types automatically inherit substring search capability, with little additional effort.

How the password crackers might respond

  • Sound great! That would be awesome, but not likely to be the first reaction. So ...
  • OK -- but it should be done as a separate executable. This is a waste of time. The best features of professional-grade password crackers -- core brute-force power, Markov, forking/parallelism, session management, masks, device selection, wordlist management, etc. -- would either be unnecessarily duplicated, left out, or suffer from bit rot.
  • No. It will slow down cracking too much. Not necessarily. Hash filtering should be implemented as an early pre-optimization step, so that you only have to take the inevitable speed hit if you want hash filtering. Regular cracking would be unaffected.
  • No. We're not interested in vanity hashing as a concept. That would be a mistake. Vanity hashing is already driving interest, contribution -- and even innovation (like entirely new S-boxes).
  • No. It might attract noobs. Unavoidable -- but this should be offset by an influx of insight and talent. Also, we have to feed a certain number of noobs to Xanadrel, the Sarlacc of #hashcat. ;)
  • No. It adds complexity. Technically true, but it should be a largely one-time cost. Also, I think that implementing Levenshtein distance on GPU would be kinda fun if I was atom or Sayantan. ;)
  • No. Hash filtering itself will be too slow. By its nature, it will, indeed, be much slower than password cracking. But if it can be pre-optimized (see previous point), then it can take advantage of the rest of the cracking support structure, so that hash filtering will be faster, more portable, and easier to use than it would be anywhere else.

Implementation suggestions

  • Allow the user to specify a "hash filter", using existing mask syntax. This would automatically enable specifying one or more desired substrings anywhere in the hash -- beginning, end, or middle -- as well as both non-contiguous strings and loose matching by character set.
  • On the command line, consider long options with names like --hash-filter [mask] and --edit-distance [integer]. Or name it something else -- but keep it consistent across projects.
  • Implement in the pre-optimization pass, so that the slowdown introduced by examining each hash will only kick in when hash filtering is explicitly requested.
  • Add simple sanity checking. If the user supplies a mask that is longer than the target hash, warn rather than silently truncating. Also, warn if the user wants to filter for a mask that isn't possible (for example, if their descrypt filter's last character is not within [.26AEIMQUYcgkosw]).

Potential bounty?

If this proposal is not obviously compelling, I will consider setting up a bounty (or charitable donation of the winner's choosing). The bounty would go to each major natively Linux-based project (John the Ripper or hashcat) that incorporates hash filtering. Edit distance would be optional.

If you want to go in on a bounty, contact me and I'll do the Bountysource setup.

The ask

Bring vanity hashing and its kin into the fold -- generalize it into hash filtering that can be applied to all current and future hashes. I think that the results will bear interesting fruit.

Updated: to use a valid example Bitcoin vanity.

Tuesday, October 20, 2015

Cyber and information security certification frequency in job descriptions - 2015-10 edition

A rough study of Indeed acronym frequency when coupled with the word "security":

CISSP  12859 ISC main
ITIL  7233 see also ITILv3 below (+162)
CISA  5374 ISACA auditor
CISM  3927 ISACA manager
CompTIA 2857 a+, security+, network+, etc
GIAC  2368 (any)
CEH  2329 EC-Council
GSE  1501 GIAC expert/advanced
SSCP  1328 ISC – CISSP “lite”
GCIH  1279 GIAC incident handling
CRISC  804 ISACA risk
“CCNA Security” 660 Cisco
GPEN  554 GIAC pentester
OSCP  475 Offensive Security
GSLC  332 GIAC's CISSP analog
GWAPT  253 GIAC web pentest
“CCNP Security” 235 Cisco
CCSE  228 Checkpoint
GREM  219 GIAC reverse engineering malware
ITILv3  162 See also ITIL above (+7233)
“CCIE Security” 155 Cisco
GCFE  140 GIAC forensic examiner
OSCE  124 Offensive Security – advanced
CSIH  100 Carnegie Mellon
GXPN  73 GIAC exploit dev and advanced pentest
GCWN  66 GIAC Windows security
“Cisco CSS” 29 Cybersecurity Specialist – hard to search for right
WCAN  4 Wireshark

Friday, August 28, 2015

No sense in wasting the heat and air movement

My 6x GTX 970 open-air password-cracking rig.



  • Case: Custom Spotswood
  • - Case cover: Not pictured. Mostly for transport purposes, usually runs with the cover off
  • - Handle: For carrying. Sorta helpful, but a little unwieldy
  • Board: GA-990FXA-UD3 rev 4.0. Leave IOMMU enabled; add "iommu=soft" to grub parameters (otherwise, USB and NIC won't work)
  • - Sound: No onboard sound - mini onboard speaker ($4)
  • CPU: AMD FX-8350
  • Memory: 32G for PRINCE headroom
  • OS: Ubuntu Server 14.04 LTS 64-bit
  • PSUs: 2x Corsair RM1000. No fan movement unless loaded. Room for growth if cards get upgraded
  • - Dual PSU adapter: Vantacor
  • - Power switch: Had to get a power/reset switch/cable - none onboard
  • GPUs: 6x EVGA 04G-P4-2974-KR. Max 165W per card
  • - Risers: Non-USB (ribbon) risers. The four x16 slots have powered x16-to-x16 ribbon risers, which isn't necessary for most GPU-centric cracking. x4 or higher is better for John the Ripper, but x1 is fine for cudaHashcat. The two x1 slots have unpowered x1-to-x16 ribbon risers. The USB-based risers would *not* work with this board. The symptom was that only a couple of the cards would work at a time.
  • - GPU fans: locked at 50%. Temperatures do not break 78 at normal house temps, and do not break 72 in cooler rooms

Power consumption:

  • Idle: 105W
  • Idle, with GPU fans forced to 50%: 120W
  • Full CPU load (all 8 cores, OEM CPU fan at 3600 RPM): 265W
  • No CPU, oclhashcat job loaded but paused: 310W
  • Full GPU-only oclhashcat job in progress, minimal CPU: 1050W
  • Full processing load (CPU and GPU): TBD

UPDATES - Performance:

Friday, June 19, 2015

The E-mail Productivity Curve

Brilliant. Captures exactly why we hate email -- and why we love it.

Via: The E-Mail Productivity Curve - Cal Newport

Friday, February 06, 2015

The origins of the Olaf card

Late one night, I was telling my friend Sam that I had recently run into a panhandler who was deaf, and who communicated via a stock message on a business-sized card. Having someone wordlessly hand you a card was a strangely powerful experience. Sam and I immediately started thinking of alternate messages that could be conveyed with this new medium. Somehow, we latched on to the idea of a total stranger using it to ask people to tickle them. And it would be even funnier if English wasn't their first language. This quickly evolved into a large, friendly Norwegian man, asking to be tickled:

("Hello, My name is Olaf. I am recently from Norway and do not speak the English good. Please tickle me. Thank you.")  

The idea was to walk up to a total stranger and hand them the card– without saying a single word. The wordlessness is a crucial element. Your initial communication with the person is solely through the card – and your friendly, hopeful facial expression.

We laughed until our sides hurt.

Then, in classic Sam style, he insisted that we go to Kinko's at once – at 1 o'clock in the morning! – to have the cards actually printed. My friend Mike Hanscom was working at that Kinko's, and was delighted to oblige, chuckling the whole time.

The first run was 500 cards. We burned through that one pretty quickly. The second run of 500 went fast, too. The fad faded in the middle of the third batch, but a few stories stand out.

I have almost never handed them to total strangers. Instead, I show them to people whom I already know (or have just met), saying, “Pretend like you don't know me, and I walk up to you without saying anything, and I hand you this card.” Since I look faintly Scandinavian, and I've usually just met them, it's not too much of a stretch – and it was a fun way to break the ice.

But Sam actually took a batch of cards to Costco to perform a sociological experiment. (If you don't know Sam, imagine a 6-foot-5 cross between Kyle MacLachlan and Waldo from “Where's Waldo.” When he walks up to you as a total stranger and hands you an Olaf card, you're going to pay attention. Sam handed cards out to people until the Costco folks asked him to leave. He had enough data to identify three major categories of response:
  • 85% of people would laugh, take the card, and keep walking.
  • 10-12% would immediately turn and go without any response at all – studiously making no eye contact.
  • The remaining 3-5% would look at Sam furtively, look down at the card, look at Sam again … and then reach out very gingerly, tickle him very briefly, and then make a break for it.
Sam's theory was that this last group was afraid of what he would do if they didn't tickle him.

Sam and I knew that we had struck some kind of chord when we took a road trip to UAF and saw one taped to someone's dorm door – someone whom neither of us knew.

The largest distributor was my friend Rod, who moved to Tuscon and started handing them out. He would go out dancing in his vintage green '70s leisure suit, giant afro wig, and big sunglasses ... and hand out Olaf cards. He went through an entire batch himself. For many in Tucson, Rod is “Olaf.”

Rod was also a dinner captain at a very nice steak restaurant in Tucson. One night, Kevin Spacey had been a customer and was on his way to the door when Rod intercepted Spacey briefly and handed him an Olaf card. As Spacey was walking away, out of the corner of Rod's eye, he saw Spacey look down at the card, actually read it, chuckle, and then put it in his pocket. High praise, indeed.

To this day, every once in a while, I'll get a “hey, you're the guy who handed out the Olaf cards!”