Computer security, software development, general news.
posted by Dan Weber at 8:23 PM
0 comments
posted by Dan Weber at 6:17 PM
0 comments
Oh, 404 not found. Well, programming websites can be hard.
Let me see if my device is under warranty. Let's go to the warranty page.
Oh, they don't recognize their serial number. (For about a year, Microsoft had a "temporary problem" recognizing the serial number printed on the mouse. Maybe until the warranty ran out.)
Hey, let me try having their ActiveX control identify the device.
Oh, Internet Explorer blocked the ActiveX control because it's unsafe. No option to allow it to run, either.
When a Microsoft Wireless Notebook Optical Mouse 3000 acts funny in Windows:
posted by Dan Weber at 10:20 AM
1 comments
I'm not an expert, but here's a quick primer: you can send coins in your wallet to a valid address, and this transaction is validated by a peer-to-peer network. Addresses can be created at will. Coins are validated via their history, so you can see the addresses of previous transactions involving those coins. For example, I just made up the address 15NhuaukwoUoHWRJijfdrb4iiz6D61mCds; you can see the history of that address here, which is blank right now. (If you give me bitcoins at that address, there is a "receipt" right there. See, bitcoins makes begging on-line seem cool again, just like it was ten years ago.)
Bitcoin's online use also makes a brand-new target for thieves. Instead of breaking into your computer to try and sniff your passwords or selling you off to a zombie net, hackers could directly steal value stored there.
This also applies to websites that handle bitcoins. There is no central body so there is no such thing as PCI Compliance. But websites that allow bitcoins to be transferred to other addresses need to take security very seriously, as if they were handling credit card information or actual cash like a bank.
(Websites that receive payments via Bitcoin do not need to worry as much, but they still should use best practices.)
One example is Mt Gox, a site that facilitates the exchange of different currencies, including US Dollars and Bitcoins. EvilPacket demonstrated a XSS and CSRF attack against the site, which has since been fixed.
One of the more popular source of coins these days are "mining pools," in which lots of people work together to help the peer-to-peer network validate transactions, and are occasionally rewarded with new bitcoins. All these sites have web interfaces. I gave a peek to see if they were vulnerable to some simple attacks.
BTCMine, slush's pool, and MtRed were all safe. (MtRed claims to have fixed a CSRF problem, but if so then it was definitely before I looked, and it seems like it was built right into their framework automatically.)
I incorrectly thought that DeepBit was vulnerable, but the admin pointed out that he already had defenses in place, and when I checked my notes, it turns out he was right all along. Good show there (plus they require email confirmation for changing their destination address).
Bitcoin Pool was vulnerable when I checked. I could change my receiving address blindly, which means it was ripe for a CSRF attack. I dropped an admin a private message in their forum, and didn't get a response. But they seem to have taken action anyway. If you go to http://www.bitcoinpool.com/account.php now, it fails unless you are using a referrer from their own domain.
As website developers, you need to build secure sites. That's a whole different article.
As a network... well, that's interesting. If one were to perform a widespread theft like this, actions could still be taken against the thieves.
Although you may hear people describe bitcoins as anonymous, the better word is pseudonymous. You can make arbitrary account numbers and receive payment at them, but their use can still be tracked. A theft of a sufficient number of coins would attract the attention of the FBI or similar organization.
At some point, just like with US Dollars, the holders of stolen Bitcoins will want to redeem them for goods or services. Even if they bounce the stolen Bitcoins through thousands of addresses, those can be tracked, since the entire nature of the network is that it is transparent. Eventually a vendor of something physical will acquire some of these coins and be able to provide authorities with some kind of address for the crooks.
Fencing stolen coins is still possible, but actually harder than it would be with, say, a briefcase full of greenbacks.
posted by Dan Weber at 7:32 PM
0 comments
You can read through his post, but he figures that there are so many easy words that guessing some rare letters near the beginning won't cost you that much.
I took that as a challenge and investigated on my own. In turns out to be pretty hard, even if you get 13 wrong guesses to die, to find all possible words.
Instead of his 90,000 word dictionary, I was using the 230,000 word dictionary in /usr/share/dict/words on OpenBSD. To get a good look at the sub-problem, I restricted myself to the 825 words that could be "_ A _ _". I've included those 825 words in the first comment of this post (since I don't know how to get Blogspot to do attachments and am too tired to try it after working on this for a few hours in evening).
The general strategy is to guess the letters that are most likely to appear. Wrong guesses bring you closer to your doom, right guesses give you a lot of information.
If you could perfectly bisect the remaining words with each guess it would only take 10 guesses, but we can't eliminate that many words at each time.
You could go through the letters in their normal order in the English language, but that gets you to J or Z only after about 20 guesses.
Okay, so let's review. We have "_ A _ _". I'm pretending that we got lucky and guessed "A" first, so we have 25 possible letters left to guess, and 13 wrong answers kill us. There are 825 words and here are how many of those words contain each letter:
1. r 172 2. e 172 3. n 170 4. t 163 5. l 148 6. s 136 7. i 131 8. m 117 9. k 116 10. d 107 11. p 102 12. h 101 13. g 91 14. c 89 15. w 88 16. b 88 17. y 84 18. u 82 19. f 61 20. o 54 21. v 41 22. j 29 23. z 28 24. x 9 (q does not appear at all)Guessing those in order won't work either, as you can see. But we don't need to guess in that order.
The most straightforward way, and the one used at the Wolfram post if I understood it correctly, is to iteratively find the most common letter in the remaining words and guess that one. I think they called this A* back when I was in school. Or was that a greedy algorithm? I can't remember.
Anyway, if you do that, you get this
| Guess Number | Letter | Remaining Words |
|---|---|---|
| 0 | (A) | 825 |
| 1 | R | 653 |
| 2 | N | 506 |
| 3 | L | 383 |
| 4 | E | 284 |
| 5 | S | 208 |
| 6 | T | 155 |
| 7 | K | 114 |
| 8 | M | 80 |
| 9 | Y | 55 |
| 10 | U | 38 |
| 11 | I | 26 |
| 12 | O | 16 |
| 13 | F | 8 |
However, this isn't necessarily the best order in which to guess letters. There are 24! different orders in which you could guess the letters that aren't A or Q. That would take 1.5*1021 tries to figure out.
Well, what only matters is the first 13 that we guess, and 24C13 is about 2.5 million. That's still a lot, and it may not generalize for other words.
We can do something like minmax algorithm, where we assume that we get the worst possible result from our best possible guesses, looking forward several steps. Looking forward 2, 3, or even 6 steps the very start leaves us off no better. In retrospect this isn't that surprising, since we still have letters pretty well distributed.
However, if we take the 400 best combinations from that 6th step (with word sets ranging in size from 155 to 204) and look forward 5 steps from there, we get some better results. What I called A* above only had us down to 26 word choices, but the best discovery here is down to 24 words. (We guessed D, E, K, L, M, N, P, R, S, T and Y.)
If we take the 32 best solutions we had there (ranging in size from 24 words up to 30 words), and look forward 2 steps, we can get down to 6 possible words. With the additional letters B and F, those words are {gazi hagi jacu jazz waco zach}.
So I can't always win. I didn't test every single combination, but I'm pretty sure that I got close. If I were to spend more than an evening on this, I would try starting with the common results around position 4 or 5 and building trees from there.
I also think that I might be more successful with Mathematica's smaller word list of 90,000 entries. I can't find a good place to download that or a similar corpus (this gets me close, but it looks like a hell of a lot of work to pull out that data). When I find a dictionary of that size I'll try again.
posted by Dan Weber at 9:08 PM
4 comments
Yes, the tag on those pajamas says "DC Super Friends."
Yes, those are Iron Man and Spider-Man you see.
I suspect most parents won't notice stuff like this. It's like some weird bootleg clothes.
posted by Dan Weber at 6:25 PM
2 comments
I wonder if that would last forever. Chase's offer department must not have read many Encyclopedia Brown books.
posted by Dan Weber at 5:34 PM
0 comments
Yes, Chase. Thank you.
Basic grammar is no longer a useful test to differentiate spam from non-spam.
posted by Dan Weber at 9:45 AM
3 comments
