My first adventure with Let's Encrypt on nginx, dovecot, and postfix

Let’s Encrypt is old news by now. It launched back in December, so it has been giving away free DV certificates for nearly four months. Being a TA for a Computer Security course, it’s about time that I actually tried it out.

Prologue

Let’s Encrypt is a free certificate authority. It issues TLS certificates that you can use to secure your webserver. These are Domain Validated (DV) certificates, which means Let’s Encrypt verifies that you control the domain name you are trying to certify.

Demonstrating the double-DES meet-in-the-middle attack

DES (Data Encryption Standard) is an old-school block cipher which has been around since the 1970s. It only uses a 56-bit key, which is undeniably too short for use in the modern day. Between the realization that DES is weak in the late 90s and the invention of AES in the early 2000s, Triple-DES had a brief time to shine. The reasoning behind its design is not immediately obvious -- Double-DES has a critical vulnerability that lets an attacker employ a little cleverness to reduce the search space by several orders of magnitude.

A fun experiment with Twilio

I first heard about Twilio a long, long time ago. As Google Voice faded out of relevance, it took the lead in the mobile-communication-as-a-service market. However, I had never had the chance (or inclination) to play around with its API until today.

About 12 hours after we landed back in the US from our holiday in Mexico, Lynsey departed once again – this time to the Plant and Animal Genome conference (PAG) in San Diego. She asked me to supply her with pictures of our cats for the duration of her trip. I told her I would send her a cat pic every hour, on the hour.

I didn’t realize what I had gotten myself into until I had already deposited $20 into a new Twilio account and spent 2 hours coding away… Though my goal was just to send some photos of cats, I had developed a pretty general application that lets you build a queue of MMSes to be disseminated at a constant rate.

No, fingerprints are not secure

Authentication is the process by which a system determines whether a particular user is allowed to access it. There are three widely agreed-upon methods to authenticate a user:

  • Something you have.
  • Something you know.
  • Something you are.

When you use your key to unlock your front door, you are authenticating yourself using something you have. In information security, passwords are the most popular method of authentication; they are something you know. Authentication by something you are (i.e., biometrics) has historically been only a niche practice, but in recent years it has caught on in the realm of consumer electronics.

When Apple announced Touch ID in late 2013, security experts immediately voiced their concern. The authentication mechanism was quickly compromised, and there is still very little that Apple can do about it. Why, you ask? Because fingerprints are inherently insecure.

Time clocking at the command line

I often feel inclined to start new projects to avoid working on old ones. In a particularly ironic display of procrastination, I have written a productivity-oriented application in order to avoid actual productivity. The app is called InSTiL, and its goal is to make it easy to log how much time you spend working on various projects. The source is available on GitHub, and the README provides a succinct overview of InSTiL’s functionality.

https://github.com/tmick0/instil