Rant on TLS PKI

I like modern cryptography. I quite understand some bits of it, since I had an excellent university course on that, and while the rest feels pretty magic, these are my thoughts that should be understood by anyone. My general opinion is that encryption is a mistake in most cases, but digital signatures make true sense to me, and I will focus on them. If someone gives you much data, they know more than you. This is true especially for big integer numbers. Remember RSA? This is the (still widely used) encryption algorithm that assumes that while it is trivial to know n = pq when you know two primes p and q, it is really unlikely and/or computationally expensive to guess p and q from n. ...

July 21, 2022 · 5 min · Arusekk

Die, IPv4, just die already!!!1!

IPv4 was invented in the eighties. IPv6 quickly followed in the nineties, exactly after fourteen years of IPv4 practical application. It’s been nearly 30 years since then, and we’re still stuck with IPv4. Stuck? The main problem with IPv4 is its 32-bit addressing. It limits the Internet to 4 billion true participants (in practice even fewer, because of reserved address ranges, broadcast addresses, masks, and so on): less than half the world population! All its shortcomings come from this single problem. ...

January 10, 2022 · 6 min · Arusekk

Lovely nonces (ASIS CTF Quals 2021) - the unintended way

Originally published in justCatTheFish repo. The quasi-crypto part by Arusekk. The first thing I noticed in this task was unsafe random nonce generation. Unpredictable random values in Node.js should be generated using crypto.random*() and not Math.random(), which is designed to be fast, not safe. So while the others were working on an XSS payload that would work, I searched v8 (the JavaScript engine used by Node.js) sources for the implementation behind Math.random(). It turned out to be xorshift128, which is a wonderful algorithm, passing strict randomness tests, while still being very fast. But since it only uses bitwise xor and shift operations, it is trivial to predict. ...

October 25, 2021 · 4 min · Arusekk & haqpl

My domain is my castle

So here it is! arusekk.pl is finally mine. Buying a domain is straightforward. All I did was find the registry of my favorite TLD (which is .pl for Poland), registry maintained by NASK, reachable at dns.pl. There at the list of registrars I narrowed down the list to those supporting IPv6 domain delegation (I had yet to know what it means, but I thought that it would be better to have it), DNSSEC (which I knew was something important), and that the registrar must be a Polish entity. ...

March 23, 2021 · 7 min · Arusekk

Average day of a FLOSS developer

I woke up, ate my breakfast, did some workout with StepMania (a DDR clone, great game, BTW, you should definitely try it, if you like to move), practiced playing music a little on a MIDI keyboard (using QSynth with JACK (managed by Catia) for low latency response). I heard that Wine supports GTK3 themes, so I wanted to check it out, but there was none for the latest version, and that led me to filing a bug. ...

February 18, 2021 · 3 min · Arusekk