Category Archives: Uncategorized

Hashcat quick start!

I recently had to use hashcat to verify some user credentials. Here are the commands I used:

# Salted md5 passwords (all the same salt in salt+password format):
hashcat -o found-passwords.pot -e salt.txt -m 20 -a 0 input-passwords.txt hashkiller.dic

Input file is just hashes from the database, one hash per line. I think you can put a :salt after each hash and omit the -e salt.txt from the command to use unique salts.

Why you shouldn’t trust WhatsApp’s end to end encryption

Recently, the instant messaging app “WhatsApp” announced that it is using end to end encryption. While this is generally seen as a good thing, what most people seem to have forgotten is that we have absolutely no reason to trust WhatsApp.

Just because you’re told WhatsApp is using end to end encryption doesn’t really mean anything.. what algorithms are they using, how can we verify this. Most importantly, if the NSA (or someone else, perhaps with lots of money) asks WhatsApp to disable end to end encryption for a specific user – what’s to stop them? How would you know your instant messages are no longer encrypted?

What this means (at least to me) is that your supposed end to end ‘bullet proof’ encryption is probably worse than nothing – it’s lulling you into a false sense of security.

You can’t trust closed source encryption. Ever. Don’t start now.

2015 – The year of virtual reality

For some time now I have been keeping myself abreast of the Oculus Rift project – a brand new virtual reality kit which is due for release this year.

Normally I wouldn’t be interested in things like this but I believe this new VR headset will change the face of not only gaming but many aspects of our lives, and not always for the better.

Back in the 90’s I had a go with a VR headset in London and it really put me off the idea. The terrible low resolution, the neck ache, the lag… It was really crap. From that point on virtual reality got forgotten about for another twenty years or so while the technology caught up with the concept.

Oculus aims, and supposedly delivers an experience which can effectively trick (part of) your brain into feeling the experience is very real. In a nutshell, virtual reality is here and this time it’s not going away.

So many people see this as just another gaming platform. That’s cool, but I believe it will be used for many other applications such as virtual meetings, and even eventually working.. Imagine working on a desk on a beach with palm trees?

It’s not all good news though. In this internet based age people spend less and less time going outside and talking to each other. VR could well be the ultimate end to people leaving their homes.. Maybe not for our generation, but I think the next generation will really struggle with this.. Games like World of Warcraft have already made lots of young people reclusive gaming addicts, but with this level of reality it could do some very serious damage if not used in moderation.

Either way, 2015 marks the beginning of the virtual reality age. Personally I think this is going to be as big, if not bigger than the internet in terms of its impact on society. This won’t happen this year, but in the next 5 or 10 years things will be very different in the western world.

Update

Just a quick update.. I assure you this site is still active 🙂 I’m currently extremely busy but I have lots of cool things coming up.. arduino based notification system with REST service, technical project management ideas, gitflow, and mindful programming technique.. nice.

Converting characters

I’ve often had issues with character sets getting muddled up.. generally from my clients pasting ISO-8859-1 special chars into my sites that are UTF-8. Today I discovered the super-handy iconv() function that’ll convert character sets.. in this case I needed to drop down to ascii for generating pdfs with dompdf:

$output = iconv('UTF-8', 'ASCII//TRANSLIT', $string);

Pretty handy!

Locking down an sftp user on Debian

This always ends up being a bit tricky, and some guides I’ve found on the net differ slightly from what I’ve got here. This seems to work pretty well for me on Debian.

Enter the following into /etc/sshd/config to allow sftp and to lock a user into a specific chroot’ed directory:

Subsystem sftp /usr/lib/openssh/sftp-server

For each user you want to lock down, you’ll first need to add the user, set the shell to false so they can’t log in via ssh and then set their home directory to where you want them chroot’ed:

useradd jorbloggs
usermod -s /bin/false joebloggs 
usermod -d /srv/www/somehome/ joebloggs

Now just add a few details for the user to /etc/sshd/config:

Match User joebloggs
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
ChrootDirectory %h

Important!

The users home directory must be owned by root and only writable by root – bit weird, but you get odd auth messages and it doesn’t work otherwise. There’s probably a work-around for this, but for me it doesn’t really matter. If or when I do need a work around I’ll post it here. Feel free to leave comments with tips/suggestions!