An easy way to visualize git activity

Today, I wrote gitply — a fairly simple Python script for visualizing the weekly activity of each contributor to a git repository.

It started out as a run-once script to get some statistics for one of my projects, but I ended up improving it incrementally until it turned into something friendly enough for other people to use.

Continue reading An easy way to visualize git activity

Adventures in image glitching

Databending is a type of glitch art wherein image files are intentionally corrupted in order to produce an aesthetic effect. Traditionally, these effects are produced by manually manipulating the compressed data in an image file. As a result, this is a trial-and-error process; often, edits will result in the file being completely corrupted and unopenable.

Someone recently asked me whether I knew why databending different types of image files produces different effects — and particularly, why PNG glitches are the most interesting. I didn’t know the answer, but the question inspired me to do a little research (mostly reading the Wikipedia articles about the compression techniques used in different image formats). I discovered that most compression techniques are not all that different. Most of them just employ some kind of run-length encoding or dictionary encoding, and then a prefix-free coding step. The subtle differences between the compression algorithms could not explain the wildly different effects we observed (except for in JPEGs, perhaps, since the compression is done in the frequency domain). However, PNG used a pre-filtering step which made it stand out.

Continue reading Adventures in image glitching

Blue Coat’s position as a Certificate Authority, and what it means for you.

Recently, Blue Coat Systems has been approved as an intermediate certificate authority. If you aren’t versed in network security, this means nothing to you. However, be assured that it is a big deal.

Blue Coat is primarily known as  a vendor of application-layer (deep packet inspection) firewalls. In other words, they help people sniff your data — primarily in order to censor the Internet. Maybe your company’s firewall blocks access to YouTube and Facebook while you’re at work. That’s no big deal — Blue Coat delivers something a bit more sinister.

Continue reading Blue Coat’s position as a Certificate Authority, and what it means for you.

Unnecessary mathematics: queuing delay for two types of network traffic

This morning I asked myself what I thought was an interesting question:

  • If there are two types of traffic in a network, where one is much less common than the other, will the two types experience different queuing delays?

If you have more common sense than me, you’ve already figured out that the answer is “No.” But it took me about an hour to figure this one out.

Continue reading Unnecessary mathematics: queuing delay for two types of network traffic

What’s inside a PEM file?

As you probably know, PEM is a base64-encoded format with human-readable headers, so you can kind of figure out what you’re looking at if you open it in a text editor.

For example, let’s look at an RSA public key:

-----END PUBLIC KEY-----

We can see that we have a public key just from the header. But what’s all the base64 stuff? If it’s a public key, we know that there should be a modulus and an exponent hidden in there. And there’s also probably some kind of hint that this is an RSA key, as opposed to some other type of key.

That base-64 payload actually has the potential to contain a lot of information. It’s an ASN.1 (Abstract Syntax Notation One) data structure, encoded in a format called DER (Distinguished Encoding Rules), and then finally base64-encoded before the header and footer are attached.

ASN.1 is used for a lot of stuff besides keys and certificates; it is a generic file format that can be used to serialize any kind of hierarchical data. DER is just one of many encoding formats for an ASN.1 structure — e.g. there is an older format called BER (Basic Encoding Rules) and an XML-based format called XER (you can probably guess what that stands for).

But anyway, what is inside that public key? How can we find out?

Continue reading What’s inside a PEM file?

My first adventure with Let’s Encrypt on nginx, dovecot, and postfix

Let’s Encrypt is old news by now. It launched back in December, so it has been giving away free DV certificates for nearly four months now. Being a TA for a Computer Security course, it’s about time that I actually tried it out.


Let’s Encrypt is a free certificate authority. They grant TLS certificates that you can use to secure your webserver. They are Domain Validated (DV) certificates, which means they will verify that you control the domain name you are trying to certify.

Continue reading My first adventure with Let’s Encrypt on nginx, dovecot, and postfix

Demonstrating the double-DES meet-in-the-middle attack


DES (Data Encryption Standard) is an old-school block cipher which has been around since the 1970s. It only uses a 56-bit key, which is undeniably too short for use in the modern day. Between the realization that DES is weak in the late 90s and the invention of AES in the early 2000’s, Triple-DES had a brief time to shine.

Triple-DES is just what it sounds like: you run the DES algorithm three times. You use two 56-bit keys, K1 and K2, and apply them in the order K1K2K1. The result is a cipher with 112 bits of key strength.

Students often ask me, why not just encrypt twice: K1, K2, done? The reason is that this construction is vulnerable to a particular chosen-plaintext attack, which we call the meet-in-the-middle attack. That is, if the attacker knows your plaintext in addition to your ciphertext, he doesn’t have to try all 2^112 keys. The maximum amount of work he has to perform is actually only 2^56 — not much more than to break single DES.

Continue reading Demonstrating the double-DES meet-in-the-middle attack

Digital privacy: Where do you draw the line?

I recently had a friendly debate on IRC about how much privacy you really need for it to be considered “enough.” Arguably, the answer is “there is never enough.” And still, there are plenty of people who would be perfectly content having no privacy at all.

Many argue that the key to privacy is actually transparency. If we use open source software, we can all audit it to be sure it is free of backdoors and bugs which may leak information. Perhaps this is why increasingly many users (but unfortunately still less than 2% overall) now prefer Linux to proprietary operating systems. But even among Linux users, there is not much knowledge about how deep the privacy rabbit hole goes.

Before I return to the debate about how much privacy is really sufficient, I’d like to give a quick overview of some of the tools one can use to preserve their privacy. I will discuss four levels of privacy: network, OS, firmware, and hardware.

Continue reading Digital privacy: Where do you draw the line?

A fun experiment with Twilio

I first heard about Twilio a long, long time ago. As Google Voice faded out of relevance, it took the lead in the mobile-communication-as-a-service market. However, I had never had the chance (or inclination) to play around with its API until today.

About 12 hours after we landed back in the US from our holiday in Mexico, Lynsey departed once again — this time to the Plant and Animal Genome conference (PAG) in San Diego. She asked me to supply her with pictures of our cats for the duration of her trip. I told her I would send her a cat pic every hour, on the hour.

I didn’t realize what I had gotten myself into until I had already deposited $20 into a new Twilio account and spent 2 hours coding away… Though my goal was just to send some photos of cats, I had developed a pretty general application that lets you build a queue of MMSes to be disseminated at a constant rate.

Continue reading A fun experiment with Twilio

What goes around comes around: Is the Juniper backdoor the feds’ fault?

By now, everyone should know that Dual EC DRBG is unsafe. Way back in 2013, it was revealed that it has many weaknesses, some of which were traced back to the NSA (with the help of Edward Snowden’s leaks). Whether or not it really was inserted by the NSA, the backdoor has been proven to exist and is easily exploitable.

For those of you who don’t know, a DRBG, or “deterministic random bit generator,” is essentially just a way for computers to generate random numbers. We need random numbers for cryptography — they form the basis of our secret keys. If a random number generator is compromised, then the keys it produces are unsafe to use.

Continue reading What goes around comes around: Is the Juniper backdoor the feds’ fault?