Skip to content

SHA-1 versus SHA-2 performance tests

Moving to SHA256 has become an increasingly common topic ever since SHA-1 went through the bad news cycle of being vulnerable faster than brute-force. Even in cases where not relevant, such as authentication mechanisms (SCRAM), it feels like only a short time from now regulators will push a SHA-2 family as minimum requirement. For most people that means moving to a 256 bit key length (SHA256) sooner rather than later.

Will SHA256 cause a performance issue when replacing SCRAM-SHA-1? It’s hard to say, given that many variables are involved in testing, yet generally we expect a 50% performance change with 256 bit key length of SHA-2 compared with 160 bit key length of SHA-1.

Assuming proper construction a larger bit size means more possible combinations, which means strength through slowing down brute force attempts. A cryptographic hashing algorithm is only as great as its ability to make truly unique, non-guessable, hashes. So here’s a way for you to compare speeds:

ubuntu17:~$ openssl speed -multi 2 -decrypt sha1 sha256

The 'numbers' are in 1000s of bytes per second processed
sha1            176979.32k   479049.54k  1017926.06k  1451719.34k  1652667.73k
sha256          144534.98k   302692.57k   576607.91k   697034.07k   740136.28k

Posted in Security.

Are Self-Organizing Maps Just an Exercise in Relativism?

The key to unlocking the power of a self-organizing map seems to be in this phrase by Diego Vicente:

…instead of a grid we declare a circular array of neurons, each node will only be conscious of the neurons in front of and behind it…

He offers the example of Uruguay

traversing 734 Uruguay cities only 7.5% longer than the optimal in less than 25 seconds

In other words, dispense with attempts to measure on an absolutist grid and instead calculate your position relative to others in your immediate vicinity. Diego refers to immediate vicinity as “moderate exploitation of the local minima of each part” of the grid. Makes perfect sense. Ask a local which way to the closest next town, if you can find a trusted local, and don’t ask them for a way to towns they never see.

The more I research flaws in AI security the more the world bifurcates into these relative vs absolute models of authentication and authorization. In between there are many exploits to be found.

The problem set here is called the National Travelling Salesman by mathematicians. Of course in security terms we should think of this as drone routes to destroy privacy (gather knowledge, if you prefer that angle) or an estimation of resources for a comprehensive integrity attack plan (defense, if you prefer that angle).

Posted in History, Security.

2018 AppSec California: “Unpoisoned Fruit: Seeding Trust into a Growing World of Algorithmic Warfare”

My latest presentation on securing big data was at the 2018 AppSec California conference:

When: Wednesday, January 31, 3:00pm – 3:50pm
Where: Santa Monica
Event Link: Unpoisoned Fruit: Seeding Trust into a Growing World of Algorithmic Warfare

Artificial Intelligence, or even just Machine Learning for those who prefer organic, is influencing nearly all aspects of modern digital life. Whether it be financial, health, education, energy, transit…emphasis on performance gains and cost reduction has driven the delegation of human tasks to non-human agents. Yet who in infosec today can prove agents worthy of trust? Unbridled technology advances, as we have repeatedly learned in history, bring very serious risks of accelerated and expanded humanitarian disasters. The infosec industry has been slow to address social inequalities and conflict that escalates on the technical platforms under their watch; we must stop those who would ply vulnerabilities in big data systems, those who strive for quick political (arguably non-humanitarian) power wins. It is in this context that algorithm security increasingly becomes synonymous with security professionals working to avert, or as necessary helping win, kinetic conflicts instigated by digital exploits. This presentation therefore takes the audience through technical details of defensive concepts in algorithmic warfare based on an illuminating history of international relations. It aims to show how and why to seed security now into big data technology rather than wait to unpoison its fruit.

Copy of presentation slides: UnpoisonedFruit_Export.pdf

Posted in Energy, Food, History, Sailing, Security.

Locally Decode Windows Administrator Password for AWS Instance

If you’ve run into that awkward moment in AWS when they ask you to submit your key into some suspicious-looking web interface in order to receive the password for your newly created instance, this quick command is for you.

After an instance is created and running, right-click on the instance and select “Instance Settings” then “Get System Log”:

As you just booted your instance for the first time, the administrator password will be printed to the log:

Copy the text between the password markup to your buffer and then paste it into this command along with the local directory of your pemfile:

echo "copied-password" | base64 -d | openssl rsautl -decrypt -inkey "directory/pemfilename" -out administrator.password

Then open the administrator.password file and you’ll see the password for your administrator account

Posted in Security.

Did a Spitfire Really Tip the Wing of V1?

Facebook has built a reputation for being notoriously insecure, taking payments from attackers with little to no concern for the safety of its users; but a pattern of neglect for information security is not exactly the issue when a finance guy in Sydney, Australia gives a shout-out to a Facebook user for what he calls an “amazing shot” in history:

As anyone hopefully can see, this is a fake image. Here are some immediate clues:

  1. Clarity. What photographic device in this timeframe would have such an aperture let alone resolution?
  2. Realism. The rocket exhaust, markings, ground detail…all too “clean” to be real. That exhaust in particular is an eyesore
  3. Positioning. Spitfire velocity and turbulence relative to V1 is questionable, so this overlapped steady formation is unlikely
  4. Vantage point. Given positioning issue, photographer close position aft of Spitfire even less likely

That’s only a quick list to make a solid point this is a fabrication anyone should be able to discount at first glance. In short, when I see someone say they found an amazing story or image on Facebook there’s a very high chance it’s toxic content meant to deceive and harm, much in the same way tabloid stands in grocery stores used to operate. Entertainment and attacks should be treated as such, not as realism or useful reporting.

Now let’s dig a little deeper.

In 2013 an “IAF Veteran” posted a shot of a Spitfire tipping a V1, which passes many of the obvious tests above although it inserts some other nonsense about dangers of firing bullets and blowing up the V1 in air versus sending it unpredictably to ground:

Years then pass by until just a few weeks ago a “Military aviation art” account posts a computer rendered image with the comment “Part of a new work depicting the first tipping of a V-1 flying bomb with a wing tip. Who achieved this?”. Shame this artist wasn’t given credit by the Sydney finance guy, as it would have made far more sense, but there’s also some irony to the artist’s tweets.

The artist answers their own question in the next tweet. On the bright side this points us to real history. On the dark side they also sadly omit a link to original source or reference, let alone the (attempted) realism found in that “IAF veteran” tweet. The artist simply says it is based on a real event, with a photo of a pilot who achieved it. The details of this story not only are worth telling, they put this artist’s work in a proper context:

Fortunately “V1 Flying Bomb Aces by Andrew Thomas” is also online and tells us through first-person accounts of a squadron diary what really happened. While normally a V1 would be shot down, in this case after a Spitfire pilot found himself firing until out of ammo he became frustrated and instead managed to tip a wing of the V1:

Does finance guy in Sydney feel accountable for claiming a real event from a false photograph? Of course not, because he has been responding to people that it’s still a fine representation of a likely event so he doesn’t measure any harm to justify a correction. Was he wrong to misrepresent and should he delete the tweet and replace with a corrected one? Yes, but the real question becomes why he won’t, despite being repeatedly made aware of his error.

Posted in History, Sailing, Security.

The Chaos

by Dr. Gerard Nolst Trenité
(Netherlands, 1870-1946)

Dearest creature in creation,
Study English pronunciation.
I will teach you in my verse
Sounds like corpse, corps, horse, and worse.
I will keep you, Suzy, busy,
Make your head with heat grow dizzy.
Tear in eye, your dress will tear.
So shall I! Oh hear my prayer.
Pray, console your loving poet,
Make my coat look new, dear, sew it!

Just compare heart, beard, and heard,
Dies and diet, lord and word,
Sword and sward, retain and Britain.
(Mind the latter, how it’s written.)
Now I surely will not plague you
With such words as plaque and ague.
But be careful how you speak:
Say break and steak, but bleak and streak;
Cloven, oven, how and low,
Script, receipt, show, poem, and toe.

Hear me say, devoid of trickery,
Daughter, laughter, and Terpsichore,
Typhoid, measles, topsails, aisles,
Exiles, similes, and reviles;
Scholar, vicar, and cigar,
Solar, mica, war and far;
One, anemone, Balmoral,
Kitchen, lichen, laundry, laurel;
Gertrude, German, wind and mind,
Scene, Melpomene, mankind.

Billet does not rhyme with ballet,
Bouquet, wallet, mallet, chalet.
Blood and flood are not like food,
Nor is mould like should and would.
Viscous, viscount, load and broad,
Toward, to forward, to reward.
And your pronunciation’s OK
When you correctly say croquet,
Rounded, wounded, grieve and sieve,
Friend and fiend, alive and live.

Ivy, privy, famous; clamour
And enamour rhyme with hammer.
River, rival, tomb, bomb, comb,
Doll and roll and some and home.
Stranger does not rhyme with anger,
Neither does devour with clangour.
Souls but foul, haunt but aunt,
Font, front, wont, want, grand, and grant,
Shoes, goes, does. Now first say finger,
And then singer, ginger, linger,
Real, zeal, mauve, gauze, gouge and gauge,
Marriage, foliage, mirage, and age.

Query does not rhyme with very,
Nor does fury sound like bury.
Dost, lost, post and doth, cloth, loth.
Job, nob, bosom, transom, oath.
Though the differences seem little,
We say actual but victual.
Refer does not rhyme with deafer.
Foeffer does, and zephyr, heifer.
Mint, pint, senate and sedate;
Dull, bull, and George ate late.
Scenic, Arabic, Pacific,
Science, conscience, scientific.

Liberty, library, heave and heaven,
Rachel, ache, moustache, eleven.
We say hallowed, but allowed,
People, leopard, towed, but vowed.
Mark the differences, moreover,
Between mover, cover, clover;
Leeches, breeches, wise, precise,
Chalice, but police and lice;
Camel, constable, unstable,
Principle, disciple, label.

Petal, panel, and canal,
Wait, surprise, plait, promise, pal.
Worm and storm, chaise, chaos, chair,
Senator, spectator, mayor.
Tour, but our and succour, four.
Gas, alas, and Arkansas.
Sea, idea, Korea, area,
Psalm, Maria, but malaria.
Youth, south, southern, cleanse and clean.
Doctrine, turpentine, marine.

Compare alien with Italian,
Dandelion and battalion.
Sally with ally, yea, ye,
Eye, I, ay, aye, whey, and key.
Say aver, but ever, fever,
Neither, leisure, skein, deceiver.
Heron, granary, canary.
Crevice and device and aerie.

Face, but preface, not efface.
Phlegm, phlegmatic, ass, glass, bass.
Large, but target, gin, give, verging,
Ought, out, joust and scour, scourging.
Ear, but earn and wear and tear
Do not rhyme with here but ere.
Seven is right, but so is even,
Hyphen, roughen, nephew Stephen,
Monkey, donkey, Turk and jerk,
Ask, grasp, wasp, and cork and work.

Pronunciation — think of Psyche!
Is a paling stout and spikey?
Won’t it make you lose your wits,
Writing groats and saying grits?
It’s a dark abyss or tunnel:
Strewn with stones, stowed, solace, gunwale,
Islington and Isle of Wight,
Housewife, verdict and indict.

Finally, which rhymes with enough —
Though, through, plough, or dough, or cough?
Hiccough has the sound of cup.
My advice is to give up!!!

Originally transcribed by Pete Zakel .

Posted in Poetry.

2017 BSidesLV: Hidden Hot Battle Lessons of Cold War

My presentation on machine learning security opened the Ground Truth track at the 2017 BSidesLV conference:

When: Tuesday, July 25, 11:00 – 11:30
Where: Tuscany, Las Vegas
Cost: Free (as always!)
Event Link: Hidden Hot Battle Lessons of Cold War: All Learning Models Have Flaws, Some Have Casualties

In a pursuit of realistic expectations for learning models can we better prepare for adversarial environments by examining failures in the field?

All models have flaws, given any usual menu of problems with learning; it is the rapidly increasing risk of a catastrophic-level failure that is making data /robustness/ a far more immediate concern.

This talk pulls forward surprising and obscured learning errors during the Cold War to give context to modern machine learning successes and how things quickly may fall apart in evolving domains with cyber conflict.

Copy of Presentation Slides: 2017BSidesLV.daviottenheimer.pdf (4 MB)

Full Presentation Video:

Prior BSides Presentations

Posted in History, Security.

This Day in History — 1886 Haymarket Affair

On this day in 1886 a Civil War veteran from Texas, Albert Richard Parsons, was accused along with several others of a conspiracy to murder in Chicago, Illinois.

Albert volunteered as a 13 year old to serve in the Civil War under units in Texas led by his brothers. First he was infantry for his Confederate captain brother, next a cannoneer and finally cavalry for the Confederate colonel William Henry Parsons.

After the American “slave-holders’ rebellion” was defeated, Albert studied in college and became a member of the “Radical Republicans” working in Central Texas on suffrage for Freedmen; he helped register blacks to vote despite threats of violence and exploitation by white supremacists. After marrying Lucy Parsons he traveled through the Midwest and settled in Chicago in 1873. In his “auto-biography” published by his wife he wrote…

I incurred thereby the hate and contumely of many of my former army comrades, neighbors, and the Ku Klux Klan. My political career was full of excitement and danger. I took the stump to vindicate my convictions.

In April 1886 Chicago saw dozens of protests where people were calling for an eight-hour workday. Similar to his suffrage work to help the Freedmen, Albert spoke and wrote about industrial labor conditions as a cause of voter disenfranchisement.

On the 1st of May tens of thousands walked off their job for better working conditions. After more protests on May 3rd the police responded to a large group by shooting wildly at protesters they called violent, killing at least one and injuring many others.

The following day on May 4th Albert spoke at a meeting in Haymarket Square and left. Although Mayor Harrison had instructed the police to stay away by the end of the day hundreds of armed officers marched in and demanded protesters disperse. A bomb exploded and police again opened fire wildly into crowds. Many were killed (seven police, a few protesters) and injured (sixty police, unknown protesters).

Prominent speakers and writers such as Albert then were charged with murder because protests could be violent, despite not being there. After an unfair trial most of the accused were sentenced to death. One died violently in prison, judged a suicide. Then Albert and three others were hanged in 1887. He stood on the gallows and asked “Will I be allowed to speak, O men of America? Let me speak…” as the Sheriff opened trap doors to kill him.

Two other men had asked and received commuted sentences. Six years later, in 1893, the Illinois’ Governor Altgeld known for his “patriotic love of liberty” pardoned those convicted in the Haymarket Affair and called the unfair trial methods used a “menace to the Republic“.

Altgeld feared that when the law was bent to deprive immigrants of their civil liberties, it would later be bent to deprive native sons and daughters of theirs as well.

The City of Chicago Haymarket Memorial describes these events as “A Tragedy of International Significance“:

…those who organized and spoke at the meeting—and others who held unpopular political viewpoints—were arrested, unfairly tried and, in some cases, sentenced to death even though none could be tied to the bombing itself.

Police targeted and killed the leaders of a group who advocated for better quality of life and voting rights in poor and immigrant homes. Although Albert had survived having unpopular views in Texas opposing the Klu Klux Klan after the Civil War, in Chicago he couldn’t escape being falsely accused of violence and sentenced to death for becoming popular.

Posted in History, Security.

Where does the expression 101 come from?

Book_Mission101Lately I’ve been reading about Mission 101, where just a few thousand men in an Allied expeditionary force were sent into Ethiopia to defeat a far greater Italian occupation force 100 times their size. It’s mentioned in books like “Fire in the night : Wingate of Burma, Ethiopia, and Zion,” or the more obvious title of…wait for it… “Mission 101”.

In late 1940 a group of five young Australian soldiers set out on a secret mission. Leading a small force of Ethiopian freedom fighters on an epic trek across the harsh African bush from the Sudan, the small incursion force entered Italian-occupied Ethiopia and began waging a guerilla war against the 250,000-strong Italian army. One of these men, Ken Burke, was Duncan McNab’s uncle.

The mission wasn’t actually about five Aussies, and I’ll get to that in a minute. The name seemed strange to me, in modern context, because we use 101 to imply some kind of basic level. Someone saying “Mission 101” today sounds almost exactly opposite to the task of taking a few soldiers into unknown territory against massive odds. That sounds really hard, right?

Top-ranked answer on a search engine is a Slate post called “101 101” that tells us the expression since the 1930s has meant a starter course for beginning students:

Many freshmen will kick off their college careers with courses like Psychology 101, English 101, or History 101. When did introductory classes get their special number? In the late 1920s. The Oxford English Dictionary finds the first use of “101” as an introductory course number in a 1929 University of Buffalo course catalog. Colleges and universities began to switch to a three-digit course-numbering system around this time.

This is a wholly unsatisfying answer. It takes for granted that in transition to a three number system someone would only use 101, and not 100, 010, 001, 000 or any other possible combinations.

Why 101?

I needed more. And the search engines were doing little to help, not least of all because searching for anything + “101” gives you an introduction to that topic and not the expression.

Instead I dug into the details mentioned in Fire in the Night. It says Mission 101 had a leader named Lt Col Dan Sandford who served as artillery during WWI, and then as British Consul to Abyssinia before retiring there at the end of his term in office.

The key to this story is British artillery in WWI commonly used a fuse numbered 101 on their shells. So why would Sandford name his mission after a fuse on an explosive shell? This is where the story gets interesting.

Britain had used their presence in Sudan to train Ethiopians as guerrilla forces after 1935, due to war with Italy that year. When Italy invaded Sanford was forced to escape back to England. In October 1939, as Britain saw war with Italy fast approaching, Sanford was sent into Khartoum to gather Ethiopian exiles, round up military supplies, and trigger a popular uprising inside Ethiopia to push the Italians out.

There you have it. Using a small fuse to trigger or initiate a much larger explosion makes sense, given the 101 fuse history. Best guess from a war museum file (found at © IWM MUN 2582) is the term simply went from military use to more common public use in 1920s as slang or example of “starting” or “initiating”.


The No 101 percussion fuze was introduced in 1916 and represented an attempt to overcome the No 100 fuze’s weak points. The 101 did away with the ‘cocked pellet’, used a fixed needle, and placed the detonator in the graze pellet. The needle was originally pressed in, but loose needles often caused premature explosions and a screwed-in needle was used after the Mark I. The 101 ran to five ‘Marks’ and was declared obsolete in 1921.

A good example of this public use and general knowledge comes from the Encyclopedia Britannica of 1922, which explained in detail on page 130, that the 101 is an example of the graze fuze for artillery shells. It even uses the phrase “this class”.EB-graze-fuze-101

Posted in History, Security.

“My Lost Youth” by Longfellow

A curious thing about writing a poem is how it can suggest to the reader a topic while subtly communicating a tangent. Recently I was being peppered by questions of attribution in security that reminded me of Henry Wadsworth Longfellow’s poem:

		My Lost Youth

OFTEN I think of the beautiful town	 
  That is seated by the sea;	 
Often in thought go up and down	 
The pleasant streets of that dear old town,	 
  And my youth comes back to me.			5
    And a verse of a Lapland song	 
    Is haunting my memory still:	 
    'A boy's will is the wind's will,	 
And the thoughts of youth are long, long thoughts.'	 
I can see the shadowy lines of its trees,		10
  And catch, in sudden gleams,	 
The sheen of the far-surrounding seas,	 
And islands that were the Hesperides	 
  Of all my boyish dreams.	 
    And the burden of that old song,			15
    It murmurs and whispers still:	 
    'A boy's will is the wind's will,	 
And the thoughts of youth are long, long thoughts.'	 
I remember the black wharves and the slips,	 
  And the sea-tides tossing free;			20
And Spanish sailors with bearded lips,	 
And the beauty and mystery of the ships,	 
  And the magic of the sea.	 
    And the voice of that wayward song	 
    Is singing and saying still:			25
    'A boy's will is the wind's will,	 
And the thoughts of youth are long, long thoughts.'	 
I remember the bulwarks by the shore,	 
  And the fort upon the hill;	 
The sunrise gun with its hollow roar,			30
The drum-beat repeated o'er and o'er,	 
  And the bugle wild and shrill.	 
    And the music of that old song	 
    Throbs in my memory still:	 
    'A boy's will is the wind's will,			35
And the thoughts of youth are long, long thoughts.'	 
I remember the sea-fight far away,	 
  How it thunder'd o'er the tide!	 
And the dead sea-captains, as they lay	 
In their graves o'erlooking the tranquil bay		40
  Where they in battle died.	 
    And the sound of that mournful song	 
    Goes through me with a thrill:	 
    'A boy's will is the wind's will,	 
And the thoughts of youth are long, long thoughts.'	45
I can see the breezy dome of groves,	 
  The shadows of Deering's woods;	 
And the friendships old and the early loves	 
Come back with a Sabbath sound, as of doves	 
  In quiet neighbourhoods.				50
    And the verse of that sweet old song,	 
    It flutters and murmurs still:	 
    'A boy's will is the wind's will,	 
And the thoughts of youth are long, long thoughts.'	 
I remember the gleams and glooms that dart		55
  Across the schoolboy's brain;	 
The song and the silence in the heart,	 
That in part are prophecies, and in part	 
  Are longings wild and vain.	 
    And the voice of that fitful song			60
    Sings on, and is never still:	 
    'A boy's will is the wind's will,	 
And the thoughts of youth are long, long thoughts.'	 
There are things of which I may not speak;	 
  There are dreams that cannot die;			65
There are thoughts that make the strong heart weak,	 
And bring a pallor into the cheek,	 
  And a mist before the eye.	 
    And the words of that fatal song	 
    Come over me like a chill:				70
    'A boy's will is the wind's will,	 
And the thoughts of youth are long, long thoughts.'	 
Strange to me now are the forms I meet	 
  When I visit the dear old town;	 
But the native air is pure and sweet,			75
And the trees that o'ershadow each well-known street,	 
  As they balance up and down,	 
    Are singing the beautiful song,	 
    Are sighing and whispering still:	 
    'A boy's will is the wind's will,			80
And the thoughts of youth are long, long thoughts.'	 
And Deering's woods are fresh and fair,	 
  And with joy that is almost pain	 
My heart goes back to wander there,	 
And among the dreams of the days that were		85
  I find my lost youth again.	 
    And the strange and beautiful song,	 
    The groves are repeating it still:	 
    'A boy's will is the wind's will,	 
And the thoughts of youth are long, long thoughts.'	90

This could happen anywhere, despite being about a specific place. Supposedly in 1855 he set out to describe an idyllic life in Portland, Oregon. And yet what city “beautiful town that is seated by the sea” does not have “pleasant streets” with “shadowy lines of its trees”? Is anyone surprised to hear of an old American shipping town with “black wharves and the slips” below “the fort upon the hill”?

Even more to the point, after a long vague description leaving the reader without any unique Portlandish details, the writer admits “there are things of which I may not speak”. Vague by design?

Ok, then, decoding the poem to suggests a series of fleeting (pun not intended) feelings that defy direct attribution to a particular city. Action words give away bundles of emotion from a young boy excited by a generalized theory of adventure. No real location is meant, which leaves instead the importance of stanza action lines (7th); they seem to unlock a message about generic youthful rotations: haunting, murmurs, singing, throbs, goes, flutters, sings, come, sighing, repeating. “Lost youth” indeed….

Posted in Poetry, Security.